SSO Kerberos Authentication for Admin Access Keytab Generation

Printer Friendly Page

Kerberos SSO: Kerberos Authentication for Admin access Keytab generation is used to supply the windows credentials automatically to the login prompt when a user accesses the WebGUI of the firewall. A network that supports Kerberos SSO prompts a user to log in only for initial access to the network (for example, logging in to Microsoft Windows). After this initial login, the user can access any browser-based service in the network (for example, the firewall web interface) without having to log in again, until the SSO session expires. (Your Kerberos administrator sets the duration of SSO sessions.)


You enable SSO for a Palo Alto Networks device by importing a Kerberos keytab into an authentication profile. A keytab is a file that contains Kerberos account information (principal name and hashed password) for the device, which is required for SSO authentication. Each authentication profile can have one keytab. If SSO authentication fails, the device prompts the user to log in manually and performs authentication of the type specified in the profile (for example, RADIUS).




Kerberos SSO Admin authentication. Generation of keytabs for SSO and Active Directory settings


For customers who want to use Kerberos SSO authentication for their environment.



Authentication failing due to a malformed keytab.




Here is a step-by-step procedure for generation of the keytab and the prerequisites:


  • Service account on the domain controller which will carry the credentials.

For the service account, you need to enable AES 128 bit encryption / AES 256 bit encryption if the encryption algorithm is AES 128/256.


To enable the above settings, open the user account and click on Account, you will observe the encryption algorithm under Account options.


Service-account-privdleges.pngService account settings



  • Some settings under the browser.

For IE, the settings can be found under the below hierarchy:

Internet options> Security> Local intranet (sites button) > Advanced> add service FQDN to the list.


Here under websites, add the firewall’s fqdn or you can use *.domain.local.


Please note: Chrome will use IE settings.


 IE-setting.pngIE settings


For firefox, type about:config as URL and search trusted URLs.

Enter the service FQDN in the value.

 firefox.pngFirefox settings


  • Here is a command that can be used to identify the encryption algorithm on the Domain controller:

 1. klist Command: 

 C:\Users\admin> klist
Client: gpdomuser1 @ GPQA.LOCAL
        Server: HTTP/keytabgpgw61.gpqa.local @ GPQA.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96 <- Information regarding the encryption algorythm.
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authentok_as_delegate name_canonicalize
        Start Time: 10/1/2015 13:11:33 (local)
        End Time:   10/1/2015 23:09:18 (local)
        Renew Time: 10/8/2015 13:09:18 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called: thirugpwinad.gpqa.local


2. setspn Command:

 setspn -s http/fqdn domain\service account


For example
setspn -s http/ abc.local\service_account_username



3. The command for creating of the keytab is as follows: 

ktpass -princ http/ -mapuser service_account_username -pass acct_password -crypto aes256-sha1 -ptype KRB5_NT_PRINCIPAL -out c:\temp\xyz-test.keytab -mapop set


Tags (2)

The right syntax for ktpass at Windows 2012 R2 domain controller is:


ktpass -princ http/firewall.domain.local@DOMAIN.LOCAL -mapuser service_account@DOMAIN.LOCAL -pass service_account_password -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -out c:\temp\firewall.keytab -mapop set


Pay attention to the spaces (I'm not sure if domain name is typed in lowercase or UPPERCASE). 



In the commands above (setspn and keytab), do we need to use the FQDN of the firewalls or of the captive portal's reponse page, when we are going to use Kerberos SSO on authetication profile for captive portal?






1. On AD Domain Contoller, use klist command to get the KerbTicket Encryption Type 

2. Create an AD account (e.g. SvcPaloAltoKerbHTTP) and match the Encryption type from klist:

  • For AES128-SHA1 cipher strength, make sure This account supports AES 128 bit encryption is checked; all others (except password never expires) are unchecked.
  • For AES256-SHA1 cipher strength, make sure This account supports AES 256 bit encryption is checked; all others (except password never expires) are unchecked.
  • For RC4-HMAC-NT cipher strength, make sure all options (except password never expires) are unchecked.
  • For DES-CBC-CRC cipher strength, make sure Use Kerberos DES encryption types for this account and make sure all options (except password never expires) are unchecked.

3. On AD Domain Contoller, run command: setspn -s HTTP/captiveportal.DOMAIN.LOCAL DOMAIN.LOCAL\SvcPaloAltoKerbHTTP


4. On Domain Controller, run command: ktpass -princ HTTP/captiveportal.DOMAIN.LOCAL @DOMAIN.LOCAL  -mapuser SvcPaloAltoKerbHTTP@DOMAIN.LOCAL -pass “password-goes-here” -crypto <Crytp from klist> -ptype KRB5_NT_PRINCIPAL -out c:\temp\SvcPaloAltoKerbHTTP_<YYYYMMDDHHMM>.keytab -mapop set


  • IMPORTANT: Every time you run the command to create the Keytab file, you MUST import the updated keytab file on the firewall. Otherwise the Firewall and AD go out of sync. (Do not import previously created keytab files if you have run the command again). Everytime you run the command you will note the vno number increment by 1.

5. Open the AD user account for the Service Account, and confirm the account has been changed to the SPN (User logon name) field.


NOTE: We had to repeat this process for a HTTPS account too (You may not need to.)


6. Set-up your Web-browsers. NB: No need for Safari Mac or Windows (it uses NPEGO)


NB: Perhaps use AD GPO's or Jamf for Macs, to do this centrally.


7. For the FW interface where the users are, configure on the firewall:  Network – Network profiles – interface management.

Emable Response Pages and User-ID.


8.  Create the Firewall authentication profile and import the keytab file/s created earlier. Again, you may need a HTTP and HTTPS auth profile - Thus a user account and keytab file for each. 


9. Create Firewall Authentication sequence (Device > Authentication Sequence). Adding both the Profiles created above.


10. Create a Fireall authentication policy to match criteria. I suggest you set the users to unknown, and use the pre-built 'default-browser-challenge' authentication enforcement.


11. Set Captive Portal (Device > User Identification > Captive Portal Settings ). Set the authentication profile to use your authentication sequence. 




A> Test Firewall Kerberos Authentication Connectivity to AD: 

test authentication authentication-profile <auth profile name> username  <example standard user> password


B> Removing User-ID mappings (From command line of firewall:)


show user ip-user-mapping-mp ip <ip address>

show user ip-user-mapping ip <ip address>

clear user-cache-mp ip <ip address>

clear user-cache ip <ip address>


C> Check for Kerb Session tickets on end-points: (From command line of clients)

Windows:  klist tickets

Mac: klist -A


D> Purge klist Session tickes on Windows machines (From command line of client)

Klist purge

Followed by Y on each ticket you wish to purge


E> Check Firewall auth logs when attempting to test the solition (Really helpful)

From command line of firewall: tail follow yes mp-log authd.log


Hope this helps.