Authentication Sequence

L3 Networker


I have two AD domains.

I did the two LDAP and two Kerberos configs.

In the Authentication Sequence ch-dom is the first one and the second is stebos. They are both Kerberos profiles.

Users in ch-dom can authenticate. Users in stebos immediately get an auth failure.

LDAP is working on both ADs; I can see users and groups.

In Traffic Monitor I don't see Kerberos traffic to the AD server holding stebos. What's wrong?

Mar 20 11:27:40 pan_authd_service_req(pan_authd.c:2563): Authd:Trying to remote authenticate user: testvpn
Mar 20 11:27:40 pan_authd_service_auth_req(pan_authd.c:1104): AUTH Request <'vsys1','auth-sequence','testvpn'>
Mar 20 11:27:40 pan_authd_handle_nonadmin_auths(pan_authd.c:2240): auth-sequence is an auth sequence
Mar 20 11:27:40 pan_authd_handle_nonadmin_auths(pan_authd.c:2304): Trying auth profile #1 kerberos_profile in auth seq
Mar 20 11:27:40 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3409): failed to fetch: NO_MATCHES
Mar 20 11:27:40 panauth:user <ch-dom\testvpn,kerberos_profile,vsys1> is not allowed
Mar 20 11:27:40 User 'ch-dom\testvpn' failed authentication.  Reason: User is not in allowlist From: 178.83.248.50.
Mar 20 11:27:40 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:40 pan_authd_generate_system_log(pan_authd.c:833): CC Enabled=False
Mar 20 11:27:40 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:40 pan_authd_handle_nonadmin_auths(pan_authd.c:2304): Trying auth profile #2 stebos in auth seq
Mar 20 11:27:40 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3409): failed to fetch: NO_MATCHES
Mar 20 11:27:40 pan_authd_common_authenticate(pan_authd.c:1543): Authenticating user using service /etc/pam.d/pan_krb5_vsys1_stebos,username stebos\testvpn
Mar 20 11:27:41 pan_authd_authenticate_service(pan_authd.c:652): authentication failed (6)
Mar 20 11:27:41 authentication failed for user <vsys1,stebos,stebos\testvpn>
Mar 20 11:27:41 User 'stebos\testvpn' failed authentication.  Reason: Invalid username/password From: 178.83.248.50.
Mar 20 11:27:41 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:41 pan_authd_generate_system_log(pan_authd.c:833): CC Enabled=False
Mar 20 11:27:41 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:41 pan_authd_process_authresult(pan_authd.c:1247): pan_authd_process_authresult: testvpn authresult not auth'ed
Mar 20 11:27:41 pan_authd_process_authresult(pan_authd.c:1271): Alarm generation set to: False.
Mar 20 11:27:41 User 'testvpn' failed authentication.  Reason: Invalid username/password From: 178.83.248.50.
Mar 20 11:27:41 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:41 pan_authd_generate_system_log(pan_authd.c:833): CC Enabled=False
Mar 20 11:27:41 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:41 pan_authd_service_req(pan_authd.c:2563): Authd:Trying to remote authenticate user: testvpn
Mar 20 11:27:41 pan_authd_service_auth_req(pan_authd.c:1104): AUTH Request <'vsys1','auth-sequence','testvpn'>
Mar 20 11:27:41 pan_authd_handle_nonadmin_auths(pan_authd.c:2240): auth-sequence is an auth sequence
Mar 20 11:27:41 pan_authd_handle_nonadmin_auths(pan_authd.c:2304): Trying auth profile #1 kerberos_profile in auth seq
Mar 20 11:27:41 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3409): failed to fetch: NO_MATCHES
Mar 20 11:27:41 panauth:user <ch-dom\testvpn,kerberos_profile,vsys1> is not allowed
Mar 20 11:27:41 User 'ch-dom\testvpn' failed authentication.  Reason: User is not in allowlist From: 178.83.248.50.
Mar 20 11:27:41 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:41 pan_authd_generate_system_log(pan_authd.c:833): CC Enabled=False
Mar 20 11:27:41 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:42 pan_authd_handle_nonadmin_auths(pan_authd.c:2304): Trying auth profile #2 stebos in auth seq
Mar 20 11:27:42 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3409): failed to fetch: NO_MATCHES
Mar 20 11:27:42 pan_authd_common_authenticate(pan_authd.c:1543): Authenticating user using service /etc/pam.d/pan_krb5_vsys1_stebos,username stebos\testvpn
Mar 20 11:27:42 pan_authd_authenticate_service(pan_authd.c:652): authentication failed (6)
Mar 20 11:27:42 authentication failed for user <vsys1,stebos,stebos\testvpn>
Mar 20 11:27:42 User 'stebos\testvpn' failed authentication.  Reason: Invalid username/password From: 178.83.248.50.
Mar 20 11:27:42 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:42 pan_authd_generate_system_log(pan_authd.c:833): CC Enabled=False
Mar 20 11:27:42 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:42 pan_authd_process_authresult(pan_authd.c:1247): pan_authd_process_authresult: testvpn authresult not auth'ed
Mar 20 11:27:42 pan_authd_process_authresult(pan_authd.c:1271): Alarm generation set to: True.
Mar 20 11:27:42 User 'testvpn' failed authentication.  Reason: Invalid username/password From: 178.83.248.50.
Mar 20 11:27:42 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:42 pan_authd_generate_system_log(pan_authd.c:833): CC Enabled=False
Mar 20 11:27:42 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
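The debug log above answers the "where does it fail" question if you read it per profile: the sequence is walked in order, profile #1 rejects the user before any PAM/Kerberos call is logged, and only profile #2 reaches the Kerberos PAM service. The following triage script is an added example, not code from the original post or from Palo Alto Networks; it parses the pan_authd lines quoted above (the first attempt, copied verbatim as sample input) and reports, for each profile in the sequence, whether the rejection happened before or after the Kerberos service was invoked. The field names and the "diagnose" wording are my own assumptions, not PAN-OS terminology.

```python
import re

# Sample input: the first authentication attempt from the debug log posted
# above, copied verbatim (raw string so the domain\user backslashes survive).
SAMPLE_LOG = r"""
Mar 20 11:27:40 pan_authd_service_req(pan_authd.c:2563): Authd:Trying to remote authenticate user: testvpn
Mar 20 11:27:40 pan_authd_service_auth_req(pan_authd.c:1104): AUTH Request <'vsys1','auth-sequence','testvpn'>
Mar 20 11:27:40 pan_authd_handle_nonadmin_auths(pan_authd.c:2240): auth-sequence is an auth sequence
Mar 20 11:27:40 pan_authd_handle_nonadmin_auths(pan_authd.c:2304): Trying auth profile #1 kerberos_profile in auth seq
Mar 20 11:27:40 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3409): failed to fetch: NO_MATCHES
Mar 20 11:27:40 panauth:user <ch-dom\testvpn,kerberos_profile,vsys1> is not allowed
Mar 20 11:27:40 User 'ch-dom\testvpn' failed authentication.  Reason: User is not in allowlist From: 178.83.248.50.
Mar 20 11:27:40 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:40 pan_authd_generate_system_log(pan_authd.c:833): CC Enabled=False
Mar 20 11:27:40 pan_authd_handle_nonadmin_auths(pan_authd.c:2304): Trying auth profile #2 stebos in auth seq
Mar 20 11:27:40 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3409): failed to fetch: NO_MATCHES
Mar 20 11:27:40 pan_authd_common_authenticate(pan_authd.c:1543): Authenticating user using service /etc/pam.d/pan_krb5_vsys1_stebos,username stebos\testvpn
Mar 20 11:27:41 pan_authd_authenticate_service(pan_authd.c:652): authentication failed (6)
Mar 20 11:27:41 authentication failed for user <vsys1,stebos,stebos\testvpn>
Mar 20 11:27:41 User 'stebos\testvpn' failed authentication.  Reason: Invalid username/password From: 178.83.248.50.
Mar 20 11:27:41 pan_authd_process_authresult(pan_authd.c:1247): pan_authd_process_authresult: testvpn authresult not auth'ed
Mar 20 11:27:41 pan_authd_process_authresult(pan_authd.c:1271): Alarm generation set to: False.
Mar 20 11:27:41 User 'testvpn' failed authentication.  Reason: Invalid username/password From: 178.83.248.50.
"""

# One regex per log line type that matters; everything else (sdb calls, CC flag) is noise.
REQ = re.compile(r"AUTH Request <'(?P<vsys>[^']*)','(?P<obj>[^']*)','(?P<user>[^']*)'>")
TRY = re.compile(r"Trying auth profile #(?P<idx>\d+) (?P<profile>\S+) in auth seq")
NOT_ALLOWED = re.compile(r"panauth:user <(?P<login>[^,]+),(?P<profile>[^,]+),(?P<vsys>[^>]+)> is not allowed")
PAM = re.compile(r"Authenticating user using service (?P<service>[^,]+),username (?P<login>\S+)")
PAM_FAIL = re.compile(r"authentication failed \((?P<code>\d+)\)")
FAIL = re.compile(r"User '(?P<user>[^']+)' failed authentication\.\s+Reason: (?P<reason>.+?) From: (?P<src>\d+(?:\.\d+){3})")


def parse_authd(text):
    """Group pan_authd debug lines into attempts, each with one entry per profile tried."""
    attempts, cur, cur_try = [], None, None
    for line in text.splitlines():
        if m := REQ.search(line):
            cur = {"vsys": m["vsys"], "auth_object": m["obj"], "user": m["user"],
                   "tries": [], "verdict": None, "source": None}
            cur_try = None
            attempts.append(cur)
            continue
        if cur is None:
            continue
        if m := TRY.search(line):
            cur_try = {"index": int(m["idx"]), "profile": m["profile"], "login": None,
                       "reason": None, "pam_service": None, "pam_code": None}
            cur["tries"].append(cur_try)
        elif (m := NOT_ALLOWED.search(line)) and cur_try:
            cur_try["login"] = m["login"]
        elif (m := PAM.search(line)) and cur_try:
            cur_try["pam_service"], cur_try["login"] = m["service"], m["login"]
        elif (m := PAM_FAIL.search(line)) and cur_try:
            cur_try["pam_code"] = int(m["code"])
        elif m := FAIL.search(line):
            if m["user"] == cur["user"]:      # bare username: the sequence's final verdict
                cur["verdict"], cur["source"] = m["reason"], m["src"]
            elif cur_try:                     # domain-qualified: this profile's own outcome
                cur_try["reason"], cur_try["login"] = m["reason"], m["user"]
    return attempts


def diagnose(attempt):
    """One line per profile: did the rejection happen before or after the Kerberos PAM call?"""
    notes = []
    for t in attempt["tries"]:
        if t["pam_service"] is None:
            notes.append(f"profile #{t['index']} {t['profile']}: rejected as {t['login']} "
                         f"({t['reason']}) with no PAM/Kerberos call logged, so no KDC "
                         "traffic is expected from this profile")
        else:
            notes.append(f"profile #{t['index']} {t['profile']}: PAM service {t['pam_service']} "
                         f"returned code {t['pam_code']} for {t['login']} ({t['reason']}); "
                         "this is the profile whose KDC reachability (DNS, realm, port) to check")
    return notes


if __name__ == "__main__":
    for attempt in parse_authd(SAMPLE_LOG):
        print(f"{attempt['user']} via {attempt['auth_object']} from {attempt['source']}: {attempt['verdict']}")
        for note in diagnose(attempt):
            print("  -", note)
```

On the posted log this prints that kerberos_profile (ch-dom) dropped the user on its allow list without invoking PAM, while the stebos profile did invoke /etc/pam.d/pan_krb5_vsys1_stebos and got a failure back, which is consistent with seeing no Kerberos packets for ch-dom and points the investigation at whether the stebos KDC can be found at all.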


Multiple instances of the same user ID in different domains?

Question: why LDAP and Kerberos? Why not just use Kerberos? Are you using 4.1.x PAN-OS and the 4.1 PAN agent?

The fact that LDAP can browse and see the users and groups is independent of Kerberos being able to. If the auth sequences are using Kerberos, and all users from the stebos domain are failing, then maybe the Kerberos server profile for that domain is incorrectly set?

L3 Networker

LDAP is only for group matching, that's correct.

Well, I found out that Kerberos is not working on that domain... currently I have no idea why it works on ch-dom and does not work on stebos. Could that be a DNS issue?

L3 Networker

Oh yes, I use 4.1.4 PAN-OS, and no, I use User Identification on the interface since I need it for GlobalProtect.

L3 Networker

Looks like I found my own answer.

DNS Entries

If you are using Active Directory, it is easiest to use the AD DNS server as the PAN firewall DNS server. DNS entries already exist on this server that are needed for Kerberos authentication. If this option is not possible, make sure the DNS server that the PAN is using has Service Location (SRV) DNS entries for _kerberos._tcp and _kerberos._udp.
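The quoted guidance says which records must exist but not how to prove they do from the resolver the firewall actually uses. The script below is an added example, not code from the original thread or from Palo Alto Networks: it builds the two SRV names a Kerberos client queries for a realm, parses `dig +short SRV` style answers, and flags a realm for which the resolver returns nothing. The realm names ch-dom.example and stebos.example, the host names, and the constructed resolver answers are placeholders standing in for the two domains in the thread; `dig_lookup` is the real-resolver path and assumes `dig` is installed, and it is deliberately not exercised by the offline demo.

```python
import re
import shutil
import subprocess

# SRV answer line as printed by `dig +short SRV <name>`: "priority weight port target."
SRV_LINE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$")


def kerberos_srv_names(realm):
    """The SRV owner names a Kerberos client looks up to find a realm's KDCs
    (RFC 4120 section 7.2.3; the same two records the quoted guidance names)."""
    realm = realm.lower().rstrip(".")
    return [f"_kerberos._tcp.{realm}", f"_kerberos._udp.{realm}"]


def parse_srv_answer(text):
    """Parse dig +short output into records, best candidates first
    (lowest priority, then highest weight)."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            records.append({"priority": int(m[1]), "weight": int(m[2]),
                            "port": int(m[3]), "target": m[4]})
    return sorted(records, key=lambda r: (r["priority"], -r["weight"]))


def check_realm(realm, lookup):
    """lookup(name) -> dig +short style text. Returns ({name: records}, [problems]);
    an empty record set for either name means DNS-based KDC discovery cannot work."""
    found, problems = {}, []
    for name in kerberos_srv_names(realm):
        recs = parse_srv_answer(lookup(name))
        found[name] = recs
        if not recs:
            problems.append(f"no SRV records for {name}: KDC discovery via DNS "
                            f"will fail for realm {realm}")
    return found, problems


def dig_lookup(name, server=None):
    """Real resolver path: ask dig, optionally at a specific server (use the one
    configured as the firewall's own DNS server). Assumes dig is on PATH."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig not found")
    cmd = ["dig", "+short", "SRV", name] + ([f"@{server}"] if server else [])
    return subprocess.run(cmd, capture_output=True, text=True, timeout=5).stdout


# Constructed answers modelling the thread's situation: the resolver knows the
# ch-dom realm's records and has nothing for stebos. Hostnames are placeholders.
FAKE_ANSWERS = {
    "_kerberos._tcp.ch-dom.example": "0 100 88 dc1.ch-dom.example.\n0 50 88 dc2.ch-dom.example.\n",
    "_kerberos._udp.ch-dom.example": "0 100 88 dc1.ch-dom.example.\n",
}


def fake_lookup(name):
    return FAKE_ANSWERS.get(name, "")


if __name__ == "__main__":
    for realm in ("CH-DOM.EXAMPLE", "STEBOS.EXAMPLE"):
        found, problems = check_realm(realm, fake_lookup)
        for name, recs in found.items():
            print(name, "->", [f"{r['target']}:{r['port']}" for r in recs])
        for p in problems:
            print("PROBLEM:", p)
```

To run this against a live resolver, replace `fake_lookup` with `lambda n: dig_lookup(n, server="<firewall's DNS server>")`; a realm that comes back with problems is one whose KDC the firewall cannot locate through DNS, regardless of what LDAP can browse.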


L3 Networker

I tried doing this with DNS proxy, since I have two ADs with two independent DNS servers... but that doesn't work... how can I configure that?

L6 Presenter

In Device -> Config (or if it is Config -> Device) you have the service route configuration, where you can select which interface should be used for the DNS queries that the PAN itself will need (among other settings). In the same view (before you click on service route configuration) you can set up which DNS the PAN unit will use for lookups.

L3 Networker

Screenshot removed

L6 Presenter

No, ignore that DNS proxy.

DNS proxy is to do stuff when a client sends DNS queries.

"Firewalling DNS queries", if you like to call it that...

When the PAN needs to do queries, you go to the Device tab and choose Setup. Then you select "Services"; here you type in which NTP and DNS the PAN unit itself will use.

Then you click on service route configuration to instruct the PAN unit which interface it should use to reach NTP, DNS etc. for its own use (the default is the mgmt interface, I think).

L3 Networker

Well, and how shall I set up two Kerberos profiles when there are two independent DNS servers, one for each AD?

The only way I see is via DNS Proxy... and why should that not work when I can configure it in Setup?

What else is that DNS Proxy object for, if not exactly this issue?
