While trying to deploy Kerberos SSO for enduser authentication I came up to the following issue with the captive portal (browser challenge).
When an end user logged in a windows (part of the domain) tries to connect to "http://neverssl.com" for example here is what's happens on the wire :
1/ The browser send a request to neverssl.com
2/ Pan redirect the browser to the captive portal with 302 to the location : http://palologin.kabe.lab:6080/php/browser_challenge.php?vsys=1&rule=0&url=http://neverssl.com%2f
3/ The browser follows the redirect and gets this response from the palo :
5/ The browser get no responses, and the authentication fails !
The problem is at step 4/ in which the paloalto should make the browser send the GET request to "http://palologin.kabe.lab:6080/php/browser_challenge.php?vsys=1&rule=0&url=http://neverssl.com%2f&preauthid=&returnreq=yes" instead.
I used fiddler to change the browser request number 4 (and add the :6080) and the authentication worked just fine !
I tried to search for similar bug in the KB without success , am I the only one who is facing this issue ? or am I missing something in my config ?
I'm on version 91.2 and here is my config :
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!