Captive portal browser challenge issue

Karim.Benyelloul · ‎04-16-2020

Hi team,

While trying to deploy Kerberos SSO for enduser authentication I came up to the following issue with the captive portal (browser challenge).

When an end user logged in a windows (part of the domain) tries to connect to "http://neverssl.com" for example here is what's happens on the wire :

1/ The browser send a request to neverssl.com

2/ Pan redirect the browser to the captive portal with 302 to the location : http://palologin.kabe.lab:6080/php/browser_challenge.php?vsys=1&rule=0&url=http://neverssl.com%2f
3/ The browser follows the redirect and gets this response from the palo :

HTTP/1.1 200 OK
Date: Thu, 16 Apr 2020 15:29:51 GMT
Content-Type: text/html
Content-Length: 909
Connection: keep-alive
Cache-Control: no-cache
Set-Cookie: SESSID=f4MBAV6Yee96xCU+AwMFAg==; path=/

<HTML>
<HEAD>
<TITLE>Kerberos V5 Authentication Redirection</TITLE>
<meta http-equiv="refresh" content="5; url=http://palologin.kabe.lab/php/browser_challenge.php?vsys=1&rule=0&url=http://neverssl.com%2f&preauthid=&returnreq=yes&challengetimeout=yes">
</HEAD>
<BODY>
<script language="Javascript" type="text/javascript">
if(typeof(Storage) != "undefined") {
       var orig_url = "";
       sessionStorage.setItem ("isoffline", 0); 
       if(orig_url != "")
           sessionStorage.setItem("origurl", orig_url); 
    }
window.location = "http://palologin.kabe.lab/php/browser_challenge.php?vsys=1&rule=0&url=http://neverssl.com%2f&preauthid=&returnreq=yes"; 
</script> 
<p><b>Kerberos V5 Authentication Redirection</b></p>
<p>In case you see this page,
    <ol>
        <li>Your browser does not support both Kerberos and NTLM authentication.  Waiting for refresh.</li>
        </ol>
</p>
</BODY>
</HTML>

4/ The browser executes the javascript and sends a GET request to "http://palologin.kabe.lab/php/browser_challenge.php?vsys=1&rule=0&url=http://neverssl.com%2f&preauth..."

5/ The browser get no responses, and the authentication fails !

The problem is at step 4/ in which the paloalto should make the browser send the GET request to "http://palologin.kabe.lab:6080/php/browser_challenge.php?vsys=1&rule=0&url=http://neverssl.com%2f&preauthid=&returnreq=yes" instead.

I used fiddler to change the browser request number 4 (and add the :6080) and the authentication worked just fine !

I tried to search for similar bug in the KB without success , am I the only one who is facing this issue ? or am I missing something in my config ?

I'm on version 91.2 and here is my config :

Karim.Benyelloul · ‎04-19-2020

Hi everyone, does anyone ever come across this issue ? Just want to make sure if I'm missing something in my config or no

Karim.Benyelloul · ‎04-23-2020

anyone ? 🙂

Jafar_Hussain · ‎07-05-2020

@Karim.Benyelloul

I am facing a kind of similar issue. i want to know what did you allow to fix this issue.

i am not able to open the browser but i can telnet my CP url.

Thanks in advance.

Unlock your full community experience!

Captive portal browser challenge issue

Captive portal browser challenge issue

Show your appreciation!