GlobalProtect Kerberos Service Tickets


Hi Community,

I'm wondering about Kerberos SSO with GlobalProtect:

From my understanding of Kerberos, the GP client should request a service ticket for http/<fqdn-portal> and http/<fqdn-internal-gw> for authentication via SSO.

The authentication works fine, and I can see a successful Kerberos auth in the system log, but when I look at the output of "klist" on the GP client, I cannot see any service tickets for the http/... SPNs.

In addition to that, I cannot find any event ID 4769 entries in the DC security log (the audit policy is defined, and 4769 events for other services are logged fine).

Looking forward to your input - I want to understand the Kerberos dataflow in detail.

Best Regards

Chacko

Edit: as per https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boBiCAI we will need multiple accounts per SPN - is that really the case?

I have "portal.company.com" as external gateway and portal, and "internal.company.local", and want to use Kerberos SSO for all of them. How many users, SPNs and authentication profiles will I need?

Best Regards
Chacko