I'm wondering about Kerberos SSO with GlobalProtect:
From my understanding of Kerberos, the GP-Client should request a Service-Ticket for http/<fqdn-portal> and http/<fqdn-internal-gw> for authentication via SSO.
The authentication works fine, I can see a successful Kerberos auth in the system log, but when I look at the output of "klist" on the GP-Client, I cannot see any service tickets for the http/... SPNs.
In addition to that, I cannot find event-ids 4769 in the DC security log (audit policy is defined, other 4769 for other services work well).
Looking forward to your input - I want to understand the Kerberos dataflow in detail.
Edit: as per https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boBiCAI we will need multiple accounts per SPN - is that really the case?
I have "portal.company.com" as external gateway and portal and "internal.company.local" and want to use Kerberos SSO for all of them. How many users, SPNs and authentication profiles will I need?