Globalprotect Kerberos Service Tickets

Hi Community,


I have a question regarding Kerberos SSO with GlobalProtect:

From my understanding of Kerberos, the GP client should request a service ticket for http/<fqdn-portal> and http/<fqdn-internal-gw> for authentication via SSO.


The authentication works fine, and I can see a successful Kerberos auth in the system log, but when I look at the output of "klist" on the GP client, I cannot see any service tickets for the http/... SPNs.

In addition, I cannot find any event ID 4769 entries in the DC security log (the audit policy is defined, and 4769 events for other services are logged fine).


Looking forward to your input - I want to understand the Kerberos dataflow in detail.


Best Regards

Chacko


edit: as per https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boBiCAI we will need multiple accounts, one per SPN. Is that really the case?

I have "portal.company.com" as external gateway and portal and "internal.company.local" as internal gateway, and I want to use Kerberos SSO for all of them. How many users, SPNs and authentication profiles will I need?

Best Regards
Chacko
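The post checks three things by hand: the client's ticket cache, the SPN registration, and the 4769 events on the DC. The script below is an added diagnostic example (it is not from the original post and not Palo Alto Networks code) that runs those same three checks together. It assumes a Windows GP client, the SPNs and hostnames from the post, a hypothetical DC name "dc01.company.local", and the RSAT ActiveDirectory module for the SPN lookup; adjust those to your environment. One detail worth knowing before reading the 4769 log: the "Service Name" field of a 4769 event is the sAMAccountName of the account that holds the SPN, not the SPN string itself, so the script resolves each SPN to its account first and then filters the events by that account name.

```powershell
# Added example: three-point check for Kerberos SSO tickets (not code from the post).
# Run on the GP client for the cache check; the SPN and 4769 checks need RSAT (AD module)
# and read access to the DC's Security log. All hostnames below are assumptions.
param(
    [string[]]$Spns = @('HTTP/portal.company.com', 'HTTP/internal.company.local'),
    [string]$DomainController = 'dc01.company.local',   # hypothetical DC name
    [int]$MinutesBack = 30
)

# --- 1. Service tickets in this logon session's cache -------------------------
# klist prints one "Server: <SPN> @ <REALM>" line per cached service ticket.
# Note: klist only shows the cache of the session it runs in; a service running
# as SYSTEM has its own cache (klist -li 0x3e7 lists that one).
$cachedSpns = (& klist) | ForEach-Object {
    if ($_ -match '^\s*Server:\s+(\S+)\s+@') { $Matches[1] }
}
foreach ($spn in $Spns) {
    $present = @($cachedSpns | Where-Object { $_ -ieq $spn }).Count -gt 0
    Write-Output ("cache  : {0,-32} {1}" -f $spn, $(if ($present) { 'ticket present' } else { 'NO ticket' }))
}

# --- 2. SPN -> account mapping in AD -----------------------------------------
# A ticket can only be issued if exactly one account holds the SPN; zero means
# no HTTP/ ticket can exist, two or more means a duplicate-SPN failure.
Import-Module ActiveDirectory -ErrorAction Stop
$spnOwners = @{}
foreach ($spn in $Spns) {
    $owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'" -Properties sAMAccountName)
    $spnOwners[$spn] = $owners
    $names = ($owners | ForEach-Object { $_.sAMAccountName }) -join ', '
    Write-Output ("spn    : {0,-32} {1} account(s): {2}" -f $spn, $owners.Count, $names)
}
$accountNames = @($spnOwners.Values | ForEach-Object { $_ } | ForEach-Object { $_.sAMAccountName })

# --- 3. TGS requests (4769) on the DC for those accounts ----------------------
# ServiceName in 4769 is the holder account's sAMAccountName, not the SPN.
$since  = (Get-Date).AddMinutes(-$MinutesBack)
$events = Get-WinEvent -ComputerName $DomainController `
    -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $since } `
    -ErrorAction SilentlyContinue

$matches4769 = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($accountNames -contains $data['ServiceName']) {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            User     = $data['TargetUserName']
            Service  = $data['ServiceName']
            Status   = $data['Status']          # 0x0 = ticket issued
            EncType  = $data['TicketEncryptionType']
            ClientIP = $data['IpAddress']
        }
    }
}
if ($matches4769) {
    $matches4769 | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Output ("4769   : no TGS requests for {0} in the last {1} min on {2}" -f ($accountNames -join ', '), $MinutesBack, $DomainController)
}
```

Run it as the interactive user right after a GP login so the cache check reflects that session; if step 2 reports an SPN with zero or more than one owner, steps 1 and 3 will necessarily come up empty for that SPN.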