Kerberos SSO PAN-OS 7.0.1

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Kerberos SSO PAN-OS 7.0.1

L1 Bithead


at the moment I'm trying to set up a SSO Auth with the Admin Web Interface (and Captive Portal). I set it up like the documentation of PAN-OS 7.0 told me. I tried different Crypto types but all with the same error.

1. Log in to the KDC and open a command prompt.

2. Enter the following command, where <principal_name>,

<password>, and <algorithm> are variables. The Kerberos

principal name and password are of the firewall, not the user.

ktpass /princ <principal_name> /pass

<password> /crypto <algorithm> /ptype

KRB5_NT_PRINCIPAL /out <file_name>.keytab

If the firewall is in Federal Information Processing

Standards (FIPS) or Common Criteria (CC) mode, the

algorithm must be aes128-cts-hmac-sha1-96 or

aes256-cts-hmac-sha1-96. Otherwise, you can also

use des3-cbc-sha1 or arcfour-hmac. To use an

Advanced Encryption Standard (AES) algorithm, the

functional level of the KDC must be Windows Server

2008 or later and you must enable AES encryption for

the firewall account.

The algorithm in the keytab must match the algorithm

in the service ticket that the TGS issues to clients. Your

Kerberos administrator determines which algorithms

the service tickets use.

Then I put the keytab file into the Authentication Profile. After the commit I see in the authd.log the following:

2015-07-31 08:54:02.468 +0200 debug: pan_auth_request_process(pan_auth_state_engine.c:1514): Receive request: msg type PAN_AUTH_SSO_AUTH, conv id 68, body length 235

2015-07-31 08:54:02.468 +0200 debug: _authenticate_sso(pan_auth_state_engine.c:281): Trying to auth sso: <profile: "", vsys: "", remotehost "", ticket size 66>

2015-07-31 08:54:02.468 +0200 debug: _krb_init_token_decode(pan_authd_kerberos_sso.c:1000): succeed to base64 decode service ticket

2015-07-31 08:54:02.469 +0200 debug: check_n_set_config_env_if_gone(pan_authd_kerberos_sso.c:170): got env KRB5_CONFIG = /opt/pancfg/mgmt/global/authd/krb5.config.**.**.**.1, no need to set it up

2015-07-31 08:54:02.469 +0200 debug: check_n_set_keytab_env_if_gone(pan_authd_kerberos_sso.c:199): got env KRB5_KTNAME = /opt/pancfg/mgmt/global/authd/krb5.keytab.**.**.**.1 (service principal HTTP/**.**.**.**), no need to set it up

2015-07-31 08:54:02.469 +0200 Error:  _dislay_gss_return_code(pan_authd_kerberos_sso.c:98): GSS_S_BAD_MECH

2015-07-31 08:54:02.469 +0200 Error:  _krb_accept_sec_context(pan_authd_kerberos_sso.c:1046): gss_accept_sec_context() : Unknown error

2015-07-31 08:54:02.469 +0200 failed authentication for user ''.  Reason: Single-sign-on failed.

2015-07-31 08:54:02.471 +0200 debug: _log_auth_respone(pan_auth_server.c:240): Sent FAILED auth response for user '' (exp_in_days=-1 (-1 never; 0 within a day))

Did somebody get this to work? Is there a mistake in the documentation?

Thanks for any anwser.

Kind regards



L1 Bithead

I have the same problem. Did you ever find a solution for the same?

L1 Bithead

It started working when I  followed exactly what is described in the the KB:

I had to move the user account (mapped to the fqdn) to the OU "Users" in order to avoid the password error.

Other point is: I was using the same account created for LDAP queries (And it is a Domain Admin account). When I created a new account and followed the procedure exactly how it is it worked.

  • 2 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!