At the moment I'm trying to set up SSO auth with the Admin Web Interface (and Captive Portal). I set it up as the PAN-OS 7.0 documentation told me. I tried different crypto types, but all with the same error.
1. Log in to the KDC and open a command prompt.
2. Enter the following command, where <principal_name>, <password>, and <algorithm> are variables. The Kerberos principal name and password are of the firewall, not the user.
   ktpass /princ <principal_name> /pass <password> /crypto <algorithm> /ptype KRB5_NT_PRINCIPAL /out <file_name>.keytab
   If the firewall is in Federal Information Processing Standards (FIPS) or Common Criteria (CC) mode, the algorithm must be aes128-cts-hmac-sha1-96 or aes256-cts-hmac-sha1-96. Otherwise, you can also use des3-cbc-sha1 or arcfour-hmac. To use an Advanced Encryption Standard (AES) algorithm, the functional level of the KDC must be Windows Server 2008 or later and you must enable AES encryption for the firewall account.
   The algorithm in the keytab must match the algorithm in the service ticket that the TGS issues to clients. Your Kerberos administrator determines which algorithms the service tickets use.
Then I put the keytab file into the Authentication Profile. After the commit I see the following in authd.log:
2015-07-31 08:54:02.468 +0200 debug: pan_auth_request_process(pan_auth_state_engine.c:1514): Receive request: msg type PAN_AUTH_SSO_AUTH, conv id 68, body length 235
2015-07-31 08:54:02.468 +0200 debug: _authenticate_sso(pan_auth_state_engine.c:281): Trying to auth sso: <profile: "", vsys: "", remotehost "", ticket size 66>
2015-07-31 08:54:02.468 +0200 debug: _krb_init_token_decode(pan_authd_kerberos_sso.c:1000): succeed to base64 decode service ticket
2015-07-31 08:54:02.469 +0200 debug: check_n_set_config_env_if_gone(pan_authd_kerberos_sso.c:170): got env KRB5_CONFIG = /opt/pancfg/mgmt/global/authd/krb5.config.**.**.**.1, no need to set it up
2015-07-31 08:54:02.469 +0200 debug: check_n_set_keytab_env_if_gone(pan_authd_kerberos_sso.c:199): got env KRB5_KTNAME = /opt/pancfg/mgmt/global/authd/krb5.keytab.**.**.**.1 (service principal HTTP/**.**.**.**), no need to set it up
2015-07-31 08:54:02.469 +0200 Error: _dislay_gss_return_code(pan_authd_kerberos_sso.c:98): GSS_S_BAD_MECH
2015-07-31 08:54:02.469 +0200 Error: _krb_accept_sec_context(pan_authd_kerberos_sso.c:1046): gss_accept_sec_context() : Unknown error
2015-07-31 08:54:02.469 +0200 failed authentication for user ''. Reason: Single-sign-on failed.
2015-07-31 08:54:02.471 +0200 debug: _log_auth_respone(pan_auth_server.c:240): Sent FAILED auth response for user '' (exp_in_days=-1 (-1 never; 0 within a day))
Did somebody get this to work? Is there a mistake in the documentation?
Thanks for any answer.
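As an added check (not from the original post, the KB article, or the PAN-OS documentation), the following Python parser reads the keytab that ktpass produced and reports each entry's principal, name type, kvno and encryption type, so the enctype can be compared against the one in the service ticket and against the FIPS/CC restriction quoted above. It assumes the file is in MIT keytab format version 0x0502; the principal name, realm and key used in the test data are constructed.

```python
import struct

# Kerberos enctype numbers for the algorithms named in the PAN-OS 7.0 guide
ENCTYPES = {16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
FIPS_CC_ALLOWED = {17, 18}   # only the AES types are permitted in FIPS/CC mode
KRB5_NT_PRINCIPAL = 1        # the /ptype value used in the ktpass command

def parse_keytab(data: bytes) -> list:
    """Parse an MIT-format keytab (version 0x0502, assumed to be what ktpass wrote); keys are not returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size; continue
        e, off, comps = data[pos:pos + size], 4, []
        ncomp, rlen = struct.unpack(">HH", e[:4])       # v2: count excludes the realm
        realm = e[off:off + rlen].decode(); off += rlen
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", e[off:off + 2]); off += 2
            comps.append(e[off:off + clen].decode()); off += clen
        name_type, _stamp, vno8 = struct.unpack(">IIB", e[off:off + 9]); off += 9
        enctype, klen = struct.unpack(">HH", e[off:off + 4]); off += 4 + klen
        # a 32-bit kvno follows the key when the writer emitted one
        kvno = struct.unpack(">I", e[off:off + 4])[0] if len(e) - off >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "enctype": enctype, "algorithm": ENCTYPES.get(enctype, "unknown"), "kvno": kvno})
        pos += size
    return entries

def check_keytab(data: bytes, fips_cc: bool = False) -> list:
    """Return one finding per entry whose enctype the guide does not allow in this mode."""
    allowed = FIPS_CC_ALLOWED if fips_cc else set(ENCTYPES)
    return [f"{e['principal']}: enctype {e['enctype']} ({e['algorithm']}) not allowed"
            for e in parse_keytab(data) if e["enctype"] not in allowed]

def build_keytab(principal: str, enctype: int, key: bytes, kvno: int = 1) -> bytes:
    """Construct a one-entry v2 keytab for testing; the key is a dummy, not a real secret."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

Run `check_keytab(open("firewall.keytab", "rb").read(), fips_cc=True)` against a real file to list entries the guide would reject; `parse_keytab` shows the enctype to compare with the service ticket.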
It started working when I followed exactly what is described in the KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boBiCAI
I had to move the user account (mapped to the FQDN) to the OU "Users" in order to avoid the password error.
Another point is: I was using the same account created for LDAP queries (and it is a Domain Admin account). When I created a new account and followed the procedure exactly as it is, it worked.