SSO Kerberos setup for Admin


ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

L1 Bithead

SSO Kerberos setup for Admin

I have been able to set up Kerberos for explict userid/password entry at the logon screen. Now I am trying to setup SSO.


I at least get to the Click the button to login as user@domain.local. Yet when I proceed, I get Not Authroized.


System log shows 'Authorization failed for user 'user@domain.local' vs the explict login that shows a login for 'user' w/o the domain.local appended.


I turned on debugging and authd.log shows


2017-07-12 08:35:39.494 -0400 Certificate validated for user 'user@DOMAIN.LOCAL'. From:

2017-07-12 08:35:39.496 -0400 debug: _log_auth_respone(pan_auth_server.c:263): Sent PAN_AUTH_SUCCESS auth response for user 'user@DOMAIN.LOCAL' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 6441520795817607314)

2017-07-12 08:35:39.527 -0400 debug: pan_auth_request_process(pan_auth_state_engine.c:3208): Receive request: msg type PAN_AUTH_REQ_GROUP, conv id 36, body length 32

2017-07-12 08:35:39.527 -0400 debug: pan_db_funcs_request_process(pan_auth_state_engine.c:1527): init'ing group request (authorization)

2017-07-12 08:35:39.527 -0400 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1368): start to authorize user "user@DOMAIN.LOCAL"

2017-07-12 08:35:39.527 -0400 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1381): Could not get user role for user user@DOMAIN.LOCAL

2017-07-12 08:35:39.527 -0400 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1477): Sent authorization response for user "user@DOMAIN.LOCAL":
role/domain="/"; expiring_in_days=-1; rem_grace_period=-1, rem_login_count=-1


I tried all kinds of options for the admin user but some mapping seems to be wrong. Any idea where to look or for more debugging?

L3 Networker

Can you explain more what you are trying to use the single sign on for?  


This sounds like you are trying to authenticate to the management interface for the Palo Alto.  We were successful in setting up an LDAPs policy to talk to the Windows Domain Controller and are able to logon to Panormama and the PA FW's using our AD credentials.  There is no need to specify the domain with this option.


If you are trying to identify user traffic that is crossing the firewall for security rules - I would suggest a different approach.  Again this was integrated to a Windows AD domain using the WMI functionality and LDAPS to hit the domain controllers.  We also used the agent software on our Citrix servers to give more identification to systems that have mutliple user logged on locally.  This works very well and the setup was fairly simple.  No need to link into Kerberos.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!