SSO Kerberos setup for Admin


L1 Bithead

I have been able to set up Kerberos for explicit userid/password entry at the logon screen. Now I am trying to set up SSO.

 

I at least get to the "Click the button to login as user@domain.local" prompt. Yet when I proceed, I get Not Authorized.

 

System log shows "Authorization failed for user 'user@domain.local'", whereas the explicit login shows a login for 'user' without the domain.local appended.

 

I turned on debugging and authd.log shows

 

2017-07-12 08:35:39.494 -0400 Certificate validated for user 'user@DOMAIN.LOCAL'. From: 10.1.4.40.

2017-07-12 08:35:39.496 -0400 debug: _log_auth_respone(pan_auth_server.c:263): Sent PAN_AUTH_SUCCESS auth response for user 'user@DOMAIN.LOCAL' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 6441520795817607314)

2017-07-12 08:35:39.527 -0400 debug: pan_auth_request_process(pan_auth_state_engine.c:3208): Receive request: msg type PAN_AUTH_REQ_GROUP, conv id 36, body length 32

2017-07-12 08:35:39.527 -0400 debug: pan_db_funcs_request_process(pan_auth_state_engine.c:1527): init'ing group request (authorization)

2017-07-12 08:35:39.527 -0400 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1368): start to authorize user "user@DOMAIN.LOCAL"

2017-07-12 08:35:39.527 -0400 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1381): Could not get user role for user user@DOMAIN.LOCAL

2017-07-12 08:35:39.527 -0400 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1477): Sent authorization response for user "user@DOMAIN.LOCAL": role/domain="/"; expiring_in_days=-1; rem_grace_period=-1, rem_login_count=-1

 

I tried all kinds of options for the admin user but some mapping seems to be wrong. Any idea where to look or for more debugging?


L3 Networker

Can you explain more what you are trying to use the single sign on for?  

 

This sounds like you are trying to authenticate to the management interface for the Palo Alto.  We were successful in setting up an LDAPS policy to talk to the Windows Domain Controller and are able to log on to Panorama and the PA FWs using our AD credentials.  There is no need to specify the domain with this option.

 

If you are trying to identify user traffic that is crossing the firewall for security rules, I would suggest a different approach.  Again, this was integrated to a Windows AD domain using the WMI functionality and LDAPS to hit the domain controllers.  We also used the agent software on our Citrix servers to give more identification to systems that have multiple users logged on locally.  This works very well and the setup was fairly simple.  No need to link into Kerberos.

L1 Bithead

I have the very exact same issue, and I think the problem is here:

 

2017-07-12 08:35:39.527 -0400 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1381): Could not get user role for user user@DOMAIN.LOCAL

 

Palo tries to find "user@DOMAIN.LOCAL" in its local administrators database; instead it should simply look for "user" (without the domain). I think this is simply a software bug.

I had a ticket with Palo Alto support and they provided me with a workaround that is fine for our environment:

 

set auth strict-username-check no

 

maybe this helps.
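As an added illustration (not code from the thread or from Palo Alto Networks), the script below reads the authd.log excerpt quoted in the original post, pulls out the principal that authenticated but got no admin role, and shows why a strict name match fails while a realm-stripping match succeeds. The local admin list, the trusted-realm allow-list, and the two matching rules are constructed assumptions for the example; they are not how PAN-OS implements `strict-username-check`. The point a practitioner should take from it: a lenient match makes `user@DOMAIN.LOCAL` resolve to local admin `user`, but the same leniency would let a principal from any other realm that the Kerberos profile happens to accept resolve to that account too, so check which realms the profile trusts before relaxing the setting.

```python
"""Diagnose a Kerberos-SSO admin login that authenticates but is not authorized.

The authd.log lines are copied from the original post. Everything else here
(LOCAL_ADMINS, TRUSTED_REALMS, the matching rules) is a constructed
illustration and NOT PAN-OS's own implementation of strict-username-check.
"""
import re

# Constructed sample: the authd.log excerpt quoted in the thread.
AUTHD_LOG = """\
2017-07-12 08:35:39.494 -0400 Certificate validated for user 'user@DOMAIN.LOCAL'. From: 10.1.4.40.
2017-07-12 08:35:39.496 -0400 debug: _log_auth_respone(pan_auth_server.c:263): Sent PAN_AUTH_SUCCESS auth response for user 'user@DOMAIN.LOCAL' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 6441520795817607314)
2017-07-12 08:35:39.527 -0400 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1368): start to authorize user "user@DOMAIN.LOCAL"
2017-07-12 08:35:39.527 -0400 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1381): Could not get user role for user user@DOMAIN.LOCAL
2017-07-12 08:35:39.527 -0400 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1477): Sent authorization response for user "user@DOMAIN.LOCAL": role/domain="/"; expiring_in_days=-1; rem_grace_period=-1, rem_login_count=-1
"""

# Hypothetical local administrator accounts as typed into the firewall:
# short name only, no realm suffix, mapped to an admin role.
LOCAL_ADMINS = {"user": "superuser", "auditor": "superreader"}

# Realms the SSO setup is meant to trust. Assumption for this example.
TRUSTED_REALMS = {"DOMAIN.LOCAL"}

# The authd line that signals "authenticated, but no admin role found".
ROLE_FAIL_RE = re.compile(r"Could not get user role for user (\S+)")


def failed_role_lookups(log_text):
    """Return every principal for which authd could not find an admin role."""
    return [m.group(1) for m in ROLE_FAIL_RE.finditer(log_text)]


def split_principal(principal):
    """Split 'name@REALM' into (name, realm); realm is None when absent."""
    name, sep, realm = principal.partition("@")
    return name, (realm if sep else None)


def resolve_admin(principal, strict=True):
    """Map an authenticated principal to a local admin role, or None.

    strict=True : the principal must equal a local admin name exactly, so
                  'user@DOMAIN.LOCAL' never matches local admin 'user'.
    strict=False: the realm suffix is dropped before the lookup, but only
                  when the realm is trusted, so 'user@OTHER.REALM' cannot
                  borrow the role of local admin 'user'.
    """
    if strict:
        return LOCAL_ADMINS.get(principal)
    name, realm = split_principal(principal)
    if realm is not None and realm.upper() not in TRUSTED_REALMS:
        return None
    return LOCAL_ADMINS.get(name)


def diagnose(log_text):
    """For each failed role lookup, report whether the bare name is a local
    admin and what each matching rule would have resolved it to."""
    findings = []
    for principal in failed_role_lookups(log_text):
        name, realm = split_principal(principal)
        findings.append({
            "principal": principal,
            "realm": realm,
            "bare_name_is_admin": name in LOCAL_ADMINS,
            "strict_role": resolve_admin(principal, strict=True),
            "lenient_role": resolve_admin(principal, strict=False),
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(AUTHD_LOG):
        print(finding)
```

Running it reports that `user@DOMAIN.LOCAL` has a bare name that is a local admin, resolves to nothing under the strict rule, and resolves to `superuser` under the realm-aware lenient rule, which is the shape of the failure the authd lines above show.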

Thank you RobertRostek.

 

We were trying to enable Kerberos SSO to the firewall web portal and seeing the same suspicious line in the authd log. We tried a lot of different things to make this work, but changing strict-username-check seemed to be the only thing that helped.

 

We now have our effectively-passwordless Server Admin accounts logging into the firewall with YubiKeys and our Kerberos infrastructure. Feels good.

 

Thanks Again!
