07-17-2023 04:40 PM
I'm working on an environment that uses a product called "Jamf Connect" to provide Kerberos authentication for macOS users. It works for all services on the domain except for an internal GlobalProtect gateway that is configured for Kerberos SSO, which works perfectly for domain-joined Windows machines...
When the macOS client first connects to the Portal, it's prompting users for credentials, which can lead to group-mapping issues if they don't enter their full account name (domain prefix or UPN). In the interests of a consistent UX, we don't want users manually authenticating to the portal/gateway, so appending domains is out of the question.
Looking at authd.log, the initial Kerberos authentication appears to be successful (PAN_AUTH_SUCCESS); however, the GP logs report "Authentication failed: empty password" and the client prompts for credentials. Once the credentials are submitted, the resulting debugs in authd.log are identical to those of the previous auth failure, but this time the client connects successfully.
I understand there are several factors at play, including the third-party Kerberos agent; however, I can't see anything technically wrong with the process.
Has anyone else had GP Kerberos auth working successfully on a Mac? From what I have seen, Kerberos SSO for GP is not all that common, as it implies the device is already on the network (or on a pre-login tunnel if using external gateways), and Kerberos is even less common on a Mac.