12-16-2025 05:56 AM
Hi,
I have 2 devices running in active-passive HA.
I want to use Kerberos SSO for the admin UI.
With one device it is working, but how can I add a second SPN?
12-17-2025 12:37 PM
For Kerberos SSO access to the PAN-OS admin UI in an Active/Passive HA pair, you do not configure a second SPN on the firewall. The correct and supported design is to use one shared management FQDN and one Kerberos SPN, used by both HA peers.
Kerberos authentication is based on the service hostname (FQDN), not on the individual firewall device. The browser requests a Kerberos ticket for:
HTTP/<management-FQDN>
As long as both firewalls present the same FQDN and use the same service account, Kerberos authentication will work on either unit after failover.
Choose a single management FQDN
Example:
fw-admin.company.com
This FQDN must always resolve to the currently active firewall’s management IP.
Use one Active Directory service account
Example:
svc_pan_fw_kerberos
This account will be used by both firewalls.
Create the SPN (run once in Active Directory)
Run the following command from a domain controller or a system with RSAT installed:
setspn -A HTTP/fw-admin.company.com svc_pan_fw_kerberos
Verify the SPN:
setspn -L svc_pan_fw_kerberos
Configure both firewalls identically
On both HA peers:
Use the same Kerberos authentication profile
Use the same AD server profile
Use the same service account (svc_pan_fw_kerberos)
Access the admin UI using the same FQDN (fw-admin.company.com)
Access method
Administrators must always access the firewall using the shared FQDN, not the individual management IP or hostname of each unit.
Do NOT create separate SPNs per firewall.
Do NOT bind the SPN to an IP address.
Do NOT use different hostnames for each HA peer.
The SPN must be associated with only one AD account.
With this configuration:
Kerberos SSO works on the active firewall
After HA failover, Kerberos continues to work without any changes
No second SPN is required or supported
If Kerberos works on one device today, this means the SPN and service account are already correct. The remaining requirement is to ensure both firewalls use the same configuration and are accessed through the same management FQDN.
12-18-2025 07:41 AM
PAN-OS does not have a built-in way to make a management FQDN automatically move between Active/Passive HA peers.
To ensure Kerberos SSO continues working, the shared management FQDN must always resolve to the active firewall’s management IP, and this must be handled outside the firewall.
DNS-based solution (most common)
Create one FQDN (e.g. fw-admin.company.com)
Point it to the active firewall’s management IP
Use a low DNS TTL (30–60 seconds)
Update DNS manually or with an external script that detects HA failover
Reverse proxy / load balancer
Place a proxy in front of both management interfaces
The proxy has the stable FQDN and forwards traffic only to the active firewall
No DNS changes needed during failover
Cloud floating IP (cloud-only)
Some cloud platforms can move a virtual IP between HA peers
This is handled by the cloud, not PAN-OS
PAN-OS does not support a floating/virtual management IP on physical firewalls
You must not create multiple SPNs
Administrators must always access the firewall using the shared FQDN
The solution relies on DNS or infrastructure, not firewall configuration
Bottom line:
Use a single management FQDN and a single SPN, and control where that FQDN points using DNS or an external proxy.
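The "external script that detects HA failover" item in the DNS-based solution above, as an added example that is not part of this thread and not Palo Alto Networks code: a Python watcher that asks each HA peer's management interface, over the PAN-OS XML API, for its own HA state (the `show high-availability state` operational command), and, only when exactly one peer reports `active`, repoints the shared FQDN by handing an nsupdate dynamic update to the DNS server. The peer management IPs, DNS server address, API key and TSIG key file are assumed placeholders, and the two sample API replies are constructed to match the response shape rather than captured from a device.

```python
"""Failover watcher for a shared PAN-OS management FQDN (added example).

Polls both HA peers over the XML API, decides which one is active, and
repoints the shared FQDN at it with a low-TTL A record.  Assumed values:
API_KEY, PEERS, DNS_SERVER and TSIG_KEY_FILE are placeholders, not from
the thread.
"""
import ssl
import subprocess
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, Optional

SHARED_FQDN = "fw-admin.company.com"            # FQDN used in the thread
TTL = 60                                        # low TTL, as the reply suggests
PEERS = {"fw01": "10.0.0.11", "fw02": "10.0.0.12"}  # assumed mgmt IPs of the HA pair
API_KEY = "REPLACE-WITH-XML-API-KEY"            # assumed; use a read-only admin's key
DNS_SERVER = "10.0.0.53"                        # assumed authoritative server for the zone
TSIG_KEY_FILE = "/etc/fw-admin.tsig"            # assumed TSIG key allowed to update the name

# Operational command sent as the XML API 'cmd' parameter.
HA_STATE_CMD = "<show><high-availability><state></state></high-availability></show>"

# Constructed sample replies, shaped like the API response (not captured).
SAMPLE_ACTIVE = (
    '<response status="success"><result><enabled>yes</enabled>'
    '<group><local-info><state>active</state></local-info>'
    '<peer-info><state>passive</state></peer-info></group></result></response>'
)
SAMPLE_PASSIVE = SAMPLE_ACTIVE.replace(
    "<local-info><state>active</state>", "<local-info><state>passive</state>"
).replace("<peer-info><state>passive</state>", "<peer-info><state>active</state>")


def fetch_ha_state_xml(mgmt_ip: str, timeout: float = 5.0) -> str:
    """GET one peer's HA state from its XML API and return the raw XML text."""
    query = urllib.parse.urlencode({"type": "op", "cmd": HA_STATE_CMD, "key": API_KEY})
    url = f"https://{mgmt_ip}/api/?{query}"
    ctx = ssl.create_default_context()  # keep certificate verification on for the mgmt cert
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode()


def parse_local_state(xml_text: str) -> str:
    """Return the replying peer's own HA state ('active', 'passive', ...)."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("API error: " + ET.tostring(root, encoding="unicode"))
    node = root.find("./result/group/local-info/state")
    if node is None or not node.text:
        raise RuntimeError("no result/group/local-info/state in response")
    return node.text.strip()


def choose_active(states: Dict[str, str]) -> Optional[str]:
    """Return the single peer reporting 'active', or None when the picture is
    ambiguous (no active peer, or two claiming active, e.g. split-brain).
    None means: leave DNS exactly as it is."""
    active = [name for name, st in states.items() if st == "active"]
    return active[0] if len(active) == 1 else None


def nsupdate_script(fqdn: str, ip: str, ttl: int, server: str) -> str:
    """Build an nsupdate script that replaces the A record in one transaction."""
    return "\n".join([
        f"server {server}",
        f"update delete {fqdn}. A",
        f"update add {fqdn}. {ttl} A {ip}",
        "send",
        "",
    ])


def poll_peers() -> Dict[str, str]:
    """Ask every peer for its state; an unreachable peer counts as unknown."""
    states = {}
    for name, ip in PEERS.items():
        try:
            states[name] = parse_local_state(fetch_ha_state_xml(ip))
        except Exception as exc:  # timeout, TLS failure, API error: not 'active'
            states[name] = f"unreachable ({exc})"
    return states


def main() -> None:
    states = poll_peers()
    active = choose_active(states)
    if active is None:
        print("no unambiguous active peer, leaving DNS unchanged:", states)
        return
    script = nsupdate_script(SHARED_FQDN, PEERS[active], TTL, DNS_SERVER)
    subprocess.run(["nsupdate", "-k", TSIG_KEY_FILE], input=script, text=True, check=True)
    print(f"{SHARED_FQDN} -> {PEERS[active]} ({active})")


if __name__ == "__main__":
    main()
```

Run it from a cron entry or systemd timer at an interval shorter than the record's TTL. The `None` branch is deliberate: on a timeout or a split-brain reading the script changes nothing rather than flapping the record. If the zone is AD-integrated with secure dynamic updates only, plain TSIG will be refused; in that case run the same decision logic on a domain-joined host and replace the nsupdate step with the DnsServer PowerShell cmdlets.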

