This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

Palo Alto Kerberos for sso

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Palo Alto Kerberos for sso

bbashash81
L1 Bithead

‎08-16-2025 05:52 AM

Anyone hit the same issue before?

 

2025-08-16 20:35:38.768 +0800 debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:218): prof "KRB-SSO", vsys "vsys1" (method: Kerberos pre-auth) has sso hash table id: 1 (0 means no or invalid keytab)

0 Likes Likes
3 REPLIES 3

bbashash81
L1 Bithead

‎08-17-2025 12:11 AM

anyone have the steps for kerberos with captival portal?

The issues i'm facing is when i enter a external website and it will prompt me with the login prompt. If i login and is working fine but end goal is to do SSO via kerberos for captival portal. 

 

From the client, i should have seen this but it doesn't appear. 

bbashash81_0-1755414425506.png

 

from the firewall without login to the prompt, i always see these error.  I have regenerate the keytab for more than 10 times. and i have check the version of kerberos from the AD server and the keytab via the below command. both are the same version.

Ktpass /in <filename.keytab>
− dsquery * -filter sAMAccountName=<accountname> -attr msDS-KeyVersionNumber

 

2025-08-17 14:58:59.172 +0800 debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:218): prof "KRB-SSO", vsys "vsys1" (method: Kerberos pre-auth) has sso hash table id: 1 (0 means no or invalid keytab)
2025-08-17 14:58:59.193 +0800 debug: pan_auth_request_process(pan_auth_state_engine.c:3618): Receive request: msg type PAN_AUTH_REQ_GET_AUTHD_ID, conv id 168, body length 2448
2025-08-17 14:58:59.193 +0800 debug: _log_auth_respone(pan_auth_server.c:625): Sent PAN_AUTH_GET_AUTHD_ID_SUCCESS auth response for user '' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 7539262304362168525)

0 Likes Likes

PavelK
Cyber Elite
Cyber Elite

‎08-17-2025 11:10 PM

Hello @bbashash81

 

thanks for post!

 

To me this log message does not indicate an issue / authentication failure. Could you please elaborate where and for what purpose you are setting up Kerberos authentication?

If the authentication is failing there should be more detailed log after the log message you shared. Just in case, here is Configure Kerberos Single Sign-On configuration guide.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

PavelK
Cyber Elite
Cyber Elite

‎08-18-2025 05:25 PM

Hello @bbashash81

 

thank you for reply.

 

From your post it looks like that your Keytab has been generated correctly, however just in case here is a manual: How To Generate Kerberos Keytab for SSO. Make sure that FQDN for captive portal is resolvable and pointing to Firewall's interface where Captive Portal is enabled.

 

Here is the tutorial for Captive Portal setup: How to Configure Captive Portal. In Step No.6 import Kerberos Keytab. Also make sure that certificate's SAN field is FQDN of Captive Portal.

 

Make sure that in authentication policy you configured browser challenge to trigger SSO (Step No.3): Configure Kerberos Single Sign-On.

Make sure that you set redirect mode and redirect host matches certificate's SAN name: What are the client trust settings required to change the redirect URL for captive portal with Kerbe....

Finally, you will have to enable decryption: Captive Portal Not Working with HTTPS Sessions. Could you test whether captive portal SSO works for test HTTP site?

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.
0 Likes Likes
  • 492 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks