Captive portal browser challenge issue

L1 Bithead

Hi team,


While trying to deploy Kerberos SSO for end-user authentication, I ran into the following issue with the captive portal (browser challenge).



When an end user logged in to a Windows machine (part of the domain) tries to connect to "" for example, here is what happens on the wire:

1/ The browser sends a request to

2/ PAN redirects the browser to the captive portal with a 302 to the location: http://palologin.kabe.lab:6080/php/browser_challenge.php?vsys=1&rule=0&url=
3/ The browser follows the redirect and gets this response from the Palo:

HTTP/1.1 200 OK
Date: Thu, 16 Apr 2020 15:29:51 GMT
Content-Type: text/html
Content-Length: 909
Connection: keep-alive
Cache-Control: no-cache
Set-Cookie: SESSID=f4MBAV6Yee96xCU+AwMFAg==; path=/

<TITLE>Kerberos V5 Authentication Redirection</TITLE>
<meta http-equiv="refresh" content="5; url=http://palologin.kabe.lab/php/browser_challenge.php?vsys=1&rule=0&url=">
<script language="Javascript" type="text/javascript">
if(typeof(Storage) != "undefined") {
       var orig_url = "";
       sessionStorage.setItem ("isoffline", 0); 
       if(orig_url != "")
           sessionStorage.setItem("origurl", orig_url); 
window.location = "http://palologin.kabe.lab/php/browser_challenge.php?vsys=1&rule=0&url="; 
<p><b>Kerberos V5 Authentication Redirection</b></p>
<p>In case you see this page,
        <li>Your browser does not support both Kerberos and NTLM authentication.  Waiting for refresh.</li>


4/ The browser executes the JavaScript and sends a GET request to "http://palologin.kabe.lab/php/browser_challenge.php?vsys=1&rule=0&url="


5/ The browser gets no response, and the authentication fails!


The problem is at step 4/, in which the Palo Alto should make the browser send the GET request to "http://palologin.kabe.lab:6080/php/browser_challenge.php?vsys=1&rule=0&url=" instead.

I used Fiddler to change browser request number 4 (and add the :6080) and the authentication worked just fine!


I tried to search for a similar bug in the KB without success. Am I the only one who is facing this issue? Or am I missing something in my config?

I'm on version 91.2 and here is my config :
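
The port mismatch described in this post can be checked mechanically from a capture. The following is an added example, not part of the original post and not Palo Alto code: it compares the origin of the 302 Location with the origins of the meta-refresh and window.location targets in the challenge page. The sample strings are constructed from the capture above, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample modelled on the capture in the post (url= is empty there too).
REDIRECT_LOCATION = "http://palologin.kabe.lab:6080/php/browser_challenge.php?vsys=1&rule=0&url="
CHALLENGE_BODY = '''<TITLE>Kerberos V5 Authentication Redirection</TITLE>
<meta http-equiv="refresh" content="5; url=http://palologin.kabe.lab/php/browser_challenge.php?vsys=1&rule=0&url=">
<script language="Javascript" type="text/javascript">
window.location = "http://palologin.kabe.lab/php/browser_challenge.php?vsys=1&rule=0&url=";
</script>'''

META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']refresh["\'][^>]*content=["\']\s*\d+\s*;\s*url=([^"\']+)',
    re.I)
JS_LOCATION = re.compile(r'window\.location(?:\.href)?\s*=\s*["\']([^"\']+)["\']')

def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)

def follow_up_targets(body):
    """URLs the page sends the browser to next: meta refresh and window.location."""
    targets = [("meta-refresh", m.group(1).strip()) for m in META_REFRESH.finditer(body)]
    targets += [("window.location", m.group(1)) for m in JS_LOCATION.finditer(body)]
    return targets

def origin_mismatches(location, body):
    """Follow-up targets whose origin differs from the one the 302 pointed at."""
    expected = origin(location)
    return [(kind, url, origin(url))
            for kind, url in follow_up_targets(body)
            if origin(url) != expected]

if __name__ == "__main__":
    print("302 Location origin:", origin(REDIRECT_LOCATION))
    for kind, url, got in origin_mismatches(REDIRECT_LOCATION, CHALLENGE_BODY):
        print(f"MISMATCH via {kind}: {got} <- {url}")
```

On the constructed sample both follow-up targets resolve to port 80 while the 302 pointed at port 6080, which matches the behaviour described in step 4/.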


