
Kerberos SSO PAN-OS 7.0.1

L1 Bithead


At the moment I'm trying to set up an SSO auth with the Admin Web Interface (and Captive Portal). I set it up like the documentation of PAN-OS 7.0 told me. I tried different crypto types, but all with the same error.

1. Log in to the KDC and open a command prompt.

2. Enter the following command, where <principal_name>, <password>, and <algorithm> are variables. The Kerberos principal name and password are of the firewall, not the user.

ktpass /princ <principal_name> /pass <password> /crypto <algorithm> /ptype KRB5_NT_PRINCIPAL /out <file_name>.keytab

If the firewall is in Federal Information Processing Standards (FIPS) or Common Criteria (CC) mode, the algorithm must be aes128-cts-hmac-sha1-96 or aes256-cts-hmac-sha1-96. Otherwise, you can also use des3-cbc-sha1 or arcfour-hmac. To use an Advanced Encryption Standard (AES) algorithm, the functional level of the KDC must be Windows Server 2008 or later and you must enable AES encryption for the firewall account.

The algorithm in the keytab must match the algorithm in the service ticket that the TGS issues to clients. Your Kerberos administrator determines which algorithms the service tickets use.

Then I put the keytab file into the Authentication Profile. After the commit, I see the following in the authd.log:

2015-07-31 08:54:02.468 +0200 debug: pan_auth_request_process(pan_auth_state_engine.c:1514): Receive request: msg type PAN_AUTH_SSO_AUTH, conv id 68, body length 235

2015-07-31 08:54:02.468 +0200 debug: _authenticate_sso(pan_auth_state_engine.c:281): Trying to auth sso: <profile: "", vsys: "", remotehost "", ticket size 66>

2015-07-31 08:54:02.468 +0200 debug: _krb_init_token_decode(pan_authd_kerberos_sso.c:1000): succeed to base64 decode service ticket

2015-07-31 08:54:02.469 +0200 debug: check_n_set_config_env_if_gone(pan_authd_kerberos_sso.c:170): got env KRB5_CONFIG = /opt/pancfg/mgmt/global/authd/krb5.config.**.**.**.1, no need to set it up

2015-07-31 08:54:02.469 +0200 debug: check_n_set_keytab_env_if_gone(pan_authd_kerberos_sso.c:199): got env KRB5_KTNAME = /opt/pancfg/mgmt/global/authd/krb5.keytab.**.**.**.1 (service principal HTTP/**.**.**.**), no need to set it up

2015-07-31 08:54:02.469 +0200 Error:  _dislay_gss_return_code(pan_authd_kerberos_sso.c:98): GSS_S_BAD_MECH

2015-07-31 08:54:02.469 +0200 Error:  _krb_accept_sec_context(pan_authd_kerberos_sso.c:1046): gss_accept_sec_context() : Unknown error

2015-07-31 08:54:02.469 +0200 failed authentication for user ''.  Reason: Single-sign-on failed.

2015-07-31 08:54:02.471 +0200 debug: _log_auth_respone(pan_auth_server.c:240): Sent FAILED auth response for user '' (exp_in_days=-1 (-1 never; 0 within a day))

Did somebody get this to work? Is there a mistake in the documentation?

Thanks for any answer.

Kind regards
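One way to check a keytab before loading it into the Authentication Profile, as an added example that is not part of the post and not Palo Alto Networks code: a small parser for the MIT keytab format that ktpass writes, plus a check that the keytab actually holds a key of the enctype the TGS puts in the service ticket (and that the type is allowed in FIPS/CC mode). The principal, realm, key bytes and timestamp in SAMPLE_KEYTAB are constructed sample values.

```python
import struct

# Kerberos enctype numbers (RFC 3961/3962/4757), named as the PAN-OS docs spell them
ENCTYPES = {16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
FIPS_CC_ALLOWED = {17, 18}      # only the AES types are permitted in FIPS/CC mode

def parse_keytab(data):         # MIT v5.02 keytab, the format ktpass writes
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    off, entries = 2, []
    while off + 4 <= len(data):
        size, off = struct.unpack_from(">i", data, off)[0], off + 4
        if size <= 0:           # a negative size marks a deleted slot: skip it
            off -= size
            continue
        end = off + size
        ncomp, off = struct.unpack_from(">H", data, off)[0], off + 2
        names = []
        for _ in range(ncomp + 1):          # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, off)
            names.append(data[off + 2:off + 2 + n].decode())
            off += 2 + n
        _ntype, _stamp, vno8, etype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13 + klen        # skip the key bytes; only the type and kvno matter here
        kvno = struct.unpack_from(">I", data, off)[0] if off + 4 <= end else vno8
        entries.append({"principal": "/".join(names[1:]) + "@" + names[0], "kvno": kvno,
                        "etype": etype, "enctype": ENCTYPES.get(etype, "etype %d" % etype)})
        off = end
    return entries

def check_for_ticket(entries, ticket_enctype, fips_cc=False):
    # Can a service ticket of this enctype be decrypted with a key from this keytab?
    match = [e for e in entries if e["enctype"] == ticket_enctype]
    if not match:
        return "no %s key in keytab: service ticket cannot be decrypted" % ticket_enctype
    if fips_cc and match[0]["etype"] not in FIPS_CC_ALLOWED:
        return "%s key present but not allowed in FIPS/CC mode" % ticket_enctype
    return "ok: %s kvno %d" % (match[0]["principal"], match[0]["kvno"])

def _entry(principal, realm, etype, key, kvno=3):   # builds one entry for the sample below
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + b"".join(
        struct.pack(">H", len(s)) + s.encode() for s in [realm] + comps)
    body += struct.pack(">IIBHH", 1, 1438325642, kvno, etype, len(key)) + key  # 1 = KRB5_NT_PRINCIPAL
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample keytab (not from the post): arcfour-hmac and aes256 keys for one principal
SAMPLE_KEYTAB = (b"\x05\x02" + _entry("HTTP/fw.example.com", "EXAMPLE.COM", 23, b"\x11" * 16)
                 + _entry("HTTP/fw.example.com", "EXAMPLE.COM", 18, b"\x22" * 32))
```

On a real firewall keytab, compare the enctype reported here with the enctype of the ticket the client sends (for example from klist on the client); a keytab that only holds a different type cannot decrypt that ticket, whatever the GSS layer then reports.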

