This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

About chrkli193

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
chrkli193
‎07-30-2020
since ‎01-30-2012
L1 Bithead
User Activity
User Profile
Latest posts by chrkli193
View All
User Badges
Community Statistics
Member Since ‎01-30-2012 12:32 AM
Date Last Visited ‎07-30-2020 08:49 AM
Posts 8

Re: ADFS SAML Configuration

by in General Topics
‎11-13-2017 06:45 AM
‎11-13-2017 06:45 AM
But can you add screenshots of your ADFS rules?   Thanks! ... View more

Re: ADFS SAML Configuration

by in General Topics
‎11-10-2017 09:04 PM
‎11-10-2017 09:04 PM
After a lot of trying I'm at the point that I can login via SAML to global protect. I'm using three rules in ADFS configuration: 1. Rule:   c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"] => add(store = "_OpaqueIdStore", types = ("http://mycompany/internal/sessionid"), query = "{0};{1};{2};{3};{4}", param = "useEntropy", param = c1.Value, param = c1.OriginalIssuer, param = "", param = c2.Value); 2. Rule: 3. Rule: I use sAMAccountName instead of username in my Authentication Profile.   For just logon to global protect via SAML that seems ok.    But I want to use Clientless VPN with apps that also do a SAML authentication. At the moment the situation is the following:   I open the global protect portal and get redirected to the ADFS logon site (external Form authentication). I logon and get redirected to the Clientless VPN portal. Then I click on one app which also uses SAML authentication. I expect that the app will just open because I'm already authenticated via SAML BUT I get another ADFS authentication window (internal Windows Authentication) and have to logon again.  When I then open another app from clientless vpn portal then this works via SSO.   I think that happens because ADFS cannot map my session after I'm authenticated to the global protect portal so I think there is still missing something in the configuration of the rules.   (Another information: I had to delete encryption and signature info in ADFS for the Clientless VPN party. I don't know why but I will check this later. )   Any ideas?   Thanks!   ... View more

Re: ADFS SAML Configuration

by in General Topics
‎11-03-2017 01:45 AM
‎11-03-2017 01:45 AM
Hi,   can you add a screenshot of your rules?   Thanks ... View more

Kerberos SSO PAN-OS 7.0.1

by in General Topics
‎07-31-2015 12:07 AM
‎07-31-2015 12:07 AM
Hello, at the moment I'm trying to set up a SSO Auth with the Admin Web Interface (and Captive Portal). I set it up like the documentation of PAN-OS 7.0 told me. I tried different Crypto types but all with the same error. 1. Log in to the KDC and open a command prompt. 2. Enter the following command, where <principal_name>, <password>, and <algorithm> are variables. The Kerberos principal name and password are of the firewall, not the user. ktpass /princ <principal_name> /pass <password> /crypto <algorithm> /ptype KRB5_NT_PRINCIPAL /out <file_name>.keytab If the firewall is in Federal Information Processing Standards (FIPS) or Common Criteria (CC) mode, the algorithm must be aes128-cts-hmac-sha1-96 or aes256-cts-hmac-sha1-96. Otherwise, you can also use des3-cbc-sha1 or arcfour-hmac. To use an Advanced Encryption Standard (AES) algorithm, the functional level of the KDC must be Windows Server 2008 or later and you must enable AES encryption for the firewall account. The algorithm in the keytab must match the algorithm in the service ticket that the TGS issues to clients. Your Kerberos administrator determines which algorithms the service tickets use. Then I put the keytab file into the Authentication Profile. After the commit I see in the authd.log the following: 2015-07-31 08:54:02.468 +0200 debug: pan_auth_request_process(pan_auth_state_engine.c:1514): Receive request: msg type PAN_AUTH_SSO_AUTH, conv id 68, body length 235 2015-07-31 08:54:02.468 +0200 debug: _authenticate_sso(pan_auth_state_engine.c:281): Trying to auth sso: <profile: "", vsys: "", remotehost "", ticket size 66> 2015-07-31 08:54:02.468 +0200 debug: _krb_init_token_decode(pan_authd_kerberos_sso.c:1000): succeed to base64 decode service ticket 2015-07-31 08:54:02.469 +0200 debug: check_n_set_config_env_if_gone(pan_authd_kerberos_sso.c:170): got env KRB5_CONFIG = /opt/pancfg/mgmt/global/authd/krb5.config.**.**.**.1, no need to set it up 2015-07-31 08:54:02.469 +0200 debug: check_n_set_keytab_env_if_gone(pan_authd_kerberos_sso.c:199): got env KRB5_KTNAME = /opt/pancfg/mgmt/global/authd/krb5.keytab.**.**.**.1 (service principal HTTP/**.**.**.**), no need to set it up 2015-07-31 08:54:02.469 +0200 Error:  _dislay_gss_return_code(pan_authd_kerberos_sso.c:98): GSS_S_BAD_MECH 2015-07-31 08:54:02.469 +0200 Error:  _krb_accept_sec_context(pan_authd_kerberos_sso.c:1046): gss_accept_sec_context() : Unknown error 2015-07-31 08:54:02.469 +0200 failed authentication for user ''.  Reason: Single-sign-on failed. 2015-07-31 08:54:02.471 +0200 debug: _log_auth_respone(pan_auth_server.c:240): Sent FAILED auth response for user '' (exp_in_days=-1 (-1 never; 0 within a day)) Did somebody get this to work? Is there a mistake in the documentation? Thanks for any anwser. Kind regards Christoph ... View more
Labels:

Re: ThreatLog forwarding doesnt work

by in General Topics
‎04-14-2012 12:20 AM
‎04-14-2012 12:20 AM
I installed the 4.1.5 and now it works. Thank you! ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎07-30-2020 08:49 AM
Latest Tags
No tags yet
LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks