Create a Kerberos Keytab
Create a Kerberos keytab for deploying Kerberos for Explicit Proxy in Prisma Access.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
  • Minimum Required Dataplane Version: PAN-OS 10.1.3 or later versions
After you review the requirements and recommendations for deploying Kerberos for Explicit Proxy, you're ready to create a Kerberos keytab.
For optimal performance, the keytab file should be less than 60 KB in size.
  1. Get the FQDN, proxy FQDNs, and DNS CNAMEs that are required to set up your Kerberos authentication.
    Kerberos authentication uses the information retrieved from Prisma Access to create and configure the Kerberos keytabs. The API script retrieves the following information:
    • ep_geo_lb_fqdn—The Explicit Proxy DNS FQDN used in the Explicit Proxy network load balancer configuration. This FQDN is identical to the Explicit Proxy URL in the Prisma Access UI under Manage > Service Setup > Explicit Proxy > Explicit Proxy URL. If you're using Strata Cloud Manager, go to Workflows > Prisma Access Setup > Explicit Proxy > Infrastructure Settings > Explicit Proxy URL.
    • ep_geo_lb_cname—The DNS CNAME for the Explicit Proxy tenant.
    • ep_regional_fqdn—The FQDNs used for the onboarded Explicit Proxy locations. Explicit Proxy gives each location a public IP address for the network load balancer; the ep_regional_fqdn is the FQDN associated with that IP address. If multiple locations share the same public IP address, those locations use the same regional FQDN.
    1. Generate an API key to use as part of a curl command.
      • On Prisma Access (Managed by Strata Cloud Manager), select Manage > Service Setup > Shared > Prisma Access Setup > Infrastructure Settings > Generate New API Key. If you're using Strata Cloud Manager, go to Workflows > Prisma Access Setup > Prisma Access > Infrastructure Settings > Generate New API Key.
      • On Panorama Managed Prisma Access, select Panorama > Cloud Services > Configuration > Service Setup > Generate API Key.
    2. Create a .txt file (option.txt in the example below) and enter the following request body in the file:
      { "serviceType": "swg_proxy", "location": "deployed", "addrType": "network_load_balancer" }
    3. Enter the following command to retrieve the FQDNs required for Kerberos authentication:
      curl -X POST --data @option.txt -H "header-api-key:Current-API-Key" "https://api.prod.datapath.prismaaccess.com/getPrismaAccessIP/v2"
      Where option.txt is the .txt file you created in the previous step and Current-API-Key is the Prisma Access API key. The API key is a secret: read it from a file or environment variable rather than leaving it in your shell history or in a script checked into source control.
    4. Make a note of the FQDNs. There is at least one ep_geo_lb_fqdn, one ep_geo_lb_cname, and one ep_regional_fqdn per onboarded location.
  2. Create a new user for the Prisma Access Explicit Proxy service in your organization’s Active Directory (AD) by entering the following command:
    New-ADUser -Name "USER_NAME" -GivenName "USER_GIVEN_NAME" -SamAccountName "USER_SAMACCOUNTNAME" -UserPrincipalName "USER_NAME@DNS_DOMAIN_NAME" -Path "X_500_PATH" -AccountPassword (ConvertTo-SecureString "PASSWORD" -AsPlainText -Force) -Enabled $true -KerberosEncryptionType RC4,AES128,AES256
    Where:
    • USER_NAME is the name of the user object.
    • USER_GIVEN_NAME is the user’s given name.
    • USER_SAMACCOUNTNAME is the user’s Security Account Manager (SAM) account name.
    • USER_NAME@DNS_DOMAIN_NAME is the user’s user principal name (UPN).
    • X_500_PATH is the X.500 path of the OU or container where the new object is created (for example, DC=EXAMPLE,DC=COM).
    • PASSWORD is the password to use for the account. Use a long, randomly generated value: the service's Kerberos keys are derived from this password, so anyone who learns it can forge the proxy's identity. To keep it out of the PowerShell history, read it with Read-Host -AsSecureString instead of passing a literal to ConvertTo-SecureString.
    The following CLI example has a user name of example, a SAM name of example, a given name of PrismaAccess EP Service User, a UPN of example@exmp.com, a path of DC=EXMP,DC=COM, and a password of Ex@mple123:
    New-ADUser -Name "example" -GivenName "PrismaAccess EP Service User" -SamAccountName "example" -UserPrincipalName "example@exmp.com" -Path "DC=EXMP,DC=COM" -AccountPassword (ConvertTo-SecureString "Ex@mple123" -AsPlainText -Force) -Enabled $true -KerberosEncryptionType RC4,AES128,AES256
    The previous command includes the RC4 encryption type. The RC4-HMAC Kerberos key is the account's NT hash (an unsalted MD4 of the password), so an RC4 key in the keytab, or any RC4-encrypted service ticket captured on the network, can be cracked offline far faster than the salted, PBKDF2-derived AES keys. Follow your organization’s security policies and guidelines to include or exclude RC4 in this command; if you exclude it here, also remove the arcfour-hmac entries during the keytab cleanup in Step 6.
  3. Enter the following command to prevent the password from expiring and to prevent it from being changed:
    Get-ADUser USER_NAME | Set-ADUser -PasswordNeverExpires:$true -CannotChangePassword:$true
    Follow your organization’s security policies and guidelines for password expiration and rotation. Whenever the password is rotated, the account's key version number (KVNO) increments and the keys in the keytab no longer match, so you must regenerate the keytab and upload it again.
  4. Enter the following command to display the newly created user account together with its current key version number. The KVNO in the keytabs you export in the next step must match this value:
    Get-ADUser USER_NAME -Properties msDS-KeyVersionNumber
  5. Associate the SPNs and export keytab files to use with Kerberos authentication in your Windows AD.
    A keytab file allows Explicit Proxy to validate the Kerberos authentication tokens presented in traffic flows from users, servers, IoT devices, or other headless machines. During keytab creation, Explicit Proxy requires that the values you retrieved using the API in Step 1 be associated as service principal names (SPNs) with the user account you created in Step 2.
    Use the ep_geo_lb_fqdn, ep_geo_lb_cname, and ep_regional_fqdn values. A client requests a service ticket for HTTP/<the proxy name it connected to>, so a key for each of these names lets Explicit Proxy decrypt tickets no matter which of the proxy names the client used.
    Two ktpass behaviors matter here. By default ktpass sets the mapped account's password to the -pass value (+setpass), and it can also rewrite the account's UPN to the principal name (+setupn), so after running it for each SPN, check the account's UPN and msDS-KeyVersionNumber again. Keytab files contain the service's long-term keys and are as sensitive as the account password: create them on a trusted host, restrict file permissions to the account doing the work, and delete the intermediate copies once the final keytab is uploaded.
    1. Generate and export a keytab using the ep_geo_lb_fqdn value as the service principal name (SPN) by entering the following command:
      ktpass -princ HTTP/ep_geo_lb_fqdn@REALM -mapuser DOMAIN\USER_NAME -ptype KRB5_NT_PRINCIPAL -crypto all -pass PASSWORD -out KEYTAB_NAME_1.keytab
      Where:
      • ep_geo_lb_fqdn is the ep_geo_lb_fqdn value returned from the Explicit Proxy API script.
      • REALM is the Kerberos realm (for example, EXMP.COM). Realm names are case-sensitive; in most cases, you enter the realm using uppercase letters.
      • DOMAIN\USER_NAME is the domain-level logon name (for example, EXMP\example).
      • PASSWORD is the password to use for the keytab. Because ktpass sets the mapped account's password to this value by default, the account password and the keys in the keytab stay in sync; use the same value for the ep_geo_lb_cname and ep_regional_fqdn SPNs in the next steps.
      • KEYTAB_NAME_1 is the name of the keytab. The keytab name must be unique to this SPN.
      -crypto all exports DES, RC4, and AES keys for the principal; the DES entries are removed in Step 6. Be sure to follow the best practices for creating SPNs and passwords.
      The following CLI example has an ep_geo_lb_fqdn of example.proxy.prismaaccess.com, a REALM of EXMP.COM, a DOMAIN\USER_NAME of EXMP\example, a PASSWORD of Ex@mple123, and an exported keytab name of exmp1.keytab:
      ktpass -princ HTTP/example.proxy.prismaaccess.com@EXMP.COM -mapuser EXMP\example -ptype KRB5_NT_PRINCIPAL -crypto all -pass Ex@mple123 -out exmp1.keytab
    2. Generate and export a keytab using the ep_geo_lb_cname value as the SPN by entering the following command:
      ktpass -princ HTTP/ep_geo_lb_cname@REALM -mapuser DOMAIN\USER_NAME -ptype KRB5_NT_PRINCIPAL -crypto all -pass PASSWORD -out KEYTAB_NAME_2.keytab
      Where:
      • ep_geo_lb_cname is the ep_geo_lb_cname value returned from the Explicit Proxy API script.
      • REALM is the realm (for example, EXMP.COM).
      • DOMAIN\USER_NAME is the domain-level logon name (for example, EXMP\example).
      • PASSWORD is the password to use for the keytab. This password must match the ep_geo_lb_fqdn and ep_regional_fqdn SPN passwords.
      • KEYTAB_NAME_2 is the name of the keytab you want to export. This name must be different from the other SPN keytab names you create.
      The following CLI example has an ep_geo_lb_cname of prisma-abcde12345.proxy.prismaaccess.com, a REALM of EXMP.COM, a DOMAIN\USER_NAME of EXMP\example, a PASSWORD of Ex@mple123, and an exported keytab name of exmp2.keytab:
      ktpass -princ HTTP/prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM -mapuser EXMP\example -ptype KRB5_NT_PRINCIPAL -crypto all -pass Ex@mple123 -out exmp2.keytab
    3. Generate and export a keytab using the ep_regional_fqdn value as the SPN by entering the following command:
      ktpass -princ HTTP/ep_regional_fqdn@REALM -mapuser DOMAIN\USER_NAME -ptype KRB5_NT_PRINCIPAL -crypto all -pass PASSWORD -out KEYTAB_NAME_3.keytab
      Where:
      • ep_regional_fqdn is the ep_regional_fqdn value returned from the Explicit Proxy API script.
      • REALM is the realm (for example, EXMP.COM).
      • DOMAIN\USER_NAME is the domain-level logon name (for example, EXMP\example).
      • PASSWORD is the password to use for the keytab. This password must match the ep_geo_lb_fqdn and ep_geo_lb_cname SPN passwords.
      • KEYTAB_NAME_3 is the name of the keytab you want to export. This name must be different from the other SPN keytab names you create.
      The following CLI example has an ep_regional_fqdn of us-west-2.prisma-abcde12345.proxy.prismaaccess.com, a REALM of EXMP.COM, a DOMAIN\USER_NAME of EXMP\example, a PASSWORD of Ex@mple123, and an exported keytab name of exmp3.keytab:
      ktpass -princ HTTP/us-west-2.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM -mapuser EXMP\example -ptype KRB5_NT_PRINCIPAL -crypto all -pass Ex@mple123 -out exmp3.keytab
    4. (Optional) If you have additional locations that use different ep_regional_fqdn values, and you want to create keytabs for those locations, generate and export one or more additional keytabs by repeating Step 5.c with the ep_regional_fqdn value for each of those locations.
      Create a unique keytab name for each unique ep_regional_fqdn. For example, if the ep_regional_fqdn for another location is us-east-2.prisma-abcde12345.proxy.prismaaccess.com, enter the following sample CLI with a unique exported keytab file name:
      ktpass -princ HTTP/us-east-2.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM -mapuser EXMP\example -ptype KRB5_NT_PRINCIPAL -crypto all -pass Ex@mple123 -out exmp4.keytab
  6. Delete unsupported ciphers in the created keytabs by entering the following ktutil commands on Ubuntu (klist and ktutil are in the krb5-user package).
    The following system output shows the entries that a keytab exported with -crypto all typically contains (ktutil list -e output), with the slot numbers you need for the cleanup:
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
       1    3 HTTP/us-west-2.prisma-abcde12345.proxy.prismaaccess.com@PANW.COM (des-cbc-crc)
       2    3 HTTP/us-west-2.prisma-abcde12345.proxy.prismaaccess.com@PANW.COM (des-cbc-md5)
       3    3 HTTP/us-west-2.prisma-abcde12345.proxy.prismaaccess.com@PANW.COM (arcfour-hmac)
       4    3 HTTP/us-west-2.prisma-abcde12345.proxy.prismaaccess.com@PANW.COM (aes256-cts-hmac-sha1-96)
       5    3 HTTP/us-west-2.prisma-abcde12345.proxy.prismaaccess.com@PANW.COM (aes128-cts-hmac-sha1-96)
    # Display all keytabs and note the entry (slot) numbers of the des-cbc-crc and des-cbc-md5 keys to remove.
    # Also, keep or remove arcfour-hmac (RC4) based on your organization's policy.
    # klist -k lists a keytab, -t adds timestamps, -e adds enctypes. Don't add -K, which prints the key bytes themselves.
    for i in keytab_name*.keytab; do echo "$i"; klist -kte "$i"; done
    # Clean up unsupported ciphers. With -crypto all, the slots are typically:
    #   entry #1 des-cbc-crc
    #   entry #2 des-cbc-md5
    #   entry #3 arcfour-hmac
    # Always delete the higher slot first: ktutil renumbers the remaining entries after each delent,
    # so delent 1 followed by delent 2 would remove des-cbc-crc and then arcfour-hmac, leaving des-cbc-md5 in place.
    # To drop RC4 as well, enter delent 3 before delent 2 and delent 1.
    # wkt adds entries to an existing file rather than replacing it, so remove any old new*.keytab first.
    ktutil
    rkt KEYTAB_NAME_1.keytab
    delent 2
    delent 1
    wkt new1.keytab
    quit
    ktutil
    rkt KEYTAB_NAME_2.keytab
    delent 2
    delent 1
    wkt new2.keytab
    quit
    ktutil
    rkt KEYTAB_NAME_3.keytab
    delent 2
    delent 1
    wkt new3.keytab
    quit
    Where KEYTAB_NAME_1.keytab, KEYTAB_NAME_2.keytab, and KEYTAB_NAME_3.keytab are the keytabs you created in the previous step. Check each result with klist -kte new1.keytab (and so on) before moving on: only arcfour-hmac (if you kept it) and the two AES entries should remain, all with the same KVNO.
  7. (Optional) If you created more keytabs for other regions, remove unsupported ciphers from those keytabs by entering the same ktutil commands, substituting KEYTAB_NAME_1.keytab with the keytab name you used for the region or regions and specifying a different output file (for example, new4.keytab, new5.keytab, and so on).
  8. Merge the keytabs you created by entering the following ktutil commands, where new1.keytab, new2.keytab, and new3.keytab are the keytabs you created in the previous step. Be sure to include all the region-specific keytabs: add one rkt line per additional file before wkt.
    ktutil
    rkt new1.keytab
    rkt new2.keytab
    rkt new3.keytab
    wkt papxv1.keytab
    quit
    When complete, verify the merged file with klist -kte papxv1.keytab: every SPN should be present, no des-cbc-* entries should remain, and the file should be under 60 KB. Then use the keytab you created (papxv1.keytab in this example) as the keytab for Explicit Proxy, and delete the intermediate KEYTAB_NAME_*.keytab and new*.keytab files, which hold the same long-term keys.
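The following script is an added example written for this page; it is not part of the Prisma Access documentation or of any Palo Alto Networks tool. It automates Steps 6 through 8 and adds the checks a practitioner wants before uploading: instead of assuming that the DES keys always sit in slots 1 and 2, it reads the enctype names from klist -kte output, emits the delent commands highest slot first so that ktutil's renumbering cannot remove the wrong key, verifies that no unsupported enctype survives the cleanup and merge, warns when entries carry different KVNOs, and enforces the 60 KB size recommendation. It assumes MIT Kerberos tools (the krb5-user package on Ubuntu) for the real run only; the planning and verification functions need just awk, so the script runs offline against the constructed sample klist output embedded in it. The file names (new1.keytab, papxv1.keytab) follow the page's examples; the DROP_RC4 switch and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Prisma Access documentation: plan the ktutil cleanup
# from the enctype names klist reports, verify the result, and drive the merge.
# Assumes MIT Kerberos tools (krb5-user on Ubuntu) for the real run only; the
# planning/verification functions need just awk and run offline.

# Enctypes the page says Explicit Proxy cannot use (single DES).
UNSUPPORTED_ENCTYPES="des-cbc-crc des-cbc-md5"
# Set DROP_RC4=1 to strip arcfour-hmac as well, per your organization's policy.
DROP_RC4="${DROP_RC4:-0}"
# Size recommendation from the page: keep the keytab under 60 KB.
MAX_KEYTAB_BYTES=61440

# Constructed sample of `klist -kte exmp3.keytab` output (made up for this
# example; the slot order is what ktpass -crypto all typically produces).
SAMPLE_KLIST='Keytab name: FILE:exmp3.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/01/2024 00:00:00 HTTP/us-west-2.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM (des-cbc-crc)
   3 01/01/2024 00:00:00 HTTP/us-west-2.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM (des-cbc-md5)
   3 01/01/2024 00:00:00 HTTP/us-west-2.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM (arcfour-hmac)
   3 01/01/2024 00:00:00 HTTP/us-west-2.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM (aes256-cts-hmac-sha1-96)
   3 01/01/2024 00:00:00 HTTP/us-west-2.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM (aes128-cts-hmac-sha1-96)'

# Read `klist -kte` output on stdin; print the ktutil slot numbers to delete,
# highest first, because ktutil renumbers the remaining entries after each
# delent and a low-to-high order would delete the wrong keys.
plan_delents() {
  awk -v drop="$UNSUPPORTED_ENCTYPES" -v rc4="$DROP_RC4" '
    BEGIN { k = 0; n = split(drop, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1
            if (rc4 == "1") bad["arcfour-hmac"] = 1 }
    /^ *[0-9]+ / { slot++; e = $NF; gsub(/[()]/, "", e); if (e in bad) del[++k] = slot }
    END { for (i = k; i >= 1; i--) print del[i] }'
}

# Emit the ktutil command script that strips the unsupported entries of keytab
# $1 and writes the survivors to $2; klist output is read on stdin.
# Usage: klist -kte exmp1.keytab | ktutil_script exmp1.keytab new1.keytab | ktutil
ktutil_script() {
  echo "rkt $1"
  plan_delents | sed 's/^/delent /'
  echo "wkt $2"
  echo "quit"
}

# Read `klist -kte` output on stdin and check a cleaned or merged keytab:
# exit 1 if an unsupported enctype is still present or there are no entries;
# warn if entries carry different KVNOs (compare against msDS-KeyVersionNumber).
verify_klist() {
  awk -v drop="$UNSUPPORTED_ENCTYPES" '
    BEGIN { rc = 0; total = 0; n = split(drop, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
    /^ *[0-9]+ / { e = $NF; gsub(/[()]/, "", e); total++; kvno[$1] = 1
                   if (e in bad) { print "FAIL: " e " still present for " $(NF-1); rc = 1 } }
    END { c = 0; for (k in kvno) c++
          if (c > 1) print "WARN: entries carry " c " different KVNOs; check msDS-KeyVersionNumber"
          if (total == 0) { print "FAIL: no entries"; rc = 1 }
          exit rc }'
}

# The page's size recommendation for the merged file.
keytab_size_ok() {
  [ "$(wc -c < "$1" | tr -d ' ')" -lt "$MAX_KEYTAB_BYTES" ]
}

# Real run (needs klist and ktutil): clean each ktpass export, merge, verify.
# Usage: sh keytab_prep.sh --run exmp1.keytab exmp2.keytab exmp3.keytab [exmp4.keytab ...]
prep_and_merge() {
  umask 077                  # keytabs are credentials: owner-only files
  merged=papxv1.keytab
  rm -f "$merged"            # ktutil wkt adds to an existing file instead of replacing it
  i=0
  for kt in "$@"; do
    i=$((i + 1))
    rm -f "new$i.keytab"
    klist -kte "$kt" | ktutil_script "$kt" "new$i.keytab" | ktutil
  done
  { n=1; while [ "$n" -le "$i" ]; do echo "rkt new$n.keytab"; n=$((n + 1)); done
    echo "wkt $merged"; echo "quit"; } | ktutil
  klist -kte "$merged" | verify_klist && keytab_size_ok "$merged"
}

if [ "${1:-}" = "--run" ]; then
  shift
  prep_and_merge "$@"
else
  # Offline demonstration: show the ktutil script planned for the sample keytab.
  printf '%s\n' "$SAMPLE_KLIST" | ktutil_script exmp3.keytab new3.keytab
fi
```

Without --run the script only prints the ktutil commands it would feed for the sample (rkt, delent 2, delent 1, wkt, quit); with DROP_RC4=1 it adds delent 3 ahead of them. The KVNO warning is deliberately not a failure: the script cannot see the account's msDS-KeyVersionNumber, so confirm that value yourself (Step 4) before uploading papxv1.keytab.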
