Create a Kerberos Keytab
Create a Kerberos keytab for deploying Kerberos for Explicit Proxy in Prisma Access.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
  • Minimum Required Dataplane Version: PAN-OS 10.1.3 or later versions
After you review the requirements and recommendations for deploying Kerberos for Explicit Proxy, you're ready to create a Kerberos keytab.
For optimal performance, the keytab file should be less than 60 KB in size.
  1. Get the FQDN, proxy FQDNs, and DNS CNAMEs that are required to set up your Kerberos authentication.
    Kerberos authentication uses information retrieved from Prisma Access to create and configure the Kerberos keytabs. The API call in this step returns the following values:
    • ep_geo_lb_fqdn—The Explicit Proxy DNS FQDN used in the Explicit Proxy network load balancer configuration. This FQDN is identical to the Explicit Proxy URL shown in the Prisma Access UI under Workflows > Prisma Access Setup > Explicit Proxy > Infrastructure Settings > Explicit Proxy URL.
    • ep_geo_lb_cname—The DNS CNAME for the Explicit Proxy tenant.
    • ep_regional_fqdn—The FQDNs used for the onboarded Explicit Proxy locations.
      Explicit Proxy gives each location a public IP address for the network load balancer; the ep_regional_fqdn is the FQDN associated with that IP address. If multiple locations share the same public IP address, those locations use the same regional FQDN.
    1. Generate an API key to use as part of a curl command.
      • On Prisma Access (Managed by Strata Cloud Manager), select Workflows > Prisma Access Setup > Prisma Access > Infrastructure Settings > Generate New API Key.
      • On Panorama Managed Prisma Access, select Panorama > Cloud Services > Configuration > Service Setup > Generate API Key.
    2. Create a .txt file (for example, option.txt) and enter the following request body in the file; it is sent as the --data payload of the curl command in the next step:
      {
      "serviceType": "swg_proxy",
      "location": "deployed",
      "addrType": "network_load_balancer"
      }
    3. Enter the following command to retrieve the required FQDNs to use Kerberos authentication:
      curl -X POST --data @option.txt -H header-api-key:Current-API-Key "https://api.prod.datapath.prismaaccess.com/getPrismaAccessIP/v2"
      Where option.txt is the .txt file you created in a previous step and Current-API-Key is the Prisma Access API key.
    4. Make a note of the FQDNs.
      There is at least one ep_geo_lb_fqdn and one ep_geo_lb_cname, and at least one ep_regional_fqdn per onboarded location (locations that share a public IP address share a regional FQDN, as noted above). Every value you note here becomes a service principal name (SPN) in Step 5.
  2. Create a new user for the Prisma Access Explicit Proxy service in your organization’s Active Directory (AD) by entering the following PowerShell command (Active Directory module):
    New-ADUser -Name "USER_NAME" -GivenName "USER_GIVEN_NAME" -SamAccountName "USER_SAMACCOUNTNAME" -UserPrincipalName "USER_NAME@DNS_DOMAIN_NAME" -Path "X_500_PATH" -AccountPassword (ConvertTo-SecureString "PASSWORD" -AsPlainText -Force) -Enabled $true -KerberosEncryptionType RC4,AES128,AES256
    Where:
    • USER_NAME is the name of the user object.
    • USER_GIVEN_NAME is the user’s given name.
    • USER_SAMACCOUNTNAME is the user’s Security Account Manager (SAM) name.
    • USER_NAME@DNS_DOMAIN_NAME is the user’s user principal name (UPN).
    • X_500_PATH is the X.500 path of the OU or container where the new object is created (for example, DC=EXAMPLE,DC=COM).
    • PASSWORD is the password to use for the account.
    The following CLI example has a user name of example, a SAM name of example, a given name of PrismaAccess EP Service User, a UPN of example@exmp.com, a path of DC=EXMP,DC=COM, and a password of Ex@mple123:
    New-ADUser -Name "example" -GivenName "PrismaAccess EP Service User" -SamAccountName "example" -UserPrincipalName "example@exmp.com" -Path "DC=EXMP,DC=COM" -AccountPassword (ConvertTo-SecureString "Ex@mple123" -AsPlainText -Force) -Enabled $true -KerberosEncryptionType RC4,AES128,AES256
    The previous command includes RC4 in the account's allowed Kerberos encryption types. The RC4-HMAC key is the account's NT hash (an unsalted MD4 of the password), so it is far weaker than the AES types and is the usual target for offline cracking of service tickets. Follow your organization’s security policies and guidelines to include or exclude RC4 in this command; if you exclude it here, also remove the arcfour-hmac entries from the keytabs in Step 6.
  3. Enter the following command to prevent the password from expiring and to prevent it from being changed:
    Get-ADUser USER_NAME | Set-ADUser -PasswordNeverExpires:$true -CannotChangePassword:$true
    Follow your organization’s security policies and guidelines for password expiration and rotation policies.
  4. Enter the following command to display the newly created user account together with its key version number (KVNO):
    Get-ADUser USER_NAME -Properties msDS-KeyVersionNumber
    The msDS-KeyVersionNumber value is the KVNO recorded in every keytab entry cut for this account. AD increments it each time the account password is set, including each ktpass -pass run in the next step, so read it again after the last ktpass run and compare it with the KVNO column that ktutil and klist display in Step 6.
  5. Associate the SPNs and export keytab files to use with Kerberos authentication in your Windows AD.
    A keytab file allows Explicit Proxy to validate the Kerberos authentication tokens presented in traffic flows from users, servers, IoT devices, or other headless machines. To create the keytab files, Explicit Proxy requires that the values you retrieved using the API in Step 1 be registered as ServicePrincipalNames (SPNs) on the user account you created in Step 2.
    Use the ep_geo_lb_fqdn, ep_geo_lb_cname, and ep_regional_fqdn values. Registering all of them allows Explicit Proxy to authenticate traffic flows sent to any of these proxy names.
    1. Generate and export a keytab using the ep_geo_lb_fqdn value as the service principal name (SPN) by entering the following commands:
      ktpass -princ HTTP/ep_geo_lb_fqdn@REALM -mapuser DOMAIN\USER_NAME -ptype KRB5_NT_PRINCIPAL -crypto all -pass PASSWORD -out KEYTAB_NAME_1.keytab
      Where:
      • ep_geo_lb_fqdn is the ep_geo_lb_fqdn value returned from the Explicit Proxy API script.
      • REALM is the realm (for example, EXMP.COM).
        In most cases, you enter the realm using uppercase letters.
      • DOMAIN\USER_NAME is the domain-level logon name (for example, EXMP\example).
      • PASSWORD is the password to use for the keytab. ktpass -pass resets the account password to this value, so it does not have to match the password you set with New-ADUser, but it must be the same value you use for the ep_geo_lb_cname and ep_regional_fqdn SPNs in the next steps: each ktpass run resets the account password again, and a different value would invalidate the keys exported by the earlier runs.
      • KEYTAB_NAME_1 is the name of the keytab. The keytab name must be unique to this SPN.
      Be sure to follow the best practices for creating SPNs and passwords.
      The following CLI example has an ep_geo_lb_fqdn of example.proxy.prismaaccess.com, a REALM of EXMP.COM, a DOMAIN\USER_NAME of EXMP\example, a PASSWORD of Ex@mple123, and an exported keytab name of exmp1.keytab:
      ktpass -princ HTTP/example.proxy.prismaaccess.com@EXMP.COM -mapuser EXMP\example -ptype KRB5_NT_PRINCIPAL -crypto all -pass Ex@mple123 -out exmp1.keytab
    2. Generate and export a keytab using the ep_geo_lb_cname value as the SPN by entering the following commands:
      ktpass -princ HTTP/ep_geo_lb_cname@REALM -mapuser DOMAIN\USER_NAME -ptype KRB5_NT_PRINCIPAL -crypto all -pass PASSWORD -out KEYTAB_NAME_2.keytab
      Where:
      • ep_geo_lb_cname is the ep_geo_lb_cname value returned from the Explicit Proxy API script.
      • REALM is the realm (for example, EXMP.COM).
      • DOMAIN\USER_NAME is the domain-level logon name (for example, EXMP\example).
      • PASSWORD is the password to use for the keytab. This password must match the ep_geo_lb_fqdn and ep_regional_fqdn SPN passwords.
      • KEYTAB_NAME_2 is the name of the keytab you want to export. This name should be different than the other SPN keytab names you create.
      The following CLI example has an ep_geo_lb_cname of prisma-abcde12345.proxy.prismaaccess.com, a REALM of EXMP.COM, a DOMAIN\USER_NAME of EXMP\example, a PASSWORD of Ex@mple123, and an exported keytab name of exmp2.keytab:
      ktpass -princ HTTP/prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM -mapuser EXMP\example -ptype KRB5_NT_PRINCIPAL -crypto all -pass Ex@mple123 -out exmp2.keytab
    3. Generate and export a keytab using the ep_regional_fqdn value as the SPN by entering the following commands:
      ktpass -princ HTTP/ep_regional_fqdn@REALM -mapuser DOMAIN\USER_NAME -ptype KRB5_NT_PRINCIPAL -crypto all -pass PASSWORD -out KEYTAB_NAME_3.keytab
      Where:
      • ep_regional_fqdn is the ep_regional_fqdn value returned from the Explicit Proxy API script.
      • REALM is the realm (for example, EXMP.COM).
      • DOMAIN\USER_NAME is the domain-level logon name (for example, EXMP\example).
      • PASSWORD is the password to use for the keytab. This password must match the ep_geo_lb_fqdn and ep_geo_lb_cname SPN passwords.
      • KEYTAB_NAME_3 is the name of the keytab you want to export. This name should be different than the other SPN keytab names you create.
      The following CLI example has an ep_regional_fqdn of us-west-2.prisma-abcde12345.proxy.prismaaccess.com, a REALM of EXMP.COM, a DOMAIN\USER_NAME of EXMP\example, a PASSWORD of Ex@mple123, and an exported keytab name of exmp3.keytab:
      ktpass -princ HTTP/us-west-2.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM -mapuser EXMP\example -ptype KRB5_NT_PRINCIPAL -crypto all -pass Ex@mple123 -out exmp3.keytab
    4. (Optional) If you have additional locations that use different ep_regional_fqdn values, and you want to create keytabs for those locations, generate and export one or more additional keytabs by repeating Step 5.c, using the ep_regional_fqdn value for those locations.
      Create a unique keytab name for each unique ep_regional_fqdn. For example, if the ep_regional_fqdn for another location is us-east-2.prisma-abcde12345.proxy.prismaaccess.com, enter the following sample CLI with a unique exported keytab file name:
      ktpass -princ HTTP/us-east-2.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM -mapuser EXMP\example -ptype KRB5_NT_PRINCIPAL -crypto all -pass Ex@mple123 -out exmp4.keytab
  6. Delete unsupported ciphers from the keytabs you created by entering the following ktutil commands on a Linux host with the MIT Kerberos client tools installed (for example, the krb5-user package on Ubuntu).
    The following system output (ktutil list -e after rkt) shows the entries that ktpass -crypto all writes for one SPN. Slots 1 and 2 are the DES entries that must be removed; slot 3 is RC4-HMAC:
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
    1 3 HTTP/us-west-2.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM (des-cbc-crc)
    2 3 HTTP/us-west-2.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM (des-cbc-md5)
    3 3 HTTP/us-west-2.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM (arcfour-hmac)
    4 3 HTTP/us-west-2.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM (aes256-cts-hmac-sha1-96)
    5 3 HTTP/us-west-2.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM (aes128-cts-hmac-sha1-96)
    # display the entries in every keytab with KVNO and encryption type, and note the
    # entry numbers of the DES-CBC-MD5 and DES-CBC-CRC entries to remove.
    # Also decide whether to keep or remove RC4-HMAC based on your organization’s policy.
    # (klist -K would also print the raw key bytes to the terminal; leave it out.)
    for i in KEYTAB_NAME*.keytab; do echo "$i"; klist -k -t -e "$i"; done
    
    # cleanup unsupported ciphers
    # entry #1 is typically des-cbc-crc
    # entry #2 is typically des-cbc-md5
    # entry #3 is typically arcfour-hmac
    # Delete the highest-numbered entry first: ktutil renumbers the remaining
    # slots after every delent. To remove RC4-HMAC as well, enter delent 3
    # before delent 2 in each block below. Run list -e before wkt to confirm
    # that only the intended entries remain.
    
    ktutil
    rkt KEYTAB_NAME_1.keytab
    delent 2
    delent 1
    wkt new1.keytab
    quit
    
    ktutil
    rkt KEYTAB_NAME_2.keytab
    delent 2
    delent 1
    wkt new2.keytab
    quit
    
    ktutil
    rkt KEYTAB_NAME_3.keytab
    delent 2
    delent 1
    wkt new3.keytab
    quit
    Where KEYTAB_NAME_1.keytab, KEYTAB_NAME_2.keytab, and KEYTAB_NAME_3.keytab are the keytabs you created in the previous step.
  7. (Optional) If you created more keytabs for other regions, remove unsupported ciphers on those keytabs by entering the previous ktutil command, substituting KEYTAB_NAME_1.keytab with the keytab name you used for the region or regions and specifying a different output file (for example, new4.keytab, new5.keytab, and so on).
  8. Merge the keytabs you created by entering the following ktutil commands, where new1.keytab, new2.keytab, and new3.keytab are the keytabs you created in the previous step. Each rkt adds that file's entries to the same in-memory list, and wkt writes all of them to one file. Be sure to include all the region-specific keytabs in this command:
    ktutil
    rkt new1.keytab
    rkt new2.keytab
    rkt new3.keytab
    # if you created any additional region-specific keytab files, add them here.
    wkt papxv1.keytab
    quit
    When complete, use the merged keytab (papxv1.keytab in this example) as the keytab for Explicit Proxy. It contains the long-term keys for the service account, so treat it like a credential: restrict file permissions, transfer it only over a protected channel, and delete the intermediate keytabs and any copies left on the ktpass host once the merged file is in place.
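Before you upload the merged keytab, it helps to see exactly what is in it and to confirm that Steps 6 and 8 did what you intended. The following Python script is an added example written for this page; it is not Palo Alto Networks code and not a replacement for ktutil. It parses the MIT keytab format (version 0x0502) that ktpass writes and ktutil reads, applies the Step 6 cipher removal and the Step 8 merge to three constructed keytabs that use this page's example SPNs, and then checks the result for leftover DES entries, missing SPNs, mixed KVNOs, and the 60 KB size guidance. The DES/RC4/AES entry layout, the KVNO of 3, the timestamp, and the key bytes are constructed for the demo.

```python
"""Inspect, filter and merge Kerberos keytabs in the MIT 0x0502 format that ktpass
writes and ktutil reads, with no krb5 install needed. Added example for this page,
not Palo Alto Networks code; the SPNs, KVNO and key bytes below are constructed."""
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}  # RFC 3961 numbers
UNSUPPORTED = {1, 3}          # DES types: always removed in Step 6
RC4 = 23                      # arcfour-hmac: keep or remove per your policy
MAX_KEYTAB_BYTES = 60 * 1024  # size guidance from this page
REALM = "EXMP.COM"
SPNS = ["example.proxy.prismaaccess.com",                      # ep_geo_lb_fqdn
        "prisma-abcde12345.proxy.prismaaccess.com",            # ep_geo_lb_cname
        "us-west-2.prisma-abcde12345.proxy.prismaaccess.com"]  # ep_regional_fqdn

def parse_keytab(data):
    """Decode keytab bytes into entry dicts (what ktutil 'rkt' + 'list -e' shows)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]
        pos += 4
        if size <= 0:                  # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack(">H", data[pos:pos + 2])[0]
        pos += 2
        strs = []                      # realm first, then the name components
        for _ in range(ncomp + 1):
            n = struct.unpack(">H", data[pos:pos + 2])[0]
            strs.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        name_type, ts, vno8, etype, klen = struct.unpack(">IIBHH", data[pos:pos + 13])
        key = data[pos + 13:pos + 13 + klen]
        pos += 13 + klen
        kvno = vno8
        if end - pos >= 4:             # optional 32-bit kvno wins when nonzero
            kvno = struct.unpack(">I", data[pos:pos + 4])[0] or vno8
        pos = end
        entries.append({"realm": strs[0], "components": strs[1:], "name_type": name_type,
                        "timestamp": ts, "kvno": kvno, "enctype": etype, "key": key})
    return entries

def serialize_keytab(entries):
    """Encode entries back to keytab bytes (what ktutil 'wkt' does)."""
    out = [b"\x05\x02"]
    for e in entries:
        body = struct.pack(">H", len(e["components"]))
        for s in [e["realm"]] + e["components"]:
            body += struct.pack(">H", len(s.encode())) + s.encode()
        body += struct.pack(">IIBHH", e["name_type"], e["timestamp"], e["kvno"] & 0xFF,
                            e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])
        out.append(struct.pack(">i", len(body)) + body)
    return b"".join(out)

def principal(e):
    return "/".join(e["components"]) + "@" + e["realm"]

def strip_weak(entries, drop_rc4=True):
    """Step 6 in one pass: drop every DES entry and, by default, RC4 as well."""
    drop = UNSUPPORTED | ({RC4} if drop_rc4 else set())
    return [e for e in entries if e["enctype"] not in drop]

def merge(*keytabs):
    """Step 8: one keytab with every entry from all inputs, exact duplicates dropped."""
    merged = []
    for e in (e for entries in keytabs for e in entries):
        if e not in merged:
            merged.append(e)
    return merged

def check_keytab(data, required_spns):
    """Pre-upload checks; returns a list of problems (empty means ready)."""
    entries = parse_keytab(data)
    problems = [f"{principal(e)} still has {ENCTYPES[e['enctype']]}"
                for e in entries if e["enctype"] in UNSUPPORTED]
    present = {principal(e) for e in entries}
    problems += [f"missing SPN {s}" for s in required_spns if s not in present]
    if len(data) > MAX_KEYTAB_BYTES:
        problems.append(f"keytab is {len(data)} bytes, above the 60 KB guidance")
    if len({e["kvno"] for e in entries}) > 1:  # one account, so one KVNO expected
        problems.append("mixed KVNOs: re-check msDS-KeyVersionNumber after the last ktpass")
    return problems

def sample_keytab(spn, kvno=3):
    """Constructed stand-in for 'ktpass -crypto all' output: DES, RC4 and AES entries."""
    return [{"realm": REALM, "components": ["HTTP", spn], "name_type": 1, "timestamp": 1700000000,
             "kvno": kvno, "enctype": et, "key": bytes([et]) * n}
            for et, n in ((1, 8), (3, 8), (23, 16), (18, 32), (17, 16))]

def build_demo(drop_rc4=True):
    """Run Steps 6 and 8 over three constructed keytabs; return (keytab bytes, problems)."""
    cleaned = [strip_weak(parse_keytab(serialize_keytab(sample_keytab(s))), drop_rc4)
               for s in SPNS]
    data = serialize_keytab(merge(*cleaned))
    return data, check_keytab(data, [f"HTTP/{s}@{REALM}" for s in SPNS])

if __name__ == "__main__":
    data, problems = build_demo()
    for e in parse_keytab(data):
        print(f"{e['kvno']:>4} {principal(e)} ({ENCTYPES.get(e['enctype'], e['enctype'])})")
    print("problems:", problems or "none")
```

To check a real file, read papxv1.keytab as bytes and call check_keytab with the HTTP/…@REALM principals built from the values the API returned in Step 1; an empty list means no DES entries remain, every SPN is present, all entries share one KVNO, and the file is within the size guidance.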