>
    Configure Kerberos Authentication for Explicit Proxy Deployments
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access Mobile Users
    4. Mobile Users: Explicit Proxy
    5. Kerberos Authentication for Explicit Proxy Deployments
    6. Configure Kerberos Authentication for Explicit Proxy Deployments
    Download PDF
    Prisma Access

    Configure Kerberos Authentication for Explicit Proxy Deployments

    Table of Contents

    Configure Kerberos Authentication for Explicit Proxy Deployments

    Find out how to configure Kerberos authentication for Explicit Proxy on Prisma Access.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama)
    • Prisma Access license

    Configure Kerberos Authentication for Explicit Proxy Deployments (Strata Cloud Manager)

    1. Set up a Kerberos authentication profile.
      The profile defines how Explicit Proxy connects to the Kerberos server for mobile user authentication.
      1. Go to ManageConfigurationIdentity ServicesAuthenticationAuthentication Profiles and Add Profile.
        If you're using Strata Cloud Manager, go to ManageConfigurationNGFW and Prisma AccessIdentity ServicesAuthenticationAuthentication Profiles and Add Profile.
      2. Select the Authentication Method: Kerberos.
      3. Enter the Profile Name to identify the server profile.
        The authentication profile specifies the server profile that the portal or gateways use when they authenticate users.
      4. Enter the Kerberos Realm (up to 127 characters) to specify the hostname portion of the user login name. For example, the user account name user@EXMP.COM has the realm EXMP.COM.
      5. Import the Kerberos Keytab (Import Keytab) youcreated earlier.
      6. Add the Users Allowed to Authenticate with this profile.
        • To select all users, Match all.
        • If you’re using the Cloud Identity Engine to populate the list of users, select the users from a list, or select all to allow all users to authenticate.
        • To add local users that can log in using Kerberos, Add Local User, add the Name, and create a Password.
          • When configuring user authentication and user mapping, use a format of userPrincipalName (UPN); other formats (such as samAccountName) are not supported.
          • Unicode character usernames are not supported.
      7. Save your changes.
    2. Associate the authentication profile with an authentication method.
      1. Go to ManageService SetupExplicit ProxyUser Authentication.
        If you're using Strata Cloud Manager, go to WorkflowsPrisma Access SetupExplicit ProxyUser Authentication.
      2. Select the Connection Name.
      3. Select an Authentication Method of Kerberos and select the Kerberos Profile you created.
      4. Save your changes.
    3. (Optional) Add the egress IP addresses of the branch or campus location where your users, servers, IoT devices, or headless machines are located to the list of trusted Explicit Proxy addresses.
      You need to do this only if you want to Skip Authentication for specific IP addresses or Use X-Authenticated User (XAU) header on incoming HTTP/HTTPS requests for identity.
      1. Go to ManageService SetupExplicit ProxyAdvanced Security Settings.
        If you're using Strata Cloud Manager, go to WorkflowsPrisma Access SetupExplicit ProxyAdvanced Security Settings.
      2. Add Address (one or more) to the Trusted Source Address field.
        If you do not add the egress endpoint IP addresses to the trusted list, Explicit Proxy forces users and machines to authenticate with SAML as well as Kerberos.
        Enter a maximum of 100,000 IP addresses.
      3. Save your changes.
    4. Create an allow-all policy rule for user authentication.
      1. Select ManageConfiguration NGFW and Prisma AccessSecurity ServicesSecurity PolicyAdd RulePre Rules..
      2. Name the rule.
      3. Set all required match criteria to Any.
      4. Set Users to Known
      5. Set Action to Allow.
      6. Save the rule.
    5. Push your configuration changes.
    6. Verify that Kerberos authentication is working with Prisma Access by viewing the traffic and authentication logs.
      1. (Decrypted traffic only) Go to ActivityLog ViewerFirewall/Traffic and check that the Kerberos authentication is working.
        If you're using Strata Cloud Manager, go to Incidents & AlertsLog ViewerFirewall/Traffic.
        Decrypted traffic displays the user name in the traffic logs.
      2. (Undecrypted traffic only) Go to ActivityLog ViewerFirewall/Authentication and check that Kerberos authentication is working correctly.
        If you're using Strata Cloud Manager, go to Incidents & AlertsLog ViewerFirewall/Authentication.
        The following fields provide more information about the authentication event:
        • Object—The website the user was attempting to access before being redirected to Kerberos to authenticate.
        • Auth Event—The status of the authentication attempt.
          Authentication Success indicates that the authentication event was successful; Authentication Failure indicates that the attempt failed and generates a log.
        • Authentication Description—If the authentication attempt failed, additional information about the type of failure.
          For example, user not allowed indicates that the user or group is not allowed to use Kerberos to authenticate, possible because it was not added to the Allow List in the authentication profile.

    Configure Kerberos Authentication for Explicit Proxy Deployments (Panorama)

    Find out how to configure Kerberos authentication for Explicit Proxy on Prisma Access.
    1. Set up a Kerberos authentication profile.
      The profile defines how Explicit Proxy connects to the Kerberos server for mobile user authentication.
      1. Go to DeviceAuthentication Profile+ Add.
      2. Select the Type: Kerberos.
      3. Enter a Name to identify the authentication profile.
      4. Enter the Kerberos Realm (up to 127 characters) to specify the hostname portion of the user login name. For example, the user account name user@EXMP.COM has the realm EXMP.COM.
      5. Import the Kerberos Keytab you created earlier.
      6. Add users allowed to authenticate with this profile.
        • Select Advanced+ Add
        • To select all users, select all.
        • If you’re using the Cloud Identity Engine to populate the list of users, select the users from a list, or select all to allow all users to authenticate.
        • To add local users that can log in using Kerberos, type in their usernames.
          • When configuring user authentication and user mapping, use a format of userPrincipalName (UPN); other formats (such as samAccountName) are not supported.
          • Unicode character usernames are not supported.
      7. Save your changes.
    2. Associate the authentication profile with an authentication method.
      1. Go to PanoramaCloud ServicesConfiguration+ Configure.
      2. Set the Explicity Proxy FQDN.
      3. Select the Kerberos Profile you created.
      4. Select OK to save your changes.
    3. (Optional) Add the egress IP addresses of the branch or campus location where your users, servers, IoT devices, or headless machines are located to the list of trusted Explicit Proxy addresses.
      You need to do this only if you want to Skip Authentication for specific IP addresses or Use X-Authenticated User (XAU) header on incoming HTTP/HTTPS requests for identity.
      1. Go to PanoramaCloud ServicesConfigurationSettings gearAuthentication Settings.
      2. Add addresses to the Trusted Source Address field.
        If you do not add the egress endpoint IP addresses to the trusted list, Explicit Proxy forces users and machines to authenticate with SAML as well as Kerberos.
        Enter a maximum of 100,000 IP addresses.
      3. Select OK to save your changes.
    4. Create an allow-all policy rule for user authentication.
      1. Select PoliciesPre Rules + Add.
      2. Name the rule.
      3. Select Source
      4. Set Source User to known-user
      5. Set all other required values to Any.
      6. Select OK to save the rule.
    5. Commit and push your configuration changes.
    6. Verify that Kerberos authentication is working with Prisma Access by viewing the traffic and authentication logs.
      1. (Decrypted traffic only) Go to MonitorLogsTraffic and check that the Kerberos authentication is working.
        Decrypted traffic displays the user name in the traffic logs.
      2. (Undecrypted traffic only) Go to MonitorLogsAuthentication and check that Kerberos authentication is working correctly.
        The following fields provide more information about the authentication event:
        • Object—The website the user was attempting to access before being redirected to Kerberos to authenticate.
        • Auth Event—The status of the authentication attempt.
          Authentication Success indicates that the authentication event was successful; Authentication Failure indicates that the attempt failed and generates a log.
        • Authentication Description—If the authentication attempt failed, additional information about the type of failure.
          For example, user not allowed indicates that the user or group is not allowed to use Kerberos to authenticate, possibly because it was not added to the Allow List in the authentication profile.

    © 2024 Palo Alto Networks, Inc. All rights reserved.