Requirements and Recommendations for Deploying Kerberos for Explicit Proxy Deployments

Table of Contents

Filter

Expand All | Collapse All

Prisma Access Docs

Administration
Version
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Integrations
Incidents & Alerts
Release Notes
Version
- 5.2 Preferred and Innovation
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred

Kerberos Authentication for Explicit Proxy Deployments

Create a Kerberos Keytab

Requirements and Recommendations for Deploying Kerberos for Explicit Proxy Deployments

Where Can I Use This?	What Do I Need?
Prisma Access (Managed by Strata Cloud Manager)	Prisma Access license Minimum Required Dataplane Version: PAN-OS 10.1.3 or later versions

Before you create a Kerberos keytab to implement Kerberos in an Explicit Proxy deployment, make sure that your Kerberos deployment has the following requirements and prerequisites:

Update your dataplane to PAN-OS 10.1.3 or later versions.
Make sure that you have a Kerberos account that you can use for Prisma Access to authenticate servers or devices.
An account is required to create a Kerberos keytab, which is a file that contains the principal name and encrypted Kerberos password.
Make sure that the servers and endpoints are domain-joined, which allows users and machines to securely connect to their work domain using their work network credentials.
Make sure that you forward Kerberos authentication traffic to port 8081 in the mobile users’ PAC file or in your proxy settings on the endpoint or servers.
Explicit Proxy uses port 8081 for Kerberos authentication and port 8080 for SAML authentication.
Make sure that your Kerberos administrator has the ability to create and export keytabs.
Make sure that you have the egress IP addresses of the branch or campus location where your servers, IoT devices, or headless machines are located.
You add these IP addresses to the list of addresses that are trusted by Explicit Proxy.
Follow best practices for Kerberos user authentication and creation.
It is the Kerberos account administrator’s responsibility to follow best practices to protect their Kerberos environment and prevent passwords from being compromised. Use the following best practices when creating the user accounts, password, and ServicePrincipalNames (SPNs).
Kerberos User Account Creation Best Practices:
- Do not reuse admin user accounts.
  Create a unique account name for the Kerberos account to be used with Prisma Access Explicit Proxy.
- Do not share this account with any other service; use a dedicated user account for Prisma Access Explicit Proxy.
- Ensure that the user cannot change the password for the Kerberos account.
- When selecting Kerberos account options, deselect Use Kerberos DES encryption types for this account and Do not require Kerberos preauthentication.
- Enable AES-128 and AES-256 bit encryption.
- Disable delegation for users.
- Deny the ability to log in to a remote desktop session.
- Do not enable remote control.
- Do not allow users to start programs at logon.
- You can specify users or user groups in the allow list of the Authentication profile you create to limit authentication to only the users or machines that have legitimate business needs.
SPN and Keytab Best Practices:
- Make sure that the SPN is not associated with multiple user accounts, which could cause duplicate SPN failures.
- RC4-HMAC-NT uses a weak NTML hash. Follow your organization’s security policies and guidelines to include or exclude the RC5 cipher.
- The DES-CBC-CRC and DES-CBC-MD5 ciphers have been deprecated and are not supported by Prisma Access.
- Rotate the password for the SPN on a regular basis. Follow your organization’s security policies and guidelines for password rotation.
- Follow your organization’s practices for password complexity (for example, create the SPN passwords in a truly random fashion that are not human readable and guessable).
- If you change the password for the service user, or change any other attributes, update and re-generate the new keytab and upload it to Prisma Access.
- If you onboard a new PA region, you must generate a new keytab for that region, as shown in the following steps.
The following example output shows an account that was created using Kerberos best practices.
```
PS C:\Users\Administrator> 

Get-ADUser example -Properties "*"

AccountNotDelegated  : True
AllowReversiblePasswordEncryption    : False
CannotChangePassword                 : True
CN                                   : example
Deleted                              :
DoesNotRequirePreAuth                : False
Enabled                              : True
GivenName                            : PrismaAccess EP Service User
KerberosEncryptionType               : {AES128, AES256}
msDS-SupportedEncryptionTypes        : 24
Name                                 : example
PasswordExpired                      : False
PasswordNeverExpires                 : True
PasswordNotRequired                  : False
PrincipalsAllowedToDelegateToAccount : {}
ProtectedFromAccidentalDeletion      : True
SamAccountName                       : example
servicePrincipalName                 : {HTTP/us-west-2.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM, HTTP/us-east-2.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM, HTTP/us-south-1.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM}
ServicePrincipalNames                : {HTTP/us-west-2.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM,
HTTP/us-east-2.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM, HTTP/us-south-1.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM}
SmartcardLogonRequired               : False
TrustedForDelegation                 : False
TrustedToAuthForDelegation           : False
UseDESKeyOnly                        : False
UserPrincipalName                    : HTTP/us-south-1.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM
```