Kerberos for Internal Gateway for Windows
GlobalProtect clients running on Windows 7, 8, or 10 now support Kerberos V5 single sign-on (SSO) for GlobalProtect portal and gateway authentication. A network that supports Kerberos SSO prompts users to log in only for initial access to the GlobalProtect portal or gateway. After initial login, users can access any browser-based service in the network (for example, webmail) without having to log in again until the SSO session expires. (The Kerberos administrator sets the duration of SSO sessions.)
In this implementation, the GlobalProtect portal and gateway act as Kerberos service principals and the GlobalProtect agent acts as a user principal to authenticate the user with a Kerberos service ticket from the Key Distribution Center (KDC).
Kerberos SSO is primarily intended for internal gateway deployments to provide accurate User-ID information transparently without user interaction. Using Kerberos SSO to authenticate remote users that connect to external gateways is supported but is not widely used because such a deployment requires you to host your authentication infrastructure in a DMZ.
If you enable both Kerberos SSO and external authentication services (for example, a RADIUS server), GlobalProtect tries SSO first. You can configure GlobalProtect to fall back to an external service for authentication when SSO fails or you can configure GlobalProtect to use only Kerberos SSO for authentication.
To support Kerberos SSO, your network requires the following:
- A Kerberos infrastructure, including a KDC with an authentication server (AS) and ticket-granting service (TGS). To use Kerberos SSO for external gateway authentication, you must also deploy the Kerberos infrastructure in a DMZ.
- A Kerberos service account for each GlobalProtect portal and gateway that authenticates users. The account is required to create a Kerberos keytab, a file that contains the principal name and hashed password of the device. The SSO process requires the keytab.
Use the following procedure to configure Kerberos SSO for GlobalProtect.
Configure Kerberos Single Sign-On for GlobalProtect
Step 1. Create a Kerberos keytab.
Log in to the KDC and open a command prompt. Enter the following command, where <principal_name>, <password>, and <algorithm> are variables. The Kerberos principal name and password are those configured for the GlobalProtect portal or gateway, not for the user.
ktpass /princ <principal_name> /pass <password> /crypto <algorithm> /ptype KRB5_NT_PRINCIPAL /out <file_name>.keytab
If the GlobalProtect portal or gateway is in FIPS or CC mode, the algorithm must be aes128-cts-hmac-sha1-96 or aes256-cts-hmac-sha1-96. If the portal or gateway is not in FIPS or CC mode, you can also use des3-cbc-sha1 or arcfour-hmac. To use an Advanced Encryption Standard (AES) algorithm, the functional level of the KDC must be Windows Server 2008 or later and you must enable AES encryption for the device account. The algorithm in the keytab must match the algorithm in the service ticket that the TGS issues to clients. (The Kerberos administrator determines which algorithms the service tickets use.)
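The two things that go wrong at this step are an algorithm the device mode forbids and a keytab whose principal or encryption type does not match what the portal or gateway will see in the service ticket. The following Python, added here as an illustration and not Palo Alto Networks code, builds the ktpass argument list while enforcing the FIPS/CC rule stated above, then parses the resulting keytab (ktpass writes the MIT version 0x0502 keytab layout) and reports the principal and encryption type so you can compare them with the service ticket before importing the file. The mapping from the Kerberos etype names used on this page to ktpass /crypto keywords, the "HTTP" service class, the hostnames and the sample keytabs are my assumptions and constructed data, not values from the page.

```python
"""Build the ktpass command for a GlobalProtect portal/gateway keytab and verify
the keytab that comes back (added example, not product code)."""
import struct

# Kerberos etype numbers (IANA registry) for the algorithms the page names.
ETYPE_NAMES = {16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
# Per the page: FIPS/CC mode permits only the AES algorithms.
FIPS_CC_ALLOWED = {"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}
NON_FIPS_ALLOWED = FIPS_CC_ALLOWED | {"des3-cbc-sha1", "arcfour-hmac"}
# Assumption: the ktpass /crypto keyword for each etype. ktpass offers no
# keyword for des3-cbc-sha1, so that algorithm cannot be requested here.
KTPASS_CRYPTO = {"aes128-cts-hmac-sha1-96": "AES128-SHA1",
                 "aes256-cts-hmac-sha1-96": "AES256-SHA1",
                 "arcfour-hmac": "RC4-HMAC-NT"}


def build_ktpass_command(principal, password, algorithm, out_file, fips_cc_mode):
    """Return the ktpass argument list, rejecting algorithms the device mode forbids."""
    allowed = FIPS_CC_ALLOWED if fips_cc_mode else NON_FIPS_ALLOWED
    if algorithm not in allowed:
        raise ValueError(f"{algorithm} is not permitted in this device mode")
    if algorithm not in KTPASS_CRYPTO:
        raise ValueError(f"no ktpass /crypto keyword known for {algorithm}")
    return ["ktpass", "/princ", principal, "/pass", password,
            "/crypto", KTPASS_CRYPTO[algorithm],
            "/ptype", "KRB5_NT_PRINCIPAL", "/out", out_file]


def _counted(data, pos):
    """Read a 16-bit length-prefixed string at pos; return (text, next_pos)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def parse_keytab(data):
    """Parse a version 0x0502 keytab (the format ktpass writes); keys are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp)
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        etype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen                  # skip past the key material
        if end - pos >= 4:                # optional 32-bit kvno supersedes the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "etype": ETYPE_NAMES.get(etype, f"etype-{etype}"),
                        "kvno": kvno})
    return entries


def check_keytab(data, expected_principal, fips_cc_mode):
    """Return a list of problems; an empty list means the keytab is usable."""
    allowed = FIPS_CC_ALLOWED if fips_cc_mode else NON_FIPS_ALLOWED
    problems = []
    for e in parse_keytab(data):
        if e["principal"] != expected_principal:
            problems.append(f"unexpected principal {e['principal']}")
        if e["etype"] not in allowed:
            problems.append(f"{e['etype']} is not permitted in this device mode")
    return problems


def _entry(realm, comps, etype, key, kvno):
    """Encode one keytab entry; used only to build the constructed samples below."""
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)     # KRB5_NT_PRINCIPAL, timestamp 0
    body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed samples. The "HTTP" service class and hostname are assumptions.
GATEWAY_PRINCIPAL = "HTTP/gp-gw1.example.com@EXAMPLE.COM"
AES_KEYTAB = b"\x05\x02" + _entry("EXAMPLE.COM", ["HTTP", "gp-gw1.example.com"], 18, bytes(32), 3)
RC4_KEYTAB = b"\x05\x02" + _entry("EXAMPLE.COM", ["HTTP", "gp-gw1.example.com"], 23, bytes(16), 3)
```

Run check_keytab over the file ktpass produced, with fips_cc_mode set to match the portal or gateway, before importing it in Step 2; a non-empty result means the keytab will not be usable, and an etype that differs from the one in the tickets the TGS issues means SSO will fail even though the import succeeds. The key bytes are deliberately never decoded or printed, since the keytab is equivalent to the device's password.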
Step 2. Import the keytab into an authentication profile.
When you use this authentication profile for GlobalProtect gateway or portal authentication, or include it in an authentication sequence, the portal and gateway challenge the GlobalProtect agent for a Kerberos service ticket.
- Configure an authentication profile.
- Configure the authentication profile settings (Name, Location, Type, User Domain, and Username Modifier). If Kerberos authentication fails, you can also configure GlobalProtect to authenticate using the credentials according to the Type specified here. For more information about enabling Kerberos authentication fallback, see Step 5.
- In the Single Sign-On settings, enter the Kerberos Realm (usually the DNS domain to which users belong, except that the realm is uppercase).
- Import the Kerberos Keytab you created in Step 1.
Step 3. Assign the authentication profile to internal gateways.
If your Kerberos authentication infrastructure is deployed in a DMZ, you can also assign the authentication profile to external gateways. Configure GlobalProtect Gateways:
- Select Network > GlobalProtect > Gateways and then select an existing gateway configuration or Add a new one.
- Select Authentication and then select an existing client authentication configuration or Add a new one.
- Configure the Name, OS, the Kerberos Authentication Profile that you configured in Step 2, and the Authentication Message to display when the user logs in.
Step 4. Assign the authentication profile to the GlobalProtect portal authentication configuration.
Configure the GlobalProtect Portal:
- Select Network > GlobalProtect > Portals and then select an existing portal configuration or Add a new one.
- Select Authentication and then select an existing client authentication configuration or Add a new one.
- Configure the Name, OS, the Kerberos Authentication Profile that you configured in Step 2, and the Authentication Message to display when the user logs in.
Step 5. Configure the behavior when Kerberos SSO fails.
Customize the GlobalProtect Agent:
- Select the Agent tab of a GlobalProtect portal configuration and select an existing agent configuration or Add a new one.
- Select the App tab and, in the App Configurations settings, specify whether to (New) Use Default Authentication on Kerberos Authentication Failure (Windows Only):
  Yes: Enables authentication fallback so that GlobalProtect can authenticate users with their username and password as determined by the authentication Type specified in the authentication profile (Local Database, RADIUS, LDAP, or TACACS+) if Kerberos authentication fails.
  No: Forces GlobalProtect to use only Kerberos to authenticate users.
- Click OK and then click OK again.
Step 6. Save your changes.
Commit your changes.