Test a Kerberos Authentication Profile
The following example shows how to test a Kerberos profile named Kerberos-Profile for a user named User5-Kerberos and how to troubleshoot error conditions that arise. For details on using the test authentication command, see Run the Test Authentication Command.
Kerberos Authentication Profile Test Example
On the PAN-OS firewall, Configure a Kerberos Server Profile and then Configure an authentication profile. In the authentication profile, select the new Kerberos server profile in the Server Profile drop-down.
Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
(Firewalls with virtual systems configured) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command can locate the user (a GlobalProtect or Captive Portal user, for example) in the correct vsys. To define the target vsys:
admin@PA-3060> set system setting target-vsys <vsys-name>
For example, if the user is defined in vsys2, run the following command:
admin@PA-3060> set system setting target-vsys vsys2
The target-vsys setting applies only to the current login session, so the firewall clears it when you log off.
Run the following CLI command:
admin@PA-3060> test authentication authentication-profile Kerberos-Profile username User5-Kerberos password
When prompted, enter the password for the User5-Kerberos account. The following output shows that the test failed:
Do allow list check before sending out authentication request...
name "User5-Kerberos" is in group "all"
Authentication to KERBEROS server at '10.5.104.99' for user 'User5-Kerberos'
Realm: 'Bad-MGMT-GROUP.LOCAL'
Egress: 10.5.104.98
KERBEROS configuration file is created
KERBEROS authcontext is created. Now authenticating ...
Kerberos principal is created
Sending authentication request to KDC...
Authentication failure: Wrong realm: 'Bad-MGMT-GROUP.LOCAL' (code: -1765328316)
Authentication failed against KERBEROS server at 10.5.104.99:88 for user "User5-Kerberos"
Authentication failed for user "User5-Kerberos"
In this case, the output shows Wrong realm, which indicates that the Kerberos realm configured on the firewall has an incorrect value. The code -1765328316 is the libkrb5 error KRB5KDC_ERR_WRONG_REALM, returned by the KDC itself, so the request did reach the KDC; the output also records which KDC (10.5.104.99:88) and which egress address (10.5.104.98) the firewall used, which is what you check first when a failure is a connectivity problem rather than a configuration error.
To resolve this issue, correct the Realm value in the authentication profile so that it matches the realm name configured on the Kerberos server (KDC). On the firewall, select Device > Authentication Profiles and modify the profile named Kerberos-Profile. In the Kerberos Realm field, enter the correct value. In this case, the correct realm is mgmt-group.local. Click OK to save the change, then commit.
Run the test command again. The following output shows that the test is successful:
Do allow list check before sending out authentication request...
name "User5-Kerberos" is in group "all"
Authentication to KERBEROS server at '10.5.104.99' for user 'User5-Kerberos'
Realm: 'MGMT-GROUP.LOCAL'
Egress: 10.5.104.98
KERBEROS configuration file is created
KERBEROS authcontext is created. Now authenticating ...
Kerberos principal is created
Sending authentication request to KDC...
Authentication succeeded!
Authentication succeeded for user "User5-Kerberos"
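When the test authentication command is run from an automation job over SSH rather than by hand, the job has to decide from the output whether a failure is a realm, password, account or clock problem. The following Python parser is an added example, not part of the PAN-OS documentation or firewall: it extracts the KDC address, realm, egress address and outcome from the test output and maps the libkrb5 error code to its symbolic name (the -1765328316 in the failed run above is KRB5KDC_ERR_WRONG_REALM). The two sample outputs are the ones shown on this page; the error-code table is a small subset of libkrb5's codes, and the check that the realm is uppercase reflects Kerberos naming convention, not a PAN-OS requirement.

```python
"""Parse PAN-OS 'test authentication' output for a Kerberos profile (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# libkrb5 numbers its protocol errors as KRB5KDC_ERR_NONE (-1765328384) plus the
# Kerberos error number from RFC 4120. Only a few commonly seen codes are listed.
KRB5_ERR_BASE = -1765328384
KRB5_ERROR_NAMES = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",  # user principal not in the KDC database
    18: "KRB5KDC_ERR_CLIENT_REVOKED",      # account disabled or locked out
    23: "KRB5KDC_ERR_KEY_EXP",             # password expired
    24: "KRB5KDC_ERR_PREAUTH_FAILED",      # wrong password
    37: "KRB5KRB_AP_ERR_SKEW",             # clock skew between firewall and KDC
    68: "KRB5KDC_ERR_WRONG_REALM",         # profile realm does not match the KDC realm
}

SERVER_RE = re.compile(r"Authentication to KERBEROS server at '([^']+)' for user '([^']+)'")
REALM_RE = re.compile(r"Realm: '([^']*)'")
EGRESS_RE = re.compile(r"Egress: (\S+)")
FAILURE_RE = re.compile(r"Authentication failure: (.*?) \(code: (-?\d+)\)")


@dataclass
class KerberosTestResult:
    user: Optional[str] = None
    server: Optional[str] = None
    realm: Optional[str] = None
    egress: Optional[str] = None
    succeeded: bool = False
    failure_message: Optional[str] = None
    krb5_code: Optional[int] = None

    @property
    def krb5_error_name(self) -> Optional[str]:
        if self.krb5_code is None:
            return None
        return KRB5_ERROR_NAMES.get(self.krb5_code - KRB5_ERR_BASE, "UNKNOWN_KRB5_ERROR")


def parse_test_output(text: str) -> KerberosTestResult:
    """Extract KDC, user, realm, egress address and outcome from the CLI output."""
    result = KerberosTestResult()
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVER_RE.search(line)
        if m:
            result.server, result.user = m.group(1), m.group(2)
            continue
        m = REALM_RE.search(line)
        if m:
            result.realm = m.group(1)
            continue
        m = EGRESS_RE.search(line)
        if m:
            result.egress = m.group(1)
            continue
        m = FAILURE_RE.search(line)
        if m:
            result.failure_message, result.krb5_code = m.group(1), int(m.group(2))
            continue
        if line.startswith("Authentication succeeded"):
            result.succeeded = True
    return result


def realm_warnings(result: KerberosTestResult) -> List[str]:
    """Flag realm problems that the test output itself reveals."""
    warnings = []
    if result.realm is not None and result.realm != result.realm.upper():
        # Realm names are case-sensitive and by convention all uppercase.
        warnings.append(f"realm '{result.realm}' is not uppercase")
    if result.krb5_error_name == "KRB5KDC_ERR_WRONG_REALM":
        warnings.append("KDC rejected the realm; compare the profile realm with the KDC realm")
    return warnings


# The failed and successful runs shown on this page (User5-Kerberos against 10.5.104.99).
FAILED_OUTPUT = """\
Do allow list check before sending out authentication request...
name "User5-Kerberos" is in group "all"
Authentication to KERBEROS server at '10.5.104.99' for user 'User5-Kerberos'
Realm: 'Bad-MGMT-GROUP.LOCAL'
Egress: 10.5.104.98
KERBEROS configuration file is created
KERBEROS authcontext is created. Now authenticating ...
Kerberos principal is created
Sending authentication request to KDC...
Authentication failure: Wrong realm: 'Bad-MGMT-GROUP.LOCAL' (code: -1765328316)
Authentication failed against KERBEROS server at 10.5.104.99:88 for user "User5-Kerberos"
Authentication failed for user "User5-Kerberos"
"""
SUCCESS_OUTPUT = FAILED_OUTPUT.split("Sending authentication request to KDC...")[0].replace(
    "Bad-MGMT-GROUP.LOCAL", "MGMT-GROUP.LOCAL"
) + "Sending authentication request to KDC...\nAuthentication succeeded!\n" \
    'Authentication succeeded for user "User5-Kerberos"\n'

if __name__ == "__main__":
    for output in (FAILED_OUTPUT, SUCCESS_OUTPUT):
        r = parse_test_output(output)
        verdict = "OK" if r.succeeded else f"FAIL {r.krb5_error_name}: {r.failure_message}"
        print(f"{r.user}@{r.realm} via {r.egress} -> {r.server}: {verdict}", realm_warnings(r))
```

The parser keys on the fixed phrases in the test output rather than on line position, so it tolerates the extra allow-list lines that appear when the profile has a non-default allow list. Because the firewall reports the KDC's own error code, mapping it to the libkrb5 name separates configuration errors (wrong realm, unknown principal) from credential problems (preauthentication failed, expired key) and environment problems (clock skew) without a second look at the KDC logs.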