Thursday, March 9, 2017

Quick note on troubleshooting password based Kerberos authentication on a Palo Alto Networks firewall

While endeavoring to test a Kerberos based authentication profile on a client's Palo Alto Networks firewall, I ran into a couple of error messages that need a little clarification.

To test the authentication I connected to the CLI on the firewall and issued the following command:
 test authentication authentication-profile client-test-1 username genesyswave password
This prompts me to enter my password; the firewall then contacts the authentication server using either the management interface (default) or the configured service route interface for that server type (LDAP, RADIUS, Kerberos or TACACS+).

In the first attempt I received the following message:
Failed to initialize KERBEROS auth context: Improper format of Kerberos configuration file
A quick search of the Internet returned results about the device not being properly joined to the realm, but that is not required for password based authentication to Kerberos on a Palo Alto Networks firewall.
I then checked the authd.log for more specifics on the Kerberos configuration file the firewall generates:
pan_authd_create_krb5_config(pan_authd_shared_util.c:186): krb5 config:
[libdefaults]
    dns_lookup_kdc = false
    default_realm = DOMAIN.CLIENT.COM

[realms]
DOMAIN.CLIENT.COM = {
    kdc = 
    default_domain = pge
}
The empty kdc value indicates a DNS name resolution issue on the firewall: the KDC address could not be resolved because DNS was not configured on this particular firewall.

DNS configuration was updated.

I tested the authentication again and received a different error message:
Authentication failure: KDC server at 'server-IP:88' is not reachable (code:-1765328228)
This message indicates a different issue: the firewall now knows the KDC address but is unable to connect to it on port 88. Either it is a routing issue or something in the path is preventing the connection from completing. In my client's case there is a Cisco firewall between the management interface and the Kerberos servers. After adding a rule to the other firewall, the authentication succeeded.
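As an added example (not from the original post or from Palo Alto Networks), a small Python checker that parses the krb5 config authd.log prints and tells the two failures above apart: an empty kdc entry (resolution or configuration problem) versus a kdc that is set but cannot be reached on port 88. The sample config, the 192.0.2.10 address and the injectable probe function are constructed for this example.

```python
import socket

# Constructed sample modelled on the authd.log output above (empty kdc value).
SAMPLE_CONFIG = """[libdefaults]
    dns_lookup_kdc = false
    default_realm = DOMAIN.CLIENT.COM
[realms]
DOMAIN.CLIENT.COM = {
    kdc =
    default_domain = pge
}
"""

def parse_krb5_config(text):
    """Parse the krb5.conf subset authd emits: [sections], key = value lines,
    and realm blocks delimited by '{' and '}'. Returns nested dicts."""
    conf, section, realm = {}, None, None
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
        elif line.endswith("{"):            # e.g. 'DOMAIN.CLIENT.COM = {'
            realm = line[:-1].split("=")[0].strip()
            conf[section][realm] = {}
        elif line == "}":
            realm = None
        else:
            key, _, value = line.partition("=")
            target = conf[section][realm] if realm else conf[section]
            target[key.strip()] = value.strip()
    return conf

def kdc_reachable(host, port=88, timeout=3.0):
    """TCP connect to the KDC port; False mirrors the 'not reachable' error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(text, probe=kdc_reachable):
    """Classify a config as the post's two failures, or 'ok'."""
    conf = parse_krb5_config(text)
    realm = conf.get("libdefaults", {}).get("default_realm", "")
    kdc = conf.get("realms", {}).get(realm, {}).get("kdc", "")
    if not kdc:
        return "improper-config"   # kdc empty: fix DNS / KDC resolution first
    if not probe(kdc):
        return "unreachable"       # kdc set, but port 88 is blocked or unrouted
    return "ok"
```

Run `diagnose(SAMPLE_CONFIG)` to see the first failure classified without touching the network; pass the real log text once DNS is fixed to check the path to port 88.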

*Note - republished with corrected title, apologies for the goof