The eagle-eyed amongst you may have noticed I used the certificate vpn.labtinker.net whilst running my Palo on the URL vpn.badtinker.net. The SAML authentication still worked because I guess the relevant public certs are in the metadata so no PKI checking; not in my set up anyway. I did eventually configure the correct certificate but the only difference it made was removing the browser warning I’d […]

My aim in this post is to get administrator access to a Palo Alto firewall using SAML authentication. The theory of this proccess is well-documented. Here is a explanation of it from Palo themselves: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVvCAK In summary, SAML allows federated authentication: basically we have a service provider (SP) and an identity provider (IdP) who trust each other. So when a user tries to authenticate to […]

I said in my previous post I would discuss how I’d got the Kerberos lab working. The thing is my notes were scrappy and instead of tidying them up it came to me that I’d created a common real-world scenario: a poorly-documented system. Often such systems are encountered by operations staff when said systems are no longer working so let’s break things and see what […]

Kerberos is a venerable and widely used authentication mechanism developed by MIT that underpins Active Directory. A lot of people have posted detailed explanations on how it works like this one: https://www.tarlogic.com/en/blog/how-kerberos-works/ But the labtinker philosophy is to lift this off the page and into a lab so let’s set the stage. There are three actors treading the LAN today: WIN10 is the client, a […]