Decommission of Kerberos from ASA 9.22

Available Languages

Download Options

  • PDF     (859.6 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (1.0 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (717.3 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:March 20, 2025
Document ID:222875

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes insight on Kerberos Deprecation from ASA 9.22.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of basic security concepts:

    • Basic Knowledge of ASA CLI.
    • Basic knowledge of AAA (Authentication, Authorization, and Accounting)

    Components Used

    The information in this document is based on these software and hardware versions:

    • All ASA platforms
    • ASA CLI 9.22.1
    • ASDM 7.22.1
    • CSM 4.29

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    ASA CLI Configuration Walkthrough

    ASA CLI Overview:

    • In the command output, the options inbold italichave been removed from the CLI. 
    • Upgrades from versions prior to 9.22 that contain these configurations result in a warning message on the console during boot time. 

    ciscoasa(config)# aaa-server kerb protocol ?

    configure mode commands/options:

      http-form  Protocol HTTP form-based

      kerberos   Protocol Kerberos (DEPRECATED)     

      ldap       Protocol LDAP

      radius     Protocol RADIUS

      sdi        Protocol SDI

      tacacs+    Protocol TACACS+

    ciscoasa(config)# aaa-server kerb protocol kerberos

    ciscoasa(config-aaa-server-group)# ?

    AAA server configuration commands:

      exit                 Exit from aaa-server group configuration mode

      help                 Help for AAA server configuration commands

      max-failed-attempts  Specify the maximum number of failures that allowed for any server in the group before that server is deactivated

      no                   Remove an item from aaa-server group configuration

      reactivation-mode    Specify the method by which failed servers are reactivated

      validate-kdc         Enable KDC validation during kerberos user auth

    ciscoasa(config)# test aaa-server authentication kerb ? 

    exec mode commands/options: 

      delegate     Test Kerberos constrained delegation 

      host         Enter this keyword to specify the IP address for the server 

       impersonate  Test Kerberos protocol transition 

       password     Password keyword 

       self         Test Kerberos self-ticket retrieval 

       username     Username keyword 

    ciscoasa(config)# aaa-server ldaps protocol ldap  

    ciscoasa(config-aaa-server-group)# aaa-server ldaps host x.x.x.x 

    ciscoasa(config-aaa-server-host)# sasl-mechanism ? 

    aaa-server-host mode commands/options: 

      digest-md5  select Digest-MD5 

      kerberos    select Kerberos

    ciscoasa(config)# debug kerberos

    ASDM Configuration Walkthrough

    ASDM overview:

    • Kerberos is no longer supported from ASDM 7.22
    • This deprecates the ability for end users to configure AAA server groups with the Kerberos Protocol as well as the LDAP SASL mechanism.
    • As part of this deprecation, AAA Kerberos is no longer listed in TreeMenu under Users/AAA in Device Management.
    • Microsoft KCD Server is also no longer supported.

    ASDM: Kerberos Protocol in New AAA Server GroupASDM: Kerberos Protocol in New AAA Server Group

    ASDM: AAA KerberosASDM: AAA Kerberos

    ASDM: Kerberos Protocol in New AAA Server GroupASDM: Kerberos Protocol in New AAA Server Group

    ASDM: Kerberos Configuration for LDAP SASLASDM: Kerberos Configuration for LDAP SASL

    CSM Configuration Walkthrough

    CSM Overview:

    • Kerberos Protocol is no longer supported.
    • This deprecates the ability for end users to configure AAA server groups with the Kerberos Protocol as well as the LDAP SASL mechanism.
    • Microsoft KCD Server is also no longer supported.
    • Instead of removing Kerberos Support from CSM, it is handled in Activity Validation.
    • Activity Validation throw an Error message for 9.22.1 ASA version onwards saying, Kerberos protocol is not supported from 9.22.1 version onwards.

    CSM Kerberos ConfigurationCSM Kerberos Configuration

    PATH: CSM>Firewall > AAA Rules > AAA Server Group > Add > Kerberos

    1. Save
    2. Preview Config for Activity Validation result.

    Protocol is not Supported

    CSM Kerberos Configuration for LDAP SASLCSM Kerberos Configuration for LDAP SASL

    PATH: CSM>Firewall > AAA Rules > AAA Server Group > Add >Protocol > LDAP >SASL

    1. Save
    2. Preview Config for Activity Validation result.

    Protocol is not Supported

    Revision History

    Revision Publish Date Comments
    1.0
    20-Mar-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Manjunath Krishna
      Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco