Global Protect - valid certificate client is required

noobynetwork — Wed, 18 Jan 2023 05:34:09 GMT

all of a sudden at the beginning of this week, our Global protect clietns have been failing with "valid certificate client is required"

the environment is set for machine cert auth (windows adcs)

now, to get around this issue we have turned off CRL in the certificate profile, but still at a loss

tried the latsst version of gp client

checked ntp

ps. its the same result on all our firewalls, until we turn off CRL

the only thing that might stick, is our issuing ca was patched, then our issues started a few days later.

the best log ive found so far is "a certificate chain could not be built to a trusted root auth"

but our chain is valid,

any ideas what else to do?

Re: Global Protect - valid certificate client is required

aleksandar.astardzhiev — Wed, 18 Jan 2023 13:36:30 GMT

Hi @noobynetwork ,

"the only thing that might stick, is our issuing ca was patched, then our issues started a few days later."
Was your CA renewed around the server patching?

"now, to get around this issue we have turned off CRL in the certificate profile, but still at a loss"

"ps. its the same result on all our firewalls, until we turn off CRL"

I am confused does it work after you disable CRL or still not?

The error message you receive speak for itself - you firewall is not trusting the machine certificate that your user are providing during authentication. However there are couple of reasons this could happen:

- Machine certificate has expired and it was not renewed automatically. On one of the affected machine check the certificate store and see if the machine certificate that should be used for GP is valid (not expired)

- Certificate Profile on GP portal/gateway not listing correct CAs. If machine certificate is signed by CA that is not in the Cert profile used by the GP portal/gateway, GP client wouldn't know which client cert to use and wouldn't provide any. Check one of the affected client certs and confirm that the issuing CA is in the cert profile

- CA certificate was renewed. If you have renewed your CA recently, some of the machines may already have enrolled client certs from the new CA, while some are still cert issued from the old CA. The old and the new CA may have exact same CN, but they are different. In this case you will need to import both CAs to the firewall and use them in the cert profile.

- RL endpoints listed in the certificate profile are not reachable. You can check this KB, not exactly the same issues, but could give you directions how to confirm if CRL is not reachable https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oMSlCAM

topic Global Protect - valid certificate client is required in GlobalProtect Discussions

Global Protect - valid certificate client is required

Re: Global Protect - valid certificate client is required