<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Always On VPN with Prelogon then Switch to SSO?  DUO and ADFS involved. in GlobalProtect Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/always-on-vpn-with-prelogon-then-switch-to-sso-duo-and-adfs/m-p/554204#M4294</link>
    <description>&lt;P&gt;Greetings all.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I'm having a time trying to configure this and could use some pointers where I may be going wrong.&amp;nbsp; Here is the environment:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Single portal already configured using ADFS (ADFS is also already set up with DUO MFA) with agent configurations based on AD security groups&lt;/LI&gt;
&lt;LI&gt;Multiple gateways already configured based on AD security groups&lt;/LI&gt;
&lt;LI&gt;Windows 10 laptop domain joined but also with a DUO MFA prompt at Windows login&lt;/LI&gt;
&lt;LI&gt;I've set up two portal agent configs, one for the Always On VPN security group and the other for prelogon... auth override cookies have been configured.&amp;nbsp; Prelogon tunnel rename timeout is currently set to -1.&amp;nbsp; The user group based one is set to use SSO along with some other things like requiring a password to disconnect/uninstall.&lt;/LI&gt;
&lt;LI&gt;Always on gateway has been configured with same auth override cookie config and also uses ADFS auth just like the portal.&amp;nbsp; I had multiple agent configs (one for prelogon and one for the user security group) with different IP addressing but I've changed this to a single "any" users config for now for testing and simplicity&lt;/LI&gt;
&lt;LI&gt;I have an AD generated certificate for the PC generated and installed and I believe that part is working for prelogon sign in&lt;/LI&gt;
&lt;LI&gt;Split tunneling is disabled on the gateway&lt;/LI&gt;
&lt;LI&gt;AD GPO has mapped drives that we want to successfully map at Windows login so the tunnel being established still at that point is important&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The behavior I'm seeing:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Prelogon seems to work as I see GP logs on the firewall and I can see the tunnel established on the client&lt;/LI&gt;
&lt;LI&gt;During sign in, the DUO prompt appears and allows me to do the MFA.&amp;nbsp; Once that's done, Windows continues to sign in and shows the username&lt;/LI&gt;
&lt;LI&gt;Once signed in, the tunnel is still established, however, it is for prelogon user still and never seems to switch to the Windows/AD user.&amp;nbsp; GP logs on the firewall continue to show prelogon as does the GP client if opened on the laptop.&amp;nbsp; After opening the GP client (and not before), the ADFS prompt appears for the user to sign in.&amp;nbsp; It can be ignored and closed and the prelogon tunnel stays.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Checking the GP logs, it looks like account info is not being handed off as part of the sign in to GP for the SSO part.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I've tried: "&lt;SPAN&gt;&lt;STRONG&gt;&lt;EM&gt;pangps -registerplap&lt;/EM&gt;&lt;/STRONG&gt;&lt;/SPAN&gt;" and that does add a symbol allowing me to check before login if the tunnel is established.&amp;nbsp; Helpful, but it didn't fix anything.&amp;nbsp; I also found somewhere talking about making sure default Windows and GP were the only credential providers listed in the Windows registry. DUO was in there on ours too so I deleted that key, which re-enabled the login options to appear.&amp;nbsp; Choosing the GP login option does seem to at least provide my username in the SSO logs but still didn't actually switch to the username in GP.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;This is driving me crazy so I'm hopeful someone else has come across this and has some insight!&lt;/P&gt;</description>
    <pubDate>Thu, 17 Aug 2023 17:45:27 GMT</pubDate>
    <dc:creator>jsalmans</dc:creator>
    <dc:date>2023-08-17T17:45:27Z</dc:date>
    <item>
      <title>Always On VPN with Prelogon then Switch to SSO?  DUO and ADFS involved.</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/always-on-vpn-with-prelogon-then-switch-to-sso-duo-and-adfs/m-p/554204#M4294</link>
      <description>&lt;P&gt;Greetings all.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I'm having a time trying to configure this and could use some pointers where I may be going wrong.&amp;nbsp; Here is the environment:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Single portal already configured using ADFS (ADFS is also already set up with DUO MFA) with agent configurations based on AD security groups&lt;/LI&gt;
&lt;LI&gt;Multiple gateways already configured based on AD security groups&lt;/LI&gt;
&lt;LI&gt;Windows 10 laptop domain joined but also with a DUO MFA prompt at Windows login&lt;/LI&gt;
&lt;LI&gt;I've set up two portal agent configs, one for the Always On VPN security group and the other for prelogon... auth override cookies have been configured.&amp;nbsp; Prelogon tunnel rename timeout is currently set to -1.&amp;nbsp; The user group based one is set to use SSO along with some other things like requiring a password to disconnect/uninstall.&lt;/LI&gt;
&lt;LI&gt;Always on gateway has been configured with same auth override cookie config and also uses ADFS auth just like the portal.&amp;nbsp; I had multiple agent configs (one for prelogon and one for the user security group) with different IP addressing but I've changed this to a single "any" users config for now for testing and simplicity&lt;/LI&gt;
&lt;LI&gt;I have an AD generated certificate for the PC generated and installed and I believe that part is working for prelogon sign in&lt;/LI&gt;
&lt;LI&gt;Split tunneling is disabled on the gateway&lt;/LI&gt;
&lt;LI&gt;AD GPO has mapped drives that we want to successfully map at Windows login so the tunnel being established still at that point is important&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The behavior I'm seeing:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Prelogon seems to work as I see GP logs on the firewall and I can see the tunnel established on the client&lt;/LI&gt;
&lt;LI&gt;During sign in, the DUO prompt appears and allows me to do the MFA.&amp;nbsp; Once that's done, Windows continues to sign in and shows the username&lt;/LI&gt;
&lt;LI&gt;Once signed in, the tunnel is still established, however, it is for prelogon user still and never seems to switch to the Windows/AD user.&amp;nbsp; GP logs on the firewall continue to show prelogon as does the GP client if opened on the laptop.&amp;nbsp; After opening the GP client (and not before), the ADFS prompt appears for the user to sign in.&amp;nbsp; It can be ignored and closed and the prelogon tunnel stays.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Checking the GP logs, it looks like account info is not being handed off as part of the sign in to GP for the SSO part.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I've tried: "&lt;SPAN&gt;&lt;STRONG&gt;&lt;EM&gt;pangps -registerplap&lt;/EM&gt;&lt;/STRONG&gt;&lt;/SPAN&gt;" and that does add a symbol allowing me to check before login if the tunnel is established.&amp;nbsp; Helpful, but it didn't fix anything.&amp;nbsp; I also found somewhere talking about making sure default Windows and GP were the only credential providers listed in the Windows registry. DUO was in there on ours too so I deleted that key, which re-enabled the login options to appear.&amp;nbsp; Choosing the GP login option does seem to at least provide my username in the SSO logs but still didn't actually switch to the username in GP.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;This is driving me crazy so I'm hopeful someone else has come across this and has some insight!&lt;/P&gt;</description>
      <pubDate>Thu, 17 Aug 2023 17:45:27 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/always-on-vpn-with-prelogon-then-switch-to-sso-duo-and-adfs/m-p/554204#M4294</guid>
      <dc:creator>jsalmans</dc:creator>
      <dc:date>2023-08-17T17:45:27Z</dc:date>
    </item>
  </channel>
</rss>

