topic Re: Global Protect authentication happened twice while LDAP and Okta Auth in GlobalProtect Discussions

Global Protect authentication happened twice while LDAP and Okta Auth

tthapa23 — Mon, 25 Sep 2023 17:22:15 GMT

Recently we moved to PA-3410 software version 11.0.1-h2 from PA-850 software version 10.2.3-h4 .

on both firewalls

GlobalProtect Agent

6.1.1

We have selected option for authentication override

On Portals
Generate cookie for authentication override

on Gateway
Accept cookie for authentication override

https://supportcases.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boODCAY

It was working perfectly fine with single okta prompt on PA-850 but after moving onto the PA-3410 GP okta auth prompts twice.

As PAN TAC has suggested cleared GP and Laptop web browser cache.

1. Try clearing the Browser cache and Cache file by referring below document.
https://live.paloaltonetworks.com/t5/globalprotect-discussions/clearing-globalprotect-cookies/td-p/354097

2. How to uninstall GlobalProtect Agent software completely in Windows
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oNGHCA2

Uninstall the GlobalProtect App for macOS
https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-user-guide/globalprotect-app-for-mac/uninstall-the-globalprotect-app-for-mac

3. Form the firewall, there is a method to clear the cache of GlobalProtect for Connected users by imposing the below commands. (This might prevent you from uninstalling it on each user if it works).

> show global-protect-gateway current-user (To check connected users)

> clear user-cache all type GP ( To delete the cache for connected users).

After doing everything above mentioned, still GP Okta auth prompts twice. is there anyone have solutions and suggestion for this issue?

Re: Global Protect authentication happened twice while LDAP and Okta Auth

Raido_Rattameister — Mon, 25 Sep 2023 17:58:44 GMT

Monitor > Logs > GlobalProtect

Filter:

( eventid eq 'portal-auth' ) or ( eventid eq 'gateway-auth' )

Add "Auth Method" and "Error" columns.

What auth methods and errors you see?

Re: Global Protect authentication happened twice while LDAP and Okta Auth

tthapa23 — Mon, 25 Sep 2023 18:26:41 GMT

auth_method is saml.
Authentication is happens successful but our users issue is Okta-auth prompt appears twice.

Re: Global Protect authentication happened twice while LDAP and Okta Auth

tthapa23 — Mon, 25 Sep 2023 18:27:20 GMT

Re: Global Protect authentication happened twice while LDAP and Okta Auth

tthapa23 — Mon, 25 Sep 2023 18:42:21 GMT

Please ignore first attachment. second logs event is which i tried login back GP.

Re: Global Protect authentication happened twice while LDAP and Okta Auth

Raido_Rattameister — Mon, 25 Sep 2023 18:54:11 GMT

Example:

Client connects to portal.

Tries cookie.

Cookie is expired so uses "auth-sequence" to log in.

Portal generates new cookie for user.

Your log screenshot don't reveal what is happening on your side during same process.

Re: Global Protect authentication happened twice while LDAP and Okta Auth

tthapa23 — Mon, 25 Sep 2023 19:00:27 GMT

Error says user is not in allow list.

Re: Global Protect authentication happened twice while LDAP and Okta Auth

Raido_Rattameister — Tue, 26 Sep 2023 06:17:59 GMT

I think it is better for you to go back to TAC with this info - user is not in allowlist when using cookies and let them figure out.

Without seeing more details it is hard to troubleshoot further.

You can try to set allowlist to "all" under auth profile (Device > Authentication Profile > Auth-Profile-Name > Advanced tab) and test if it starts working and go from there.

Re: Global Protect authentication happened twice while LDAP and Okta Auth

tthapa23 — Wed, 27 Sep 2023 03:30:25 GMT

Hi Raido_Rattameister,

Thank you for your prompt replies and suggestions.
Its was working perfectly fine , when we upgraded PA-3410 from

Software Version

10.2.3-h4

Software Version

11.0.1-h2

PAN TAC came back with answer " Its KNOWN Bug on this Software Version 11.0.1-h2". They asked us to test the below scenario
1. Remove generate cookie from the portal.
2. Generate and accept cookies at the gateway only.

The above scenario will trigger the SAML redirect during the first login and from 2nd login, it will trigger a redirect to SAML only for the portal and the gateway will login as per cookie. After changing above suggested options it started working with single SAML Okta auth prompt but its temporary workaround. They are working on permanent hotfix solution on this version. I will keep updated here.