https://live.paloaltonetworks.com/t5/globalprotect-discussions/comp-certificate-expired-how-to-allow-users-to-log-in/m-p/591305#M5536 <P>Hi, Just realised have not posted how we dealt with it, so just as a closure:</P> <P>&nbsp;</P> <P>We have decided easiest way would be to remove cert from authentication requirements for brief moments when we have that issue, so have set "user credentials OR device cert required", allowed user to log in, then recreated cert once user was&nbsp; in.</P> <P>After that I just changed that back to "creds AND cert required". Few minutes of lowered protection, but solved that problem just fine.</P> Sun, 07 Jul 2024 07:37:12 GMT R.Tryba 2024-07-07T07:37:12Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/comp-certificate-expired-how-to-allow-users-to-log-in/m-p/578261#M5015 <P>Hi,</P> <P>&nbsp;</P> <P>Few of my users have not connected to GP (and to AD) for extended period of time and their computer certificate has expired.</P> <P>They are remote, so coming to office would be problematic - continent-size problematic <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>I was under impression, that when i change Authentication profile from&nbsp;"Require username AND device cert" to "Require username OR device cert", I will be able to allow them to connect&nbsp; - that way their comp cert would renew and they'd be ok going forward.</P> <P>&nbsp;</P> <P>But I was wrong, GP client was not willing to connect.&nbsp; i know there is a way, as previous Manager was allowing it through, but at that time I was not working on Palo's, so not sure what else I need to amend to make it happen..</P> Sun, 25 Feb 2024 08:57:03 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/comp-certificate-expired-how-to-allow-users-to-log-in/m-p/578261#M5015 R.Tryba 2024-02-25T08:57:03Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/comp-certificate-expired-how-to-allow-users-to-log-in/m-p/578349#M5024 <P>did you change this setting on both the portal AND the gateway? Make sure you're allowing it on both for those users to be able to connect</P> Mon, 26 Feb 2024 14:05:59 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/comp-certificate-expired-how-to-allow-users-to-log-in/m-p/578349#M5024 reaper 2024-02-26T14:05:59Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/comp-certificate-expired-how-to-allow-users-to-log-in/m-p/578521#M5028 <P>Hi,</P> <P>I have today, have also as per other suggestion I saw somewhere to remove a cert profile from portal - nothing worked, it has thou for one sec showed me MFA prompt for user..&nbsp; &nbsp; but at the end it refused to connect anyway - with same "Client certificate not found" message..</P> <P>Logging call with my Palo Support company for it, but any other suggestion welcome..</P> <P>&nbsp;</P> <P>Is there any way I can generate a machine cert on my CA and install it on remote comp?&nbsp; &nbsp;Problem is that I use a specific template for it and unsure if it would work if problematic machine has no access to internal CA..</P> <P>&nbsp;</P> <P>Any other way of generating maybe self-signed cert on palo firewall (or Panorama) to allow it through?</P> Tue, 27 Feb 2024 18:04:10 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/comp-certificate-expired-how-to-allow-users-to-log-in/m-p/578521#M5028 R.Tryba 2024-02-27T18:04:10Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/comp-certificate-expired-how-to-allow-users-to-log-in/m-p/578650#M5033 <P>Have you checked the certificate profile to see if any options here are ticked</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mick_Ball_1-1709128311313.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/57898i61D3DB67A970A75B/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Mick_Ball_1-1709128311313.png" alt="Mick_Ball_1-1709128311313.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 28 Feb 2024 13:51:58 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/comp-certificate-expired-how-to-allow-users-to-log-in/m-p/578650#M5033 Mick_Ball 2024-02-28T13:51:58Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/comp-certificate-expired-how-to-allow-users-to-log-in/m-p/578653#M5035 <P>Can you not email a new certificate to the users device or do they have no connection without GlobalProtect?</P> Wed, 28 Feb 2024 14:03:00 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/comp-certificate-expired-how-to-allow-users-to-log-in/m-p/578653#M5035 Mick_Ball 2024-02-28T14:03:00Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/comp-certificate-expired-how-to-allow-users-to-log-in/m-p/591305#M5536 <P>Hi, Just realised have not posted how we dealt with it, so just as a closure:</P> <P>&nbsp;</P> <P>We have decided easiest way would be to remove cert from authentication requirements for brief moments when we have that issue, so have set "user credentials OR device cert required", allowed user to log in, then recreated cert once user was&nbsp; in.</P> <P>After that I just changed that back to "creds AND cert required". Few minutes of lowered protection, but solved that problem just fine.</P> Sun, 07 Jul 2024 07:37:12 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/comp-certificate-expired-how-to-allow-users-to-log-in/m-p/591305#M5536 R.Tryba 2024-07-07T07:37:12Z