GlobalProtect MFA with external/USB user certificate

jwill2 — Thu, 30 Apr 2026 18:19:36 GMT

We are using LDAP for the username/password authentication and I am now trying to set up our GP Portal to use username/password AND a user certificate for MFA. I've seen some documentation that states that the GP Agent will look at the local user and computer store, but is there a way to have it look at an external device?

Also, what information needs to be on the certificate? Specifically what is GP looking for? The username as the subject? Should it be the DOMAIN\username? Or just the username?

Re: GlobalProtect MFA with external/USB user certificate

NSutfin — Fri, 01 May 2026 15:25:58 GMT

JWil2 - Where is the private key stored? On the usb as well? Services that need to leverage cert based auth need the public key and private key which windows holds in different places on the OS. The internal components in the OS respond to challenges when responding to auth requests. You could use a solution like Yubikey which is USB based but has a TPM which holds the private key material and also has an open interface that holds the public key... all in one chip. This is usually secured with a PIN so when you open a GP session, Windows will prompt you for PIN which is used to access the Yubikey material through the windows driver and then presents the cert to GP and responds to the cert process. I use this and it works well. Does that answer your question?

-Nathan

topic Re: GlobalProtect MFA with external/USB user certificate in GlobalProtect Discussions

GlobalProtect MFA with external/USB user certificate

Re: GlobalProtect MFA with external/USB user certificate