GlobalProtect 6.3.3 + Duo SAML MFA loop after normal Windows login (works only via GP Credential Provider at Windows logon)

Marco_DiFrancesco — Wed, 13 May 2026 14:24:32 GMT

Hi everyone,

we are currently facing a strange issue with GlobalProtect + Duo MFA and have been able to narrow it down quite a bit.

I wanted to check if anyone has already seen this behavior.

Environment

GlobalProtect Client: 6.3.3-c876
Prisma Access Mobile Users
Dataplane Version: 10.2.4
Authentication: SAML via Cisco Duo
Cisco Duo federated to Microsoft Entra ID
Windows Hello for Business enabled
No Pre-Logon
No Connect Before Logon
Authentication Override Cookies enabled
Tested with Save User Credentials = Yes and No
Tested with Default Browser and Embedded Browser

Authentication Flow

The authentication flow is:

GlobalProtect / Prisma Access
→ Cisco Duo SAML
→ Microsoft Entra ID

So the direct IdP configured in Prisma Access is Cisco Duo, while Duo itself is federated with Entra ID.

Problem

We are getting an MFA/SAML authentication loop, but only under specific conditions.

Works correctly

If the user authenticates via the GlobalProtect icon / Credential Provider on the Windows login screen and enters username/password there.

Result:

Duo MFA succeeds
VPN connects normally
no authentication loop

Does NOT work

If the user logs into Windows normally first and GP connects afterward automatically.

It does not matter whether Windows login is done via:

Windows Hello PIN
regular Windows password
biometrics

Behavior:

Duo MFA succeeds
Redirect back to GlobalProtect
GP immediately starts a new auth request
MFA prompt appears again
endless loop

Relevant client log entry

In PanGPA.log we consistently see:

RetrieveGPCred failed. hr = 1168

This seems directly related to the issue.

Already tested

Browser mode

Default Browser
Embedded Browser

=> no difference

SSO

Use Single Sign-On = Yes
Use Single Sign-On = No

=> no difference

Save User Credentials

=> no difference

Authentication Override

Generate Cookie enabled
Accept Cookie enabled
same certificate
same lifetime

=> no difference

Interesting observation

The problem does NOT occur when the full authentication flow is handled through the GP Credential Provider at the Windows login screen.

The issue only happens with:

normal Windows login
followed by automatic GP connection afterward

This makes us suspect:

credential retrieval issue
WAM/PRT/WHfB-related behavior
or possibly a bug in post-logon credential handling

Question

Has anyone seen similar issues with:

GP 6.3.x
Windows Hello for Business
Duo SAML federated to Entra ID
Prisma Access
RetrieveGPCred failed. hr = 1168

Particularly interested in:

known bugs
recommended GP versions
workarounds
known WAM / WHfB issues

Thanks in advance!

topic GlobalProtect 6.3.3 + Duo SAML MFA loop after normal Windows login (works only via GP Credential Provider at Windows logon) in GlobalProtect Discussions

GlobalProtect 6.3.3 + Duo SAML MFA loop after normal Windows login (works only via GP Credential Provider at Windows logon)

Environment

Authentication Flow

Problem

Works correctly

Does NOT work

Relevant client log entry

Already tested

Browser mode

SSO

Save User Credentials

Authentication Override

Interesting observation

Question