topic Switching from GlobalProtect username &amp; password to some sort of SSO solution (on-prem AD only) in GlobalProtect Discussions https://live.paloaltonetworks.com/t5/globalprotect-discussions/switching-from-globalprotect-username-amp-password-to-some-sort/m-p/383670#M878 <P>We have always used username &amp; password for authenticating GlobalProtect (using the user's AD account/password). We always connect GlobalProtect AFTER signing on to Windows first.&nbsp; So how difficult would it be to have GlobalProtect simply query Windows for the user's current signed-on creds to use instead of manually typing them? Essentially something like SSO?</P><P>&nbsp;</P><P>And is it possible to setup a 2nd gateway option for testing so we don't impact our current users?&nbsp; Basically, if users are connecting to vpn.contoso.com, we would create vpntest.contoso.com on the PA and use that to test this new configuration.&nbsp;&nbsp;</P><P>&nbsp;</P><P>NOTE: I don't want to do pre-login or anything like that. And we don't have SAML as an option or AD Federated Services.&nbsp; Just a very basic Active Directory 2016 domain, a single Palo Alto Firewall and GlobalProtect 5.1.5 for Windows 10.&nbsp;&nbsp;</P><DIV class="ms-editor-squiggler">&nbsp;</DIV> Wed, 03 Feb 2021 16:53:29 GMT jrauman 2021-02-03T16:53:29Z Switching from GlobalProtect username & password to some sort of SSO solution (on-prem AD only) https://live.paloaltonetworks.com/t5/globalprotect-discussions/switching-from-globalprotect-username-amp-password-to-some-sort/m-p/383670#M878 <P>We have always used username &amp; password for authenticating GlobalProtect (using the user's AD account/password). We always connect GlobalProtect AFTER signing on to Windows first.&nbsp; So how difficult would it be to have GlobalProtect simply query Windows for the user's current signed-on creds to use instead of manually typing them? Essentially something like SSO?</P><P>&nbsp;</P><P>And is it possible to setup a 2nd gateway option for testing so we don't impact our current users?&nbsp; Basically, if users are connecting to vpn.contoso.com, we would create vpntest.contoso.com on the PA and use that to test this new configuration.&nbsp;&nbsp;</P><P>&nbsp;</P><P>NOTE: I don't want to do pre-login or anything like that. And we don't have SAML as an option or AD Federated Services.&nbsp; Just a very basic Active Directory 2016 domain, a single Palo Alto Firewall and GlobalProtect 5.1.5 for Windows 10.&nbsp;&nbsp;</P><DIV class="ms-editor-squiggler">&nbsp;</DIV> Wed, 03 Feb 2021 16:53:29 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/switching-from-globalprotect-username-amp-password-to-some-sort/m-p/383670#M878 jrauman 2021-02-03T16:53:29Z