https://live.paloaltonetworks.com/t5/general-topics/gp-on-windows-11-client-certificate-issue/m-p/489940#M104897 <P>&nbsp;I had this exact same problem a few weeks ago on a PC which the user had upgraded to Win11 (without permission but..).</P><P>&nbsp;</P><P>The problem is that the upgrade broke permissions for the GP client to access the private key, but it could read the public portion of the certificate just fine. Using MMC, nothing was apparent as being wrong. The fix is to manually export the user's certificate, including the private key, and save it. Delete the certificate from the user's cert store. Then re-import the saved key back into the certificate store. The GP client will now be able to read the private key. Alternatively, you can delete the old certificate and regenerate it (though you probably need to be connected/domain joined to do that in most cases).</P><P>&nbsp;</P><P>See my previous thread:</P><P><A href="https://live.paloaltonetworks.com/t5/globalprotect-discussions/windows11-fails-to-connect-to-portal-with-client-certificate/m-p/484315/thread-id/2718" target="_blank" rel="noopener">https://live.paloaltonetworks.com/t5/globalprotect-discussions/windows11-fails-to-connect-to-portal-with-client-certificate/m-p/484315/thread-id/2718</A></P> Mon, 23 May 2022 20:37:34 GMT Adrian_Jensen 2022-05-23T20:37:34Z https://live.paloaltonetworks.com/t5/general-topics/gp-on-windows-11-client-certificate-issue/m-p/489605#M104882 <P>Our customer is having issues with GP&nbsp;5.2.10-6 on Windows 11. They are using client certificates for authentication and after a while a connection fails due to no client certificate present. If we check MMC the certificate is present, valid and has private key.&nbsp;</P><P>But GP logs say:</P><P>(P9292-T12792)Error(2290): 05/23/22 07:03:00:014 error = ERROR_WINHTTP_CLIENT_CERT_NO_ACCESS_PRIVATE_KEY</P><P>(P9292-T12792)Debug(2377): 05/23/22 07:03:00:014 winhttpObj, got ERROR_WINHTTP_CLIENT_CERT_NO_ACCESS_PRIVATE_KEY, clean cert cache now</P><P>(P9292-T12792)Debug(4578): 05/23/22 07:03:00:014 winhttpobj, cert do not has private key???? clean lastIssuerName now, data = 0000000000000000</P><P>&nbsp;</P><P>There is a reddit post about it:</P><P><A href="https://www.reddit.com/r/sysadmin/comments/sd3m6v/windows_11_tpm_and_vpn_issue/" target="_blank">https://www.reddit.com/r/sysadmin/comments/sd3m6v/windows_11_tpm_and_vpn_issue/</A></P><P>&nbsp;</P><P>But nothing on PA forums or KB. How many ppl are having similar issues? Any more info from PA support about this?</P> Mon, 23 May 2022 09:47:28 GMT https://live.paloaltonetworks.com/t5/general-topics/gp-on-windows-11-client-certificate-issue/m-p/489605#M104882 santonic 2022-05-23T09:47:28Z https://live.paloaltonetworks.com/t5/general-topics/gp-on-windows-11-client-certificate-issue/m-p/489940#M104897 <P>&nbsp;I had this exact same problem a few weeks ago on a PC which the user had upgraded to Win11 (without permission but..).</P><P>&nbsp;</P><P>The problem is that the upgrade broke permissions for the GP client to access the private key, but it could read the public portion of the certificate just fine. Using MMC, nothing was apparent as being wrong. The fix is to manually export the user's certificate, including the private key, and save it. Delete the certificate from the user's cert store. Then re-import the saved key back into the certificate store. The GP client will now be able to read the private key. Alternatively, you can delete the old certificate and regenerate it (though you probably need to be connected/domain joined to do that in most cases).</P><P>&nbsp;</P><P>See my previous thread:</P><P><A href="https://live.paloaltonetworks.com/t5/globalprotect-discussions/windows11-fails-to-connect-to-portal-with-client-certificate/m-p/484315/thread-id/2718" target="_blank" rel="noopener">https://live.paloaltonetworks.com/t5/globalprotect-discussions/windows11-fails-to-connect-to-portal-with-client-certificate/m-p/484315/thread-id/2718</A></P> Mon, 23 May 2022 20:37:34 GMT https://live.paloaltonetworks.com/t5/general-topics/gp-on-windows-11-client-certificate-issue/m-p/489940#M104897 Adrian_Jensen 2022-05-23T20:37:34Z https://live.paloaltonetworks.com/t5/general-topics/gp-on-windows-11-client-certificate-issue/m-p/490156#M104902 <P>Thank you for info&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/184804">@Adrian_Jensen</a></P><P>In our case it's fresh installations of Windows 11. First the access with GP works for a couple of days, weeks, months... and then it stops. After that the new client certificate has to be installed and the access starts working again.</P><P>&nbsp;</P> Tue, 24 May 2022 06:31:17 GMT https://live.paloaltonetworks.com/t5/general-topics/gp-on-windows-11-client-certificate-issue/m-p/490156#M104902 santonic 2022-05-24T06:31:17Z https://live.paloaltonetworks.com/t5/general-topics/gp-on-windows-11-client-certificate-issue/m-p/490696#M104913 <P>If you export/re-import the old certificate does it work again? Or does it have to be a new certificate?</P> Tue, 24 May 2022 15:27:58 GMT https://live.paloaltonetworks.com/t5/general-topics/gp-on-windows-11-client-certificate-issue/m-p/490696#M104913 Adrian_Jensen 2022-05-24T15:27:58Z https://live.paloaltonetworks.com/t5/general-topics/gp-on-windows-11-client-certificate-issue/m-p/491311#M104943 <P>The certificates are marked as non exportable so they can't in a 'normal' way. I know there is a way with MimiKatz... <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</P> Wed, 25 May 2022 07:15:57 GMT https://live.paloaltonetworks.com/t5/general-topics/gp-on-windows-11-client-certificate-issue/m-p/491311#M104943 santonic 2022-05-25T07:15:57Z