topic Global Protect doesnt connect to any portal after connecting to a client certificate authentication portal in General Topics

Global Protect doesnt connect to any portal after connecting to a client certificate authentication portal

GabrielMontiel — Sat, 16 Jul 2022 00:33:07 GMT

There's portal A without client certificate auth

There's portal B with client certificate auth,

when i do the following:

Successfully connect to portal A,

Successfully connect to portal B, select a certificate and all of that,

Now im no longer allowed to connect to portal A, or any other portal thats password based, only to portal B.

(The only way to fix this, is to reinstall globalprotect client, and then its the same, but its very tedious)

The error that global protect gives is just that the certificate is not signed by a trusted certifying authority and it doesnt allow to install it.

How could this issue be fixed?

Re: Global Protect doesnt connect to any portal after connecting to a client certificate authentication portal

Adrian_Jensen — Sat, 16 Jul 2022 02:56:41 GMT

- Are requiring user login and certificate or just certificate at the portal stage (Portals->Authentication->Client Authentication)?

- On portal B, are you sending Trusted Root CAs to the client (Portals->Agent->Trusted Root CA)?

- On portal B, are you sending client certificates to the client (Portals->Agent->[config]->Authentication)?

- If, after logging in to/out of portal B, no longer able to log into portal A. If you point your browser at portal A, do you get a certificate error?

Re: Global Protect doesnt connect to any portal after connecting to a client certificate authentication portal

GabrielMontiel — Sat, 16 Jul 2022 22:36:02 GMT

I cannot give any details about portal B since we're only providers for such client, portal A is the one we're responsible for, and where i could dig more details if needed,

But yes after connecting to portal B the browser gives certificate error on the portal A website, i had the guess that maybe portal B somehow was deleting portal A certificate or changing the default certificate folder, but after manually installing the portal A certificate in the trusted root certificate folder it was still giving me errors.

this is the pangps log file after the portal B connection trying to connect to portal A:

(P11592-T13892)Debug(1792😞 07/15/22 14:18:36:524 Send response to client for request https_request

(P11592-T13892)Debug(2997😞 07/15/22 14:18:36:631 receive pan_msg_ping, 3

(P11592-T13892)Debug(3172😞 07/15/22 14:18:36:746 winhttpObj, cert error, 00000008.

(P11592-T13892)Debug(3177😞 07/15/22 14:18:36:746 winhttpObj, cert erro is 00000008

(P11592-T13892)Debug(7100😞 07/15/22 14:18:36:746 prelogin to portal result is

(null)

Re: Global Protect doesnt connect to any portal after connecting to a client certificate authentication portal

Adrian_Jensen — Wed, 20 Jul 2022 17:16:59 GMT

Are your portals using third-party signed certificates or internal CA signed certificates? It is hard to tell from the description, and not having access to portal B complicates diagnosing, but it sounds like whatever portal B is doing is breaking the certificate chain for portal A. The most obvious thing I can think of is that you are using internal CA signed certificates for your portals and portal B is pushing a new root/intermediate ca certificate that replaces the CA signing portal A's certificate, causing portal A to no longer validate. Replacing with a different CA would also break the browser from accessing/showing a secure connection.

If you fix the PC so you can sign into portal A again.... Point a browser at portal A and then look at the certificate details. Specifically look at the certificate chain and the details of the CA certs used sign it. (Below I show my gateway address in the browser, which gives a 404 error - but the important part is the SSL certificate, not the page. The portal page will give something similar.)

Then compare the above CA certificate details on portal A to the details of the CA certificate on portal B. When the GP client works on portal A, can a browser successfully connect to portal B and does the SSL cert verify?