https://live.paloaltonetworks.com/t5/general-topics/globalprotect-prelogon-using-non-cached-ad-account/m-p/45364#M33342 <HTML><HEAD></HEAD><BODY><P>Yea - the GP client does&nbsp; run and say services connected after login.&nbsp; I have one portal client config for prelogon&nbsp; configured for ANY user/user group with SSO enabled </P><P></P><P>My thinking is that because of the user account im testing with did not initially download the config settings it doesn't have a cookie but I thought if SSO is enabled it passes the user credentials used during login to the GP client.</P></BODY></HTML> Thu, 30 Jul 2015 17:07:01 GMT sross79 2015-07-30T17:07:01Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-prelogon-using-non-cached-ad-account/m-p/45360#M33338 <HTML><HEAD></HEAD><BODY><P>So i 've been having some issues getting GP prelogon working correctly.&nbsp; As of right now - GP will make the VPN connection before logon(i am able to ping my device prior to logon) and after i login with a cached account it maintains its VPN connection and i have full network access, no issues. </P><P></P><P>However, when i log in using a non-cached account - it creates a temp profile, while still maintaining the VPN connection.&nbsp; I am under the impression that that prior to logon i have a network connection will full access(which i do) so i should be able to create a regular user profile.&nbsp; My non-cached user account is obviously being authenticated but i am still getting a temp profile.&nbsp;&nbsp;&nbsp; I do not see any errors in the system log and no traffic is being denied.&nbsp; Only thing that sticks out is a few errors in the panGPS.log</P><P></P><P>(T2256) 07/09/15 13:05:41:193 Info ( 109): SSL connect failed (error:00000001:lib(0):func(0):reason(1))</P><P>(T2256) 07/09/15 13:05:41:193 Info ( 157): connect() failed</P><P>(T2256) 07/09/15 13:05:41:193 Error(5765): Protocol error. Check server certificate. Failed to ssl connect to 'xx.xxxxx.com:443', Disconect ssl and returns false.</P><P></P><P>Which i don't understand because it still works technically. The server cert works fine i dont get any cert errors when i web browse to the address.&nbsp; So any ideas on why i am getting a temp profile after i log in?</P><P></P><P>Thanks</P></BODY></HTML> Thu, 09 Jul 2015 21:30:47 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-prelogon-using-non-cached-ad-account/m-p/45360#M33338 sross79 2015-07-09T21:30:47Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-prelogon-using-non-cached-ad-account/m-p/45361#M33339 <HTML><HEAD></HEAD><BODY><P>Hi sross79</P><P></P><P>First I have some questions:</P><P>What OS are you using?</P><P>What version of GP Client do you have installed?</P><P>Are you able to ping the computer over the VPN connection during the whole loginprocess?</P><P>Is it possible to map the drive of the computer while it is connected and no user is logged in?</P><P>(I assume this is working when you log in with this particular user while the computer is located in your corporate network?)</P><P>Do you also checked the thead log for blocked connections?</P><P>Do you habe this error messages before or after the userlogin?</P><P></P><P>What you also could try if the connection is there without any deny entries in the log is decreasing the MTU size on the computer where you have installed GP.</P><P>Regards,</P><P>Remo</P></BODY></HTML> Thu, 30 Jul 2015 16:47:44 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-prelogon-using-non-cached-ad-account/m-p/45361#M33339 Remo 2015-07-30T16:47:44Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-prelogon-using-non-cached-ad-account/m-p/45362#M33340 <HTML><HEAD></HEAD><BODY><P>Hi thanks for the Reply - I actually got it create a standard profile now.&nbsp; It was an error on my part. I incorrectly deleted the profile.&nbsp; Once deleted some registry keys it worked correctly. </P><P></P><P>The problem I have now - is that it doesn't switch to the logged in user from Prelogon. </P><P></P><P>So Prelogon is working correctly - I can ping the device prior to logon and full network access.&nbsp; After I login, the prelogon user is still being used and it does not SSO to show the logged in user.</P></BODY></HTML> Thu, 30 Jul 2015 16:57:24 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-prelogon-using-non-cached-ad-account/m-p/45362#M33340 sross79 2015-07-30T16:57:24Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-prelogon-using-non-cached-ad-account/m-p/45363#M33341 <HTML><HEAD></HEAD><BODY><P>Does a GP Login window show up after you are logged in completely? Did you configre the client config in the portal configuration to use SSO for this particular user or only for the pre-logon user?</P></BODY></HTML> Thu, 30 Jul 2015 17:02:31 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-prelogon-using-non-cached-ad-account/m-p/45363#M33341 Remo 2015-07-30T17:02:31Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-prelogon-using-non-cached-ad-account/m-p/45364#M33342 <HTML><HEAD></HEAD><BODY><P>Yea - the GP client does&nbsp; run and say services connected after login.&nbsp; I have one portal client config for prelogon&nbsp; configured for ANY user/user group with SSO enabled </P><P></P><P>My thinking is that because of the user account im testing with did not initially download the config settings it doesn't have a cookie but I thought if SSO is enabled it passes the user credentials used during login to the GP client.</P></BODY></HTML> Thu, 30 Jul 2015 17:07:01 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-prelogon-using-non-cached-ad-account/m-p/45364#M33342 sross79 2015-07-30T17:07:01Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-prelogon-using-non-cached-ad-account/m-p/45365#M33343 <HTML><HEAD></HEAD><BODY><P>Depends on what login credential provider you used for logging in. This problem I had also&nbsp; that it didnt pass the credentials even I had SSO configured</P></BODY></HTML> Thu, 30 Jul 2015 17:09:35 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-prelogon-using-non-cached-ad-account/m-p/45365#M33343 Remo 2015-07-30T17:09:35Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-prelogon-using-non-cached-ad-account/m-p/45366#M33344 <HTML><HEAD></HEAD><BODY><P>Not sure I follow - what do you mean login credential provider? Just windows 7 login screen</P></BODY></HTML> Thu, 30 Jul 2015 17:12:42 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-prelogon-using-non-cached-ad-account/m-p/45366#M33344 sross79 2015-07-30T17:12:42Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-prelogon-using-non-cached-ad-account/m-p/45367#M33345 <HTML><HEAD></HEAD><BODY><P>I think Palo creates his own login credential provider. So you have to make sure that you use the Global Protect login credential provider in order to make SSO work.</P><P></P><P>On this picture you should see what I mean:</P><P><IMG alt="cp-tiles.jpg" class="image-0 jive-image" src="https://ip1.i.lithium.com/e58147ba14c6d9f66557702492f68357a5ca96a9/68747470733a2f2f74777269676874736f6e2e66696c65732e776f726470726573732e636f6d2f323031322f30312f63702d74696c65732e6a7067" style="height: 232px; width: 620px;" /></P></BODY></HTML> Thu, 30 Jul 2015 18:42:31 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-prelogon-using-non-cached-ad-account/m-p/45367#M33345 Remo 2015-07-30T18:42:31Z