topic Re: GlobalProtect - PW Prompt when LDAP Auth is down. in General Topics

GlobalProtect - PW Prompt when LDAP Auth is down.

mmclimans — Tue, 20 Oct 2015 19:44:22 GMT

Hi all,

I tried support on this, didn't get much help. I am using PANOS 7.0 and GlobalProtect 2.2.1

I have a couple hundred GlobalProtect clients using Windows. I am using pre-logon (always on) with LDAP authentication. The goal is to have the GlobalProtect clients to stay connected to the gateway at all times, or keep trying to connect until a gateway becomes available.

The boxes auto-connect and auto-reconnect on their own 95% of the time. However, in an event where the LDAP servers go down (i.e. maintenance or interruption), the user is prompted for a password even though pre-logon is being used and the user has selected "Remember me" within the client. Please note, I am using certificates for pre-logon, but I can not use SSO.

I have included a screenshot of the issue. ANY HELP is appreciated.

Client config

Error on client:

Re: GlobalProtect - PW Prompt when LDAP Auth is down.

pankaku — Tue, 20 Oct 2015 22:12:22 GMT

If the LDAP server is down then how the firewall will authenticate. As the LDAP is down so authentication fails so firewall is asking for credentials again.

Re: GlobalProtect - PW Prompt when LDAP Auth is down.

OtakarKlier — Tue, 20 Oct 2015 22:54:45 GMT

How about setting up multiple ldap servers for redundancy? This way you can reboot one or more and still retain functinality.

Re: GlobalProtect - PW Prompt when LDAP Auth is down.

mmclimans — Wed, 21 Oct 2015 03:13:19 GMT

I am not sure if I understand what you mean by the firewall authenticating. If you are referring to the admin login for the firewall that uses local authentication, not LDAP.

What I am striving for is a truely "always on" solution. In my view, when pre-logon says "always on" it should never ask the clients for credentials when the authentication server is down.

Re: GlobalProtect - PW Prompt when LDAP Auth is down.

mmclimans — Wed, 21 Oct 2015 03:15:58 GMT

Thanks for the reply. I appreciate the recommendation. We currently have two LDAP servers. We have seen a couple of situations where the communication between the LDAP server and the clients becomes interrupted for one reason or another.

I am wondering if there is some sort of registry setting for the Windows GP clients... something to supress the prompt?

Re: GlobalProtect - PW Prompt when LDAP Auth is down.

reaper — Wed, 21 Oct 2015 07:14:17 GMT

pre-logon vpn is a partial vpn that would allow a user to load logon scripts etc while the workstation boots into normal operational mode. This access is granted with a decreased level of authentication.

Once the logon sequence completes the user will always be required to 'make himself known' by authenticating. the pre-logon vpn mode cannot be used while in normal windows 'desktop' mode.

To get around this you could try using an authentication sequence in the gateway configuration' authentication (instead of a single ldap profile) where two ldap profiles provide redundancy

Re: GlobalProtect - PW Prompt when LDAP Auth is down.

mmclimans — Wed, 21 Oct 2015 13:41:22 GMT

That makes sense. I am wondering though why the client prompts for a password even though the client has checked off "remember me."

Re: GlobalProtect - PW Prompt when LDAP Auth is down.

reaper — Wed, 21 Oct 2015 14:38:13 GMT

that may require a little more troubleshooting, you'll first want to figure out what is happening to the ldap exactly.

you could set up an wireshark on the ldap server or run a tcpdump on the firewall while testing a failed connection like this. maybe the ldap does respond to the authentication but in an unexpected way, making the Gateway reprompt the user for credentials because it thinks the authentication failed.

the user/pass prompt would typically appear if something like that happens or if the password is changed or expired. GP debug log may help shed some light on this as well

Re: GlobalProtect - PW Prompt when LDAP Auth is down.

mmclimans — Tue, 27 Oct 2015 13:53:56 GMT

I've opened this as a case with Palo Alto. I will post my findings.

Re: GlobalProtect - PW Prompt when LDAP Auth is down.

markk96 — Wed, 28 Oct 2015 19:44:06 GMT

I point my ldap server at the root domain and not a single server, so it is setup as ldap server : corp.firm.local and it works without problems, the client querys whatever domain controller it can find.