GlobalProtect Certificate Prompt

mmclimans — Mon, 11 Apr 2016 13:04:58 GMT

My users using GlobalProtect on Windows are experiencing a very strange problem when they connect with GlobalProtect. I am stuck on this one, any tips, pointers, or possible solutions are much appreciated.

Usage:

Our GlobalProtect clients connect using pre-logon with certificates. We are not using SSO.

Problem:

Every once and a while, GlobalPrtect will throw a "certificate error" (see attached image of the error).

Notes:

When I check the Microsoft Certificate store, the certificate is installed correctly.
A reboot of the user's computer fixes the issue (certificate prompt does not come back)
Error happens among all the clients, completely at random (typically when they start-up their computer).

PAN-OS 7.0.3

GlobalProtect 2.2.1

Re: GlobalProtect Certificate Prompt

mmclimans — Mon, 13 Feb 2017 01:13:45 GMT

I thought I would circle back and answer this:

In Windows, if you are using self-signed certificates, I found that both the CA and machine/client certificate must be put in both the Computer and User certificate stores. I am not sure if this works for all variations of Windows, but it works in Win7, 8, and 10 from my testing.

On Windows machine, open MMC console.
File->Add/Remove Snap-ins...
Click "Certificates" and add the Computer Account certificate store.
Close out of Add/Remove Snap-ins...
Expand Computer Account store in MMC window.
1. Right click Personal->Import
  1. Import both the CA and the machine/client certificate individually.
2. Right click Trusted Root Certificates->Import
  1. Import both the CA and the machine/client certificate individually.
Do steps 1-5 again, except select "My User Account" certificate store in Step 3.

topic Re: GlobalProtect Certificate Prompt in General Topics

GlobalProtect Certificate Prompt

Re: GlobalProtect Certificate Prompt