topic Re: Global Protect "Single Sign on" with Windows Hello on Windows 10 in General Topics

Global Protect "Single Sign on" with Windows Hello on Windows 10

Remo — Sun, 21 May 2017 08:49:35 GMT

Hi everyone,

I have a situation as described in the title of this post. As you probably know Global Protect installs his own Credential Provider in Windows which has to be chosen by the user. It is also possible to force the Global Protect Credential Provider, but the point is, it has to be used in order to enable single sign on for the user.

This now breaks the whole thing when combined with Windows Hello (Iris Scan, Fingerprint), because Windows Hello has his own credential provider. So in a default Global Protect configuration with pre-logon enabled (certificate profile and LDAPs authentication profile), either Global Protect single sign on or Windows Hello is working as expected:
- log in with GP CP: VPN single sign on is working but not Windows Hello
- log in with WH CP: Windows Hello is working but the user has to enter his credentials manually to Global Protect

To get the comfort of both worlds I was now thinking of a setup with the following requirements:
- Global Protect ONLY authenticates with a certificate profile
- User-ID Agents check Active Directory Logins for the VPN IP range
- Firewall is configured to get the User-to-IP mappings from the User-ID agent
- Firewall allows access to the AD (for logging in), antivirusupdates, windows updates to the pro-logon user
- all subsequent firewallrules are created for actual users, so they become "active" as soon the user-to-ip-mapping is known by the firewall

I have already tested this solution and it works as expected. Users can log in simply by "looking at their laptops" and there is no need to bother for reentering the credentials or making sure that Global Protect is set as default Credential Provider.

My question now for you all is: Am I missing some security issues with not using an authentication profile and relying on the login event in active directory?

Regards,
Remo

Re: Global Protect "Single Sign on" with Windows Hello on Windows 10

nimark — Thu, 14 Sep 2017 16:00:59 GMT

Hi Remo,

Potential workaround may be relying on Kerberos SSO. Users can perform Windows Hello to authenticate to the device (and AD/Kerberos), and then use Kerberos SSO to authenticate to GP. Some details are mentioned in the last comment of this post:

https://live.paloaltonetworks.com/t5/SME-GlobalProtect-Discussions/Is-it-possible-to-use-Windows-10-quot-Windows-Hello-quot-for/m-p/124959/

Thanks,

Nikola M

Re: Global Protect "Single Sign on" with Windows Hello on Windows 10

junior_r — Fri, 27 Oct 2017 02:35:05 GMT

Hi,

What did you end up doing? What authentcation profile did you use ldap or radius? Can I use radius?

Thanks

Re: Global Protect "Single Sign on" with Windows Hello on Windows 10

MoAlawad — Wed, 17 Nov 2021 09:40:00 GMT

Hello Remo,

I found what you have configured is very interesting, could you please share how did you make all this configurations step by step with screenshot ?

Re: Global Protect "Single Sign on" with Windows Hello on Windows 10

Tom_Buscemi — Wed, 19 Jun 2024 17:38:20 GMT

Hello Remo,

Are you willing to share your configuration with us?

Regards,

Tom

Re: Global Protect "Single Sign on" with Windows Hello on Windows 10

Brandon_Wertz — Wed, 19 Jun 2024 18:09:17 GMT

@Tom_Buscemi wrote:

Hello Remo,

Are you willing to share your configuration with us?

Regards,

Tom

You're probably better off starting your own thread with a specific issue or question you might have. This thread being almost 7 years old there is a tremendous difference in functionality between the GP client and the Windows OS. Especially with Windows Hello For Business now existing and functioning differently than the legacy Windows Hello.