https://live.paloaltonetworks.com/t5/general-topics/globalprotect-with-certificate-profle/m-p/229853#M66092 <P>Do you have a Username Field specified in your Certificate Profile?</P><P>&nbsp;</P><P>If you do, the Username field in the GP Client should be locked and you would need to use UserB's password to log in.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 06 Sep 2018 23:54:09 GMT asilliker 2018-09-06T23:54:09Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-with-certificate-profle/m-p/229838#M66087 <P>I have configured GlobalProtect to use Authentication Profile using LDAP (sAMAccountName) and a Certificate profile.</P><P>&nbsp;</P><P>I have user certificates pushed through Group Policy.&nbsp; The configuration works. However, I noticed a few things</P><P>&nbsp;</P><P>1) If I login as UserA and delete the certificate from UserA's personal store, VPN will not connect&nbsp; (this is expected)</P><P>2) If I login as UserA, delete UsersA certificate and import UserB's cerificate, VPN connects!&nbsp; (this is unexpected)</P><P>&nbsp;</P><P>The easy and obvious solution is don't allow export of certificates. I feel there should be a way to prevent this scenario from connecting, but haven't been able to figure it out.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 06 Sep 2018 21:31:44 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-with-certificate-profle/m-p/229838#M66087 ce1028 2018-09-06T21:31:44Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-with-certificate-profle/m-p/229853#M66092 <P>Do you have a Username Field specified in your Certificate Profile?</P><P>&nbsp;</P><P>If you do, the Username field in the GP Client should be locked and you would need to use UserB's password to log in.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 06 Sep 2018 23:54:09 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-with-certificate-profle/m-p/229853#M66092 asilliker 2018-09-06T23:54:09Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-with-certificate-profle/m-p/229867#M66098 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/14490">@asilliker</a>I tried setting the username field in the certificate profile to Subject Alt, It surely fixes the username issue, as it will cause the username to be username@mydomain.com and is greyed out. The problem is it will never accept the user's password, even if it's the right username/password combo.</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 07 Sep 2018 01:11:28 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-with-certificate-profle/m-p/229867#M66098 ce1028 2018-09-07T01:11:28Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-with-certificate-profle/m-p/229868#M66099 <P>duh me.&nbsp;I figured it out, my authenticaiton profile needed to be changed from sAMAccountName to userPrincipalName</P> Fri, 07 Sep 2018 01:24:07 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-with-certificate-profle/m-p/229868#M66099 ce1028 2018-09-07T01:24:07Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-with-certificate-profle/m-p/230935#M66324 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/71649">@ce1028</a>&nbsp;I am interested in getting the User certificate configured as well. Did you configure the user certificate yourself or was it done previously by someone else. Just curious if you have tips or a good reference guide to setup the user certificate correctly. I've only been able to setup device certificates with ADCS but I keep getting impersonation errors when trying to deploy user certificates. Any guide or reference point would be much appreciated.</P> Fri, 14 Sep 2018 22:00:21 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-with-certificate-profle/m-p/230935#M66324 harevalo_eog 2018-09-14T22:00:21Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-with-certificate-profle/m-p/231373#M66431 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/94987">@harevalo_eog</a>&nbsp;Yes, I did, it's been&nbsp;a long time since I've touched certificate services.&nbsp; See if this video helps you, at least from the ADCS side</P><P>&nbsp;</P><P><A href="https://www.youtube.com/watch?v=S7IFp8cGOLs" target="_blank">https://www.youtube.com/watch?v=S7IFp8cGOLs</A></P><P>&nbsp;</P> Wed, 19 Sep 2018 01:23:39 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-with-certificate-profle/m-p/231373#M66431 ce1028 2018-09-19T01:23:39Z