topic Re: GlobalProtect Client Certificate not Found in General Topics

GlobalProtect Client Certificate not Found

LukeBullimore — Thu, 14 Mar 2019 11:38:05 GMT

Hi All,

I am trying to demo pre-logon and am really struggling with the client certificate authentication side of things.

I've generated a Root CA on the firewall which has been imported into the Personal and Trusted Root Stores of the machine.

The portal is set to use this certificate via a certificate profile which has been configured.

Connect method has been set to pre-logon always on.

When I attempt to access the VPN on the desktop, I get the message "Required client certificate not found". Despite the fact that the cert specified in the certificate profile is in all the right certificate stores.

Help! (GP Version 4.1.8)

Cheers,

Luke.

Re: GlobalProtect Client Certificate not Found

Mick_Ball — Thu, 14 Mar 2019 14:27:14 GMT

not sure about pre logon stuff but for my certificate auth i created a root CA on the Palo, i then genereated another certificate for a user that was signed by that CA.

I then exported the user cert in pks12 format and imported that cert into the computer or user personal store.

the original CA is in the cert profile listed under portal and gateway auth.

you will also need to ensure the GP portal app allows bot user and comp store.

Re: GlobalProtect Client Certificate not Found

LukeBullimore — Thu, 14 Mar 2019 14:34:20 GMT

Hey @Mick_Ball

I've just tried this and unfortunately, I still get the same result. Was your user cert marked as a CA? Mine currently isn't.

Any other suggestions?

Thanks,

Luke.

Re: GlobalProtect Client Certificate not Found

xen-pv — Thu, 14 Mar 2019 14:47:08 GMT

Hi,

Did you create a Root CA, Intermediate CA and Machine Cert so the whole certificatechain is complete?

Root and Intermediate needs to be marked as CA.

If so you should be able to export the Machine Certificate as PKCS as MickBall mentioned and import it to your local certificate (computer)store.

Section B in the below link should help you wuth all the steps for certificate authentication.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFoCAK

Did you do any specific settings in the Certificate Profile? Ive seen some strange issues if some of the boxes are marked.

/PV

Re: GlobalProtect Client Certificate not Found

Mick_Ball — Thu, 14 Mar 2019 14:54:12 GMT

no, my users certs are not CA they just show the CA as the issuer.

ok why dont you go back a step and forget the pre logon stuff and firstly just get the cert auth to work without pre logon.

the other info coming in fro @xen-pv may be more helpful for pre logon as we do not actually use it,

Re: GlobalProtect Client Certificate not Found

Mick_Ball — Thu, 14 Mar 2019 15:00:42 GMT

sorry i meant to say go back a step just to test your cert auth, once you've got that sussed then add pre-logon.

Re: GlobalProtect Client Certificate not Found

LukeBullimore — Thu, 14 Mar 2019 15:50:05 GMT

Hi @Mick_Ball

I disabled prelogon and still get the same result.

@xen-pv

I just tried with the full chain and the still result. Self-signed root and intermediate on the firewall, both specified in the cert profile.

Generated a primary cert signed by the intermediate, exported to the client and stored in personal and trusted root and still get "Required client certificate not found"

Am I doing something wrong?

Thanks,

Luke.

Re: GlobalProtect Client Certificate not Found

Mick_Ball — Thu, 14 Mar 2019 15:56:49 GMT

do you get the same error when you browse https to the portal address

Re: GlobalProtect Client Certificate not Found

LukeBullimore — Thu, 14 Mar 2019 16:12:57 GMT

Hey @Mick_Ball

I do, yes.

Re: GlobalProtect Client Certificate not Found

Mick_Ball — Thu, 14 Mar 2019 16:37:03 GMT

could you check the client machine cert to ensure it has something in the subject field.

Re: GlobalProtect Client Certificate not Found

Mick_Ball — Thu, 14 Mar 2019 16:40:32 GMT

also lokk in IE under options/content/certificates just to make sure you can see this cert if you import to the users personal store.

Re: GlobalProtect Client Certificate not Found

Mick_Ball — Mon, 18 Mar 2019 11:15:16 GMT

@LukeBullimore , did you manage to sort this out...

the reason i ask is that i too am having issues with cert auth on V8 whereas i had no issues on V7.

i cannot get basic cert auth working, never mind the pre-logon stuff...

Re: GlobalProtect Client Certificate not Found

LukeBullimore — Mon, 18 Mar 2019 11:25:43 GMT

Hey @Mick_Ball

I cannot get this to work either, basic cert auth.

I even had a scenario with a proper PKI setup and even then it wasn't working. There must be something I'm missing here!

Re: GlobalProtect Client Certificate not Found

xen-pv — Mon, 18 Mar 2019 12:14:57 GMT

Hey @LukeBullimore

Been away for abit..

I have set up a working solution in 8.0 and 8.1 with only certificates. Also used certificates from an internal PKI, but that should not matter if you have exported the certificates to your client in the correct way.

How is your certificate-profile setup?

Is the UserName-filed set to subject-alt and Principal Name?

You could try to set it up with simple logon with local-accounts to starts with. When you have verified that you can connect to both Portal and Gateway you can go ahead and change the authentication on the Portal to only the certificate-profile. When that is in place you can also verify that pre-logon is working.

/xen-pv

Re: GlobalProtect Client Certificate not Found

Mick_Ball — Mon, 18 Mar 2019 13:37:30 GMT

@xen-pv , Hi.

I am also having the same issue, i just need cert auth for portal only.

I have it configured on 7.1.15 for GlobalProtect using both PKI for windows users and Self Signed for IPad users.

I am doing exactly the same process on 8.0.10 but cert auth is failing, @LukeBullimore seems to be having a similar issue so I'm also sure i've missed something simple....

I have generated a self cert, as a CA.

I have then generated a user cert signed by the above and entered a CN.

i have exported/imported as PKCS12 onto my laptop user store.

I have a cert profile set to subject common-name and added this profile to my portal auth page...

this is a replication of what I have done on 7.1x so completely stumped.....

thanks in advance

Re: GlobalProtect Client Certificate not Found

xen-pv — Mon, 18 Mar 2019 14:08:33 GMT

@Mick_Ball If you are only using the certificate-profile on the portal - set Username-field to "None" and only add the root-certificate to the profile.

UserName-field is only needed if you are authenticating to the gateway with a certificate as well. Subject us pulled from the certificate and is used as the "Username".

I am normally setting it up with certificate-profile on the Portal and LDAP with SSO on the gateway witch do not require that any information is pulled from the certificate.

As ive set up the certificates:

1. Imported Root CA and marked it as "Trusted"'

2. Imported Intermediate CA that is signed by the Root CA

3. Made sure client has a machinecertificate (In Personal Computer store) that is signed by the Intermediate CA

4. Made sure the client has the Root CA & Intermediate in the local certificatestore

5. Create Certificate Profile, set the Username-Field to None, add the Root CA

6. Add the Certificate Profile to the Portal and commit

I have not set it up on 7.1 before, so not sure what the difference could be.

Re: GlobalProtect Client Certificate not Found

Mick_Ball — Tue, 19 Mar 2019 09:12:32 GMT

@xen-pv , Hi, thanks for the info..

i think we need to go back a step here as I seem to have jumped into @LukeBullimore's call.

he logged a call regarding pre-logon, i suggested he just tried to get basic auth working first with certificates and he was unable to do this, i also tried to do this from scratch to explain exactly how I did it but it also failed for me yet I have been using it for many years on Windows (cert only) and IPad (cert and ldap).

so, i am not using it for pre-logon and i do need the subject set in the cert profile as this CN determines which portal app config they get..

so to test, as i always have done is to just browse to the portal.

on my V7.x all is OK but on my 8.0 and above it fails so I am deffo missing something obvious.

thanks again for your time and sorry for the confusion...

Re: GlobalProtect Client Certificate not Found

Mick_Ball — Tue, 19 Mar 2019 11:24:28 GMT

OK it seems that I had the same CN in my forward trust as i had in my trusted root CA for client certs, not sure why this would cause an auth fail as i clearly stated the trusted root CA in my cert profile.

I created a new root CA with a different CN ( a secondary ip interface) and all certs work for both portals and gateways.

@LukeBullimore , not sure how your getting on but will be happy to post step by step config for cert auth if required, cant help with pre-logon as don't use it.

Laters...

Re: GlobalProtect Client Certificate not Found

LukeBullimore — Tue, 19 Mar 2019 13:58:23 GMT

Hey Mick,

I actually was doing the same thing with ForwardTrust and that mine would be fixed as with yours but unfortunately not.

I have:

Self signed Root and Intermediate Certificate on FW which are added to cert profile

Certificate signed by intermediate imported onto client machine in Personal and Trusted Root stores

Still get the client certificate not found, what am I doing wrong!!

Re: GlobalProtect Client Certificate not Found

Mick_Ball — Tue, 19 Mar 2019 14:02:39 GMT

Luke, Hi.

firstly mine is signed by the root, i dont have an intermediate, never needed it...

secondly.. are you exporting client cert with PKCS12 format