topic Re: GlobalProtect Portal - No certificate profile configured, but prompt for certificate in General Topics

GlobalProtect Portal - No certificate profile configured, but prompt for certificate

Chacko42 — Fri, 07 Jun 2019 08:13:18 GMT

Hi Community,

I got a strange problem and want to hear, if someone got the same.

We got a Panorama managed PA-3220 PAN-OS 8.1.7 with GlobalProtect portal, external gateway (which share the same IP) and an internal gateway.

The external gateway got a certificate profile defined, the portal not.

If I open the Webpage, the Portal prompts for a certificate - the same does the GP-client (4.1.12).

I cannot find any issues in the KB or release notes.
A colleague of mine experienced a similar issue and deleted the portal & gateways and configured that new - then it worked.

The configuration looks good (checked with AutoAssistant and XML-configs).

Looking forward to your feedback.

Best Regards

Chacko

Re: GlobalProtect Portal - No certificate profile configured, but prompt for certificate

S.Cantwell — Fri, 07 Jun 2019 14:22:46 GMT

Well, as a 7 year instructor, the requirement (not recommendation) is that the portal NEEDS to have a certificate (preferably publically signed).

The field below (in yellow) is a REQURED field. Not sure how you are programing a portal without a certificate profile.

It should be the same SSL/TLS profile that is being used by the Gateway.

Before you can configure the GlobalProtect portal, you must complete the following tasks:

Create the interfaces (and zones) for the firewall interface where you plan to configure the portal. See Create Interfaces and Zones for GlobalProtect.
Set up the portal server certificate, gateway server certificate, SSL/TLS service profiles, and, optionally, any client certificates to deploy to end users to enable SSL/TLS connections for the GlobalProtect™ services. See Enable SSL Between GlobalProtect Components.
Define the optional authentication profiles and certificate profiles that the portal can use to authenticate GlobalProtect users. See Authentication.
Configure a GlobalProtect Gateway and understand Gateway Priority in a Multiple Gateway Configuration.

Please feel free to respond back to better clarify what you are trying to do.

Re: GlobalProtect Portal - No certificate profile configured, but prompt for certificate

Chacko42 — Fri, 07 Jun 2019 14:57:53 GMT

@S.Cantwell: I agree, but I really mean the certificate profile, not the tls service profile.

Re: GlobalProtect Portal - No certificate profile configured, but prompt for certificate

S.Cantwell — Fri, 07 Jun 2019 16:20:24 GMT

Howdy again!

I think we (who are reading these messages) are getting just superficial info. We need more details about your configuration setup. I am an instructor who teaches and does PS for my company, so I am pretty familiar with the setup.

Is this a new configuration, or something broke?

Are you doing client certificates for authentication? This would be one reason why a request for a cert (probably machine cert would be requested. Do you have "on-demand" or (always-on) in your configuration for your user.

Thanks.

Re: GlobalProtect Portal - No certificate profile configured, but prompt for certificate

Chacko42 — Fri, 07 Jun 2019 16:34:31 GMT

@S.Cantwell:

It's a new installation.
public portal requires an authentication sequence (primary kerberos, secondary ldap) and got two configs:
1st config is user logon (always on) for only a ldap group "vpn-users" and deploys the internal gateway for SSO and the external gateway. 2nd is user logon (always on) for everyone else, which deploys only the internal gateway for user id information.

The external gateway requires a user certificate and ldap for authentication.
The internal gateway got an auth sequence (primary kerberos, secondary ldap).

This setup is my default and works fine with several customers, so I'm confused, why the portal is prompting for a certificate, because no certificate profile is required for the portal.

I already opened up a case with TAC, but I'm interested in this now, and want to understand the issue and find a solution.

AutoAssitant does not see any issues regarding configuration.

Two strange bevahiors:
1. clients get promptet for user cert when accessing portal (doesn't matter if web-portal or GP client).

2. After connecting to portal, the FW logs a failed kerberos auth for user '' but, there is no Kerberos traffic sent from the client. The GP client logs match this and show a failed authentication for ___empty-user____

Everything except for Kerberos SSO (the reason I raised the TAC case) with credential provider worked fine, the both issues occured first, after changing the Kerberos config.

I noticed, that we use two SPNs, but had only one Auth-Profile for Kerberos - I missed to export a second keytab with the 2nd SPN.

AD looks fine, both SPNs are matched to the Palo service user, and the keytabs are looking good and where imported succesfully to the config.
1st auth profile Kerb-Ext-GW shows SPN "vpn.company.com" in keytab while 2nd auth profile Kerb-Int-GW shows SPN "gpgw.internal.local" as SPN

Already rebooted the firewalls and reinstalled the GP clients, but the behavior is persistent

Re: GlobalProtect Portal - No certificate profile configured, but prompt for certificate

soalridiudine — Thu, 16 Sep 2021 15:00:03 GMT

I am having the same problem but actually originated in different way.

I enabled and disabled the function (for testing purpouses) several times until, even if "Certificate Profile" is set no none, it still requires some undetermined sertificate from the VPN clients. I am forced now to leave it on to let people connect.

Luckily, it happened 3 days before the live of the feature.

In means though that I cannot disable the request for client certificates if I need to. I don't like it at all...