<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic GlobalProtect reports Machine Certificate (null) but it isn't... in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-reports-machine-certificate-null-but-it-isn-t/m-p/282324#M76081</link>
    <description>&lt;P&gt;Hey all,&lt;/P&gt;&lt;P&gt;Recently upgraded to PAN-OS v9.0.3 and GlobalProtect is no longer working for some.&amp;nbsp; Error messages in the system logs are showing GlobalProtect portal client configuration failed...&amp;nbsp; Machine Certificate CN: (null) for those that fail but also Machine Certificate CN: (just a blank here) for those that are successful.&amp;nbsp; This is intermittent and is affecting roughly 25% of our corporate users.&lt;/P&gt;&lt;P&gt;I'm guessing "Machine Certificate" is a general term PA uses since there is no mention in the system logs of a "Client or User Certificate".&amp;nbsp; We employ user certificates, not machine certificates.&amp;nbsp; We have our portal configured to use User Certificates.&amp;nbsp; We also have our Gateway and Portal configured to "Allow Authentication with user credentials OR Client Certificate".&amp;nbsp; This only works IF we delete the client certificate on the endpoint, then they are able to log in using only credentials.&amp;nbsp; If we leave it in the OR position it seems to ignore the or and automatically fail with user credentials alone.&lt;/P&gt;&lt;P&gt;Our certificate profile is set up to use the Subject Alt. Name / Principal Name for the username, which matches what's contained within the certificate which matches LDAP / AD.&lt;/P&gt;&lt;P&gt;We do have a case open with Palo Alto.&amp;nbsp; 1st response was that the CN can no longer be null - our logs say different, and the 2nd response was to try an older GP Agent, which we're in the process of.&lt;/P&gt;&lt;P&gt;We've tried deleting the certificate on the failing client machines and re-issuing them - this doesn't work.&lt;/P&gt;&lt;P&gt;A couple of our clients that were originally experiencing issues magically started working.&lt;/P&gt;&lt;P&gt;Just wondering if anyone else has encountered something similar and / or has any suggestions.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;cfowler&lt;/P&gt;</description>
    <pubDate>Mon, 12 Aug 2019 20:27:16 GMT</pubDate>
    <dc:creator>cafowler</dc:creator>
    <dc:date>2019-08-12T20:27:16Z</dc:date>
    <item>
      <title>GlobalProtect reports Machine Certificate (null) but it isn't...</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-reports-machine-certificate-null-but-it-isn-t/m-p/282324#M76081</link>
      <description>&lt;P&gt;Hey all,&lt;/P&gt;&lt;P&gt;Recently upgraded to PAN-OS v9.0.3 and GlobalProtect is no longer working for some.&amp;nbsp; Error messages in the system logs are showing GlobalProtect portal client configuration failed...&amp;nbsp; Machine Certificate CN: (null) for those that fail but also Machine Certificate CN: (just a blank here) for those that are successful.&amp;nbsp; This is intermittent and is affecting roughly 25% of our corporate users.&lt;/P&gt;&lt;P&gt;I'm guessing "Machine Certificate" is a general term PA uses since there is no mention in the system logs of a "Client or User Certificate".&amp;nbsp; We employ user certificates, not machine certificates.&amp;nbsp; We have our portal configured to use User Certificates.&amp;nbsp; We also have our Gateway and Portal configured to "Allow Authentication with user credentials OR Client Certificate".&amp;nbsp; This only works IF we delete the client certificate on the endpoint, then they are able to log in using only credentials.&amp;nbsp; If we leave it in the OR position it seems to ignore the or and automatically fail with user credentials alone.&lt;/P&gt;&lt;P&gt;Our certificate profile is set up to use the Subject Alt. Name / Principal Name for the username, which matches what's contained within the certificate which matches LDAP / AD.&lt;/P&gt;&lt;P&gt;We do have a case open with Palo Alto.&amp;nbsp; 1st response was that the CN can no longer be null - our logs say different, and the 2nd response was to try an older GP Agent, which we're in the process of.&lt;/P&gt;&lt;P&gt;We've tried deleting the certificate on the failing client machines and re-issuing them - this doesn't work.&lt;/P&gt;&lt;P&gt;A couple of our clients that were originally experiencing issues magically started working.&lt;/P&gt;&lt;P&gt;Just wondering if anyone else has encountered something similar and / or has any suggestions.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;cfowler&lt;/P&gt;</description>
      <pubDate>Mon, 12 Aug 2019 20:27:16 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-reports-machine-certificate-null-but-it-isn-t/m-p/282324#M76081</guid>
      <dc:creator>cafowler</dc:creator>
      <dc:date>2019-08-12T20:27:16Z</dc:date>
    </item>
    <item>
      <title>Re: GlobalProtect reports Machine Certificate (null) but it isn't...</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-reports-machine-certificate-null-but-it-isn-t/m-p/282451#M76091</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/4129"&gt;@cafowler&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;There are a number of known GP bugs in 9.0 code yet, so the fact that you are running into issues is not surprising. I would recommend logging a ticket with TAC so they can pull the logs and get it to the proper groups to get it fixed.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;FYI:&lt;/P&gt;&lt;P&gt;9.0 is not yet a recommended release, and short of needing a feature present within 9.0 I would not yet have installed this in a production environment.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 13 Aug 2019 10:22:11 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-reports-machine-certificate-null-but-it-isn-t/m-p/282451#M76091</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2019-08-13T10:22:11Z</dc:date>
    </item>
  </channel>
</rss>

