topic Re: GlobalProtect with machine cert in General Topics

GlobalProtect with machine cert

ce1028 — Fri, 10 Apr 2020 16:07:45 GMT

Hi,

I'm having a challenge with GlobalProtect when trying to do ldap authentication with a machine cert (from internal MS pki). I've tried both the computer and workstation authentication template, but neither worked. GlobalProtect states certificate is missing. I'm not doing pre-logon, I have GP set to always on. In GP portal app setting, I have the client certificate store check set to machine. Is this not supported or am I missing something else?

As a test, i deployed a user certificate from the same MS pki, set GP client store to be user and that works as expected

Re: GlobalProtect with machine cert

Mick_Ball — Fri, 10 Apr 2020 16:45:22 GMT

Certificates in the machine store does work, perhaps its the type of certificate you are using,. You say you have a user cert that works in the user store, try importing this to the machine personal store and see what happens.

also... import the machine cert to the user store to see if it accepted. If not then probably wrong type of cert.

Re: GlobalProtect with machine cert

ce1028 — Fri, 10 Apr 2020 17:50:00 GMT

@Mick_Ball

Thanks for the reply. I'm not sure its the type of cert that I'm using, as both templates that I have tried are computer certs.

I can try moving the user cert to computer store, but not really going to help me determine what the problem is

Re: GlobalProtect with machine cert

Mick_Ball — Fri, 10 Apr 2020 18:10:19 GMT

There is a difference in windows world between machine certs and user certs.

We use user certs for GP and computer certs for network access control on our lan switches.

the computer cert cannot be used for GP auth.

so if you move the user cert into the computer store this will prove my limited theory.

i think the app setting means look in both places rather than user or machine actual cert.

Re: GlobalProtect with machine cert

ce1028 — Fri, 10 Apr 2020 20:07:40 GMT

@Mick_Ball ah thanks. That would explain it, but also would be useless for me. I'm trying to use computer certs that way regardless of user, the machine would have a cert.

Windows won't put a user cert in the computer store on its own, but I will definitely try your suggestion to see. Thanks!

Re: GlobalProtect with machine cert

Mick_Ball — Sat, 11 Apr 2020 07:28:24 GMT

Yes I only suggest putting the user cert into the computer store to just make sure all of your GP stuff is set and working correctly.

if this proves successful then start looking at the difference between user and computer certs.

I'm sure that the default AD template for machine certs do not populate the subject field and although you can set your Palo certificate profile "Username" field to "None" I don't think GP will validate a certificate without the subject field populated.

Re: GlobalProtect with machine cert

ce1028 — Sun, 12 Apr 2020 01:38:25 GMT

@Mick_Ball

Edited my post. I was able to get it to work. It was a configuration issue in my lab. I set the computer template to include a subject and worked like a charm.