topic Re: How to connect users to their domain via GlobalProtect in General Topics

How to connect users to their domain via GlobalProtect

FarzanaMustafa — Fri, 11 Dec 2020 03:45:02 GMT

Hello,

We need a solution to join the users first to their Domain via Global Protect and after that client MUST be able to reset/change their password.

We were thinking of using Pre-logon, however, this requires machine certificate and customer is not willing to spend anything on this.

Is there a way to implement the request? Kindly provide some KBs as well.

Thanks in advance.

Re: How to connect users to their domain via GlobalProtect

BPry — Fri, 11 Dec 2020 04:13:30 GMT

@FarzanaMustafa,

The actual computers will already be joined to the domain correct? I'm assuming that the answer to this is yes, because otherwise this really isn't going to work regardless of what you do.

If they aren't willing to pay for the time needed to do a proper pre-logon configuration, you could always use the new GlobalProtect 5.2 agent and Connect Before Logon (CBL). Essentially this acts the same as the old SBL configuration with AnyConnect if you are familiar with that. It allows a user to manually initiate a VPN connection connection prior to logging into the system. That sounds like it would meet all of your requirements you listed.

https://docs.paloaltonetworks.com/globalprotect/10-0/globalprotect-admin/globalprotect-apps/deploy-app-settings-transparently/deploy-app-settings-to-windows-endpoints/deploy-connect-before-logon-settings-in-the-windows-registry.html

Re: How to connect users to their domain via GlobalProtect

upelister — Sat, 12 Dec 2020 08:37:08 GMT

Hello,

- IF computers are already joined to the domain, cookie authentication can be used with "pre-log on (allways on)" feature without using client certificate.

- This config must be used alongside other authentication mechanisms like "LDAP". In order to client receives the cookie.

With this config A cookie will be generated by firewall and sent to client profile folder under "%LocalAppdata%/Palo Alto Networks\GlobalProtect\" with <somenumerbers>.dat file.

-So within the cookie lifetime client can be connect to gateway as pre-log on state and the can change their password.

I used this articale;

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boODCAY

Have a nice day.

Re: How to connect users to their domain via GlobalProtect

135267895 — Sat, 12 Dec 2020 12:01:43 GMT

Hi I have trouble creating my account please help

Re: How to connect users to their domain via GlobalProtect

S.Cantwell — Sat, 12 Dec 2020 16:17:53 GMT

Hello @FarzanaMustafa

If the user is part of a Windows Domain network, the machine is cert is FREE. It should be deployed to the user PRIOR to even having GP on the computer. Once a machine cert, signed by the ECA (enterprise CA), then the user can do auth with a machine cert. No cost involved.

Re: How to connect users to their domain via GlobalProtect

jdelio — Mon, 14 Dec 2020 22:14:59 GMT

@135267895
Which account? looks like you are logged into this LIVE account and posting a message.

Re: How to connect users to their domain via GlobalProtect

135267895 — Fri, 18 Dec 2020 04:54:27 GMT

Yes but when i want to create account it says contact support what can I do I'm lost