topic Re: Cannot install Machine Certificate for GP Pre-logon in General Topics

Cannot install Machine Certificate for GP Pre-logon

FarzanaMustafa — Thu, 25 Feb 2021 02:59:01 GMT

I encountered a problem installing the machine certificate.

I followed the article below:

https://live.paloaltonetworks.com/t5/news/globalprotect-pre-logon-authentication/ta-p/322237

We are using a self-signed root ca that is in the cert profile for auth, then generated the server cert and machine cert and signed them with the same root. Then export as pks12.

In the Certificate Profile, I changed the Username Field type from 'None' to 'Subj'.

Made sure I selected the Computer account (default is user account) and cert is in folder "Personal" there.

Tried the MS fix but no luck.

https://social.technet.microsoft.com/Forums/en-US/50bd9c7c-faaa-46e3-b9a4-a2bb885b180d/unable-to-import-certificate-p12-or-pfx-file?forum=winserver8gen

Please help!

Re: Cannot install Machine Certificate for GP Pre-logon

Mick_Ball — Thu, 25 Feb 2021 06:18:24 GMT

Hi @FarzanaMustafa .

have you tried to install the same certificate into the user personal store of the same device or into another device that is not controlled by group policy etc.

this will not fix the issue but you need to first discover if this is a problem with the certificate or the installation process.

has your root CA been used to generate other successful client auth certs?

Re: Cannot install Machine Certificate for GP Pre-logon

FarzanaMustafa — Wed, 03 Mar 2021 03:42:22 GMT

@Mick_Ball Thank you so much for your guidance.

The Gateway is now working. Any idea how to check evidence of client cert checks being performed? ie.

How can I validate if the user is authenticated with the pre-logon feature?

Re: Cannot install Machine Certificate for GP Pre-logon

Mick_Ball — Wed, 03 Mar 2021 13:01:22 GMT

check the gateway current users. add "pre" to the search, this is what you will se before the user connects.

you can also check the previous user tab with pre.

Re: Cannot install Machine Certificate for GP Pre-logon

FarzanaMustafa — Fri, 12 Mar 2021 05:32:58 GMT

Hi @Mick_Ball

Sorry for the delayed response and thank you once again for your great inputs.

When I'm logged out from the workstation the pre-logon user is not showing in the gateway. I can see it in the Previous User tab.

However, on the KB article of PA it says:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEYCA0

Could you please endorse my concern with the relevant PA Team?

Re: Cannot install Machine Certificate for GP Pre-logon

Mick_Ball — Fri, 12 Mar 2021 10:49:00 GMT

something seems to be wrong with your configuration as when I log off my workstation the existing (not previous) connection changes to pre-logon and reverts to my name when i log back in.

can you post exactly what you have in the gateway config...

Re: Cannot install Machine Certificate for GP Pre-logon

Mick_Ball — Fri, 12 Mar 2021 11:02:40 GMT

Re: Cannot install Machine Certificate for GP Pre-logon

FarzanaMustafa — Wed, 17 Mar 2021 00:23:55 GMT

Thank you so much for your guidance.

I checked the GP GW config and removed the cert from Certificate Profile. It worked!

May I ask what was the problem?

Re: Cannot install Machine Certificate for GP Pre-logon

Mick_Ball — Wed, 17 Mar 2021 09:28:57 GMT

I cannot really tell without seeing your complete setup but it may be that as you included the certificate in the profile, GP was seeing pre-logon as a separate user rather than just a pre-logon user.