https://live.paloaltonetworks.com/t5/general-topics/always-on-global-protect-and-file-share-access/m-p/405402#M92000 <P>I now have GP connected automatically with a certificate pushed out via InTune. This is on a Surface Laptop running Win 10. I typically log in with face recognition. After I log on and notice that I have TCP/IP access through the GP connection and internal DNS is working - I am trying to then go to a file share. \\whatever\sys$\whichever say. I am then prompted for my credentials and a note is there "The system cannont contact a domain controller to service the authentication request." I have no thought why it can't find the DC. To work around this click "Use a different account" and enter my work email and password.This is the same email as the one associated with my face recognition. But after I login through using this "Other User" I then have access to the file share. I checked cmd/set user and that looks the same before my "Other User" login as after. Any ideas appreciated!</P> Fri, 07 May 2021 05:50:13 GMT MichaelMedwid 2021-05-07T05:50:13Z https://live.paloaltonetworks.com/t5/general-topics/always-on-global-protect-and-file-share-access/m-p/405402#M92000 <P>I now have GP connected automatically with a certificate pushed out via InTune. This is on a Surface Laptop running Win 10. I typically log in with face recognition. After I log on and notice that I have TCP/IP access through the GP connection and internal DNS is working - I am trying to then go to a file share. \\whatever\sys$\whichever say. I am then prompted for my credentials and a note is there "The system cannont contact a domain controller to service the authentication request." I have no thought why it can't find the DC. To work around this click "Use a different account" and enter my work email and password.This is the same email as the one associated with my face recognition. But after I login through using this "Other User" I then have access to the file share. I checked cmd/set user and that looks the same before my "Other User" login as after. Any ideas appreciated!</P> Fri, 07 May 2021 05:50:13 GMT https://live.paloaltonetworks.com/t5/general-topics/always-on-global-protect-and-file-share-access/m-p/405402#M92000 MichaelMedwid 2021-05-07T05:50:13Z https://live.paloaltonetworks.com/t5/general-topics/always-on-global-protect-and-file-share-access/m-p/405452#M92009 <P>biometric logon doesn't pass along SSO credentials, it simply allows you access to the desktop, which could be an issue for GP</P><P>&nbsp;</P><P>check out this article:&nbsp;<A href="https://docs.paloaltonetworks.com/globalprotect/5-1/globalprotect-app-new-features/new-features-released-in-gp-app/biometric-sign-in-support.html" target="_blank">Biometric Sign-In Support (paloaltonetworks.com)</A></P> Fri, 07 May 2021 10:49:01 GMT https://live.paloaltonetworks.com/t5/general-topics/always-on-global-protect-and-file-share-access/m-p/405452#M92009 reaper 2021-05-07T10:49:01Z https://live.paloaltonetworks.com/t5/general-topics/always-on-global-protect-and-file-share-access/m-p/405480#M92016 <P>That was it. Thank you!</P> Fri, 07 May 2021 13:33:11 GMT https://live.paloaltonetworks.com/t5/general-topics/always-on-global-protect-and-file-share-access/m-p/405480#M92016 MichaelMedwid 2021-05-07T13:33:11Z https://live.paloaltonetworks.com/t5/general-topics/always-on-global-protect-and-file-share-access/m-p/407135#M92205 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a>&nbsp;</P> <P>Actually we use SAML to explicitly enable single sign on for the users. Yes, this is not integrated functionality of global protect, but it does the job perfectly well. With this it is possible to use biometric logon (Windows Hello) and with SAML to an ADFS server or Azure AD it is possible to have single sign on there for the users. And we use this also with pre-logon (Just because in the linked article in the table it shows it works only with on-demand connections and SAML is not supported)</P> Sun, 16 May 2021 17:25:23 GMT https://live.paloaltonetworks.com/t5/general-topics/always-on-global-protect-and-file-share-access/m-p/407135#M92205 Remo 2021-05-16T17:25:23Z https://live.paloaltonetworks.com/t5/general-topics/always-on-global-protect-and-file-share-access/m-p/407137#M92207 <P>Ooh! Do you have that documented anywhere? My org's windows guys are eager to implement WH but GP is a showstopper right now.&nbsp;</P> Sun, 16 May 2021 18:15:31 GMT https://live.paloaltonetworks.com/t5/general-topics/always-on-global-protect-and-file-share-access/m-p/407137#M92207 reaper 2021-05-16T18:15:31Z https://live.paloaltonetworks.com/t5/general-topics/always-on-global-protect-and-file-share-access/m-p/407139#M92209 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a>&nbsp;not yet ... maybe this would be an idea for an article that I could create <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <P>PS: With this solution it is not possible to use the global protect login option on w10 ... just in case this wasn't clear already</P> Sun, 16 May 2021 22:27:04 GMT https://live.paloaltonetworks.com/t5/general-topics/always-on-global-protect-and-file-share-access/m-p/407139#M92209 Remo 2021-05-16T22:27:04Z