Global Protect client certificate auth Current User Vs Local Computer Store

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Global Protect client certificate auth Current User Vs Local Computer Store

L4 Transporter

Having some trouble with a generalized  single certificate (wanting to use as part of user/pass authentication)  across multiple machines.  Wanting to require this certificate be on a machine and the user enter their user/pass combination for authentication to portal/gateway (not user/machine specific cert).  Not doing prelogon at this point.    I can add this exported certificate into the Certificates (Local Computer) /Personal AND Trusted Root store ....all day long....and it makes no difference.   

I can even specify in the portal agent config to use 1.3.6.1.5.5.7.3.2 for an OID- and also ensure that both  Client certificate store look up - both "user and machine" is set on the portal...still nothing.

 

The only way I can get this to successfully work, is by placing the exported certificate into the Certificates -Current User - personal - store. ...then everything works perfectly.    It's almost as if windows clients have issues accessing the machine store when a user is logged in?  Anyone have experience with this, or something along these lines?

 

Maybe @Mick_Ball  answered part of this already below:

https://live.paloaltonetworks.com/t5/General-Topics/Does-Pre-logon-for-Global-Protect-use-the-Comput...

 

MS seems to hint at the fact that any machine store cert in the trusted root will be mirrored to the current user store trusted root- but NOT the Current User Personal:

 

https://docs.microsoft.com/en-us/windows-hardware/drivers/install/local-machine-and-current-user-cer...

"Be aware that all current user certificate stores except the Current User/Personal store inherit the contents of the local machine certificate stores."

 

 

Does a generic certificate have to be installed for every user under their current user personal certificate store?

25 REPLIES 25

I’m using the snap in on the machine that I am on(testing to ensure this works on my machine first). The ca cert is staying on the firewall, and the subservient cert is getting exported with its private key to the local computer store. I’m adding the cert profile through the portal authentication tab. So I have the regular ldap authentication in the main section, and then in the drop down below it I’m adding the cert profile that uses the ca of the exported (with private key)subservient certificate. The subservient cert is getting exported as pkcs12, with a password set on it. Is that the way it should be done?

@Mick_Ball Impressed with your level of response here. Thank you

Hey no problemo....

 

its a shame the messaging service is not working on this site as could send you one of my certs for you to test against my lab portal...

 

i have logged this as a fault so fingers crossed...

I'm not sure I understand?  yeah, i noticed this site's direct messaging appears broken...so you think it may be a certificate issue itself?

Not sure, kinda running out of ideas...   at least that test would tell us if cert issue or windows issue.

 

going through post again...from the start did you generate a self signed root ca that is in the cert profile for auth, then generated the user cert and sign it with the same root. Then export as pks12.

@Mick_Ball 

 

I reviewed your post, and double checked everything.  Thank you for the replies.   I found that the agent itself works when I install to (Local Computer)-Personal.  This appears to work for the global protect agent flawlessly.  It's a bit misleading to me though, as when I try to browse directly to the portal (which I was originally trying to do) I get a warning that says "Valid client certificate is required" (and an auth failure, if typing in known good credentials)- however,  the Global protect agent itself works perfectly.   This must be because I'm launching a web browser as a current user of the computer, and the GP agent has access to a different store? 

 

This is where my confusion was all along.  How could I be getting a warning "Valid client certificate required" - and denied authentication, when web-browsing to the portal, if I wasn't missing the certificate?  Well, the GP agent says otherwise.

 

If this is the case, how are people using the portal to allow machines that may not have the agent (someone inside the org, but offsite), to web browse to the portal, download the agent and install it?  I'm guessing using a publicly signed CA certificate may solve this issue? Or maybe they are just requiring the certificate authentication on their gateways and NOT the portal?

Ok glad its working but you should still see the computer store from your browser.

 

the rules are as follows.

 

  • Local machine certificate store

    This type of certificate store is local to the computer and is global to all users on the computer. This certificate store is located in the registry under the HKEY_LOCAL_MACHINE root.

  • Current user certificate store

    This type of certificate store is local to a user account on the computer. This certificate store is located in the registry under the HKEY_CURRENT_USER root.

 

as a test why not open regedit as the user and see if you can view the local machine store...  if you cannot then something strange is going on.  If you can then it must be the browser.   What browser are you using.

 

i always test my certs with IE. As much as i hate it it is still the most popular.

I think only IE and Edge use the local comp store. Chrome has a plug in and Firefox will fail miserably...

 

Edited....

Yes, I can see the Local machine store in regedit.   When browsing (using edge/IE) to the portal though, I'm still seeing a warning about "valid client certificate required".   I'll test on a couple of machines tomorrow and reply to this thread.  I know I can fix the problem by installing the certificate in the (current user) personal store, but I'll see if I can work around it on some test computers.

 

So your saying that organizations will use cert based auth even on the portal?  I'm finding I can make a second CA with a completely different intermediate cert, and use that in the certificate profile, and use that for certificate auth, and that works as well for the GP agent.  But NOT when I browse to the portal   

 

So it's down to the browser and the cert store?

Ok catch up tomorrow but not sure where the intermediate cert is required for this.

 

could it also be that as you have been messing with certs that ie is using one that it thinks it should use but its the wrong one.

 

yes i would have a play on a fresh device and remove all personal certs from user store.

 

good luck....

@Mick_Ball 

 

Thanks for all the replies.   Definitely a help to the community!  Thank you!!  I would say this problem is solved.  

  • 11338 Views
  • 25 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!