Global Protect "Single Sign on" with Windows Hello on Windows 10


L7 Applicator
Hi everyone,

I have a situation as described in the title of this post. As you probably know, Global Protect installs its own Credential Provider in Windows, which has to be chosen by the user. It is also possible to force the Global Protect Credential Provider, but the point is, it has to be used in order to enable single sign-on for the user.

This now breaks the whole thing when combined with Windows Hello (Iris Scan, Fingerprint), because Windows Hello has its own credential provider. So in a default Global Protect configuration with pre-logon enabled (certificate profile and LDAPS authentication profile), either Global Protect single sign-on or Windows Hello is working as expected:
- log in with GP CP: VPN single sign on is working but not Windows Hello
- log in with WH CP: Windows Hello is working but the user has to enter his credentials manually to Global Protect

To get the comfort of both worlds I was now thinking of a setup with the following requirements:
- Global Protect ONLY authenticates with a certificate profile
- User-ID Agents check Active Directory Logins for the VPN IP range
- Firewall is configured to get the User-to-IP mappings from the User-ID agent
- Firewall allows access to the AD (for logging in), antivirus updates, and Windows updates for the pre-logon user
- all subsequent firewall rules are created for actual users, so they become "active" as soon as the user-to-IP mapping is known by the firewall

I have already tested this solution and it works as expected. Users can log in simply by "looking at their laptops" and there is no need to bother with re-entering the credentials or making sure that Global Protect is set as the default Credential Provider.

My question now for you all is: Am I missing some security issues with not using an authentication profile and relying on the login event in Active Directory?

Regards,
Remo
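To make the question about relying on AD login events concrete, here is an added example (not from the post or from Palo Alto Networks) that emulates what the User-ID mapping does with the setup above: only logons from the VPN pool produce a user-to-IP mapping, a later logon from the same address replaces the earlier user, and a mapping older than the timeout is treated as unknown so that only the pre-logon rules would apply. The log lines, the VPN range 10.50.0.0/24 and the 45-minute timeout are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample of the fields a User-ID agent reads from AD security
# logs (successful logon: timestamp, account, source IP). Not real data.
SAMPLE_LOGONS = [
    ("2020-03-02 08:01:10", "CORP\\remo", "10.50.0.17"),
    ("2020-03-02 08:02:00", "CORP\\alice", "192.168.1.40"),   # LAN, not VPN
    ("2020-03-02 08:40:00", "CORP\\bob", "10.50.0.17"),       # VPN IP reused
]

VPN_RANGE = ipaddress.ip_network("10.50.0.0/24")   # assumed GP client pool
MAPPING_TIMEOUT = timedelta(minutes=45)            # assumed mapping timeout


def build_mappings(logons, vpn_range=VPN_RANGE):
    """Return {ip: (user, logon_time)} for logons seen from the VPN pool.

    A later logon from the same IP replaces the earlier mapping: once the
    pool hands an address to a new client, the old user must not stick."""
    mapping = {}
    for ts, user, ip in logons:
        if ipaddress.ip_address(ip) not in vpn_range:
            continue                      # LAN logons are not VPN users
        mapping[ip] = (user, datetime.fromisoformat(ts))
    return mapping


def user_for_ip(mapping, ip, now_iso):
    """Identity the firewall would apply to traffic from `ip` at `now_iso`.

    Returns None when no fresh mapping exists, meaning only the pre-logon
    rules (AD, antivirus and Windows Update) should match that address."""
    entry = mapping.get(ip)
    if entry is None:
        return None
    user, seen = entry
    if datetime.fromisoformat(now_iso) - seen > MAPPING_TIMEOUT:
        return None   # stale: do not keep trusting an old logon event
    return user
```

The stale-mapping and address-reuse cases are the two situations where a user-based rule would otherwise match traffic from someone other than the user who logged on.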

L7 Applicator

Hi Remo,


Potential workaround may be relying on Kerberos SSO. Users can perform Windows Hello to authenticate to the device (and AD/Kerberos), and then use Kerberos SSO to authenticate to GP. Some details are mentioned in the last comment of this post:

https://live.paloaltonetworks.com/t5/SME-GlobalProtect-Discussions/Is-it-possible-to-use-Windows-10-...


Thanks,

Nikola M

L3 Networker

Hi,


What did you end up doing? What authentication profile did you use, LDAP or RADIUS? Can I use RADIUS?


Thanks

L0 Member

Hello Remo,

I found what you have configured very interesting. Could you please share how you made all these configurations, step by step with screenshots?
