GlobalProtect - PW Prompt when LDAP Auth is down.

L2 Linker


Hi all,

I tried support on this and didn't get much help. I am using PAN-OS 7.0 and GlobalProtect 2.2.1.

I have a couple hundred GlobalProtect clients using Windows. I am using pre-logon (always on) with LDAP authentication. The goal is to have the GlobalProtect clients stay connected to the gateway at all times, or keep trying to connect until a gateway becomes available.

The boxes auto-connect and auto-reconnect on their own 95% of the time. However, in an event where the LDAP servers go down (i.e. maintenance or interruption), the user is prompted for a password even though pre-logon is being used and the user has selected "Remember me" within the client. Please note, I am using certificates for pre-logon, but I cannot use SSO.

I have included a screenshot of the issue. ANY HELP is appreciated.

Client config: snippet1.png

snippet2.png

Error on client: snippet3.png


L5 Sessionator

Re: GlobalProtect - PW Prompt when LDAP Auth is down.

If the LDAP server is down, then how will the firewall authenticate? As LDAP is down, authentication fails, so the firewall asks for credentials again.

L7 Applicator

Re: GlobalProtect - PW Prompt when LDAP Auth is down.

How about setting up multiple LDAP servers for redundancy? This way you can reboot one or more and still retain functionality.

L2 Linker

Re: GlobalProtect - PW Prompt when LDAP Auth is down.

I am not sure if I understand what you mean by the firewall authenticating. If you are referring to the admin login for the firewall, that uses local authentication, not LDAP.

What I am striving for is a truly "always on" solution. In my view, when pre-logon says "always on", it should never ask the clients for credentials when the authentication server is down.

L2 Linker

Re: GlobalProtect - PW Prompt when LDAP Auth is down.

Thanks for the reply. I appreciate the recommendation. We currently have two LDAP servers. We have seen a couple of situations where the communication between the LDAP server and the clients becomes interrupted for one reason or another.

I am wondering if there is some sort of registry setting for the Windows GP clients... something to suppress the prompt?

Community Manager

Re: GlobalProtect - PW Prompt when LDAP Auth is down.

Pre-logon VPN is a partial VPN that would allow a user to load logon scripts etc. while the workstation boots into normal operational mode. This access is granted with a decreased level of authentication.

Once the logon sequence completes, the user will always be required to 'make himself known' by authenticating. The pre-logon VPN mode cannot be used while in normal Windows 'desktop' mode.

To get around this, you could try using an authentication sequence in the gateway configuration's authentication settings (instead of a single LDAP profile), where two LDAP profiles provide redundancy.


Help the community: Like helpful comments and mark solutions
Reaper out
L2 Linker

Re: GlobalProtect - PW Prompt when LDAP Auth is down.

That makes sense. I am wondering, though, why the client prompts for a password even though the client has checked "Remember me".
Community Manager

Re: GlobalProtect - PW Prompt when LDAP Auth is down.

That may require a little more troubleshooting; you'll first want to figure out what exactly is happening to the LDAP.

You could set up Wireshark on the LDAP server or run a tcpdump on the firewall while testing a failed connection like this. Maybe the LDAP server does respond to the authentication, but in an unexpected way, making the gateway re-prompt the user for credentials because it thinks the authentication failed.

The user/pass prompt would typically appear if something like that happens, or if the password is changed or expired. The GP debug log may help shed some light on this as well.

L2 Linker

Re: GlobalProtect - PW Prompt when LDAP Auth is down.

I've opened this as a case with Palo Alto.  I will post my findings.

L3 Networker

Re: GlobalProtect - PW Prompt when LDAP Auth is down.

I point my LDAP server at the root domain and not a single server, so it is set up as LDAP server: corp.firm.local, and it works without problems; the client queries whatever domain controller it can find.
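Both suggestions in this thread, an authentication sequence with two LDAP profiles and pointing the profile at the domain name so that any domain controller answers, come down to failing over between LDAP servers, and the earlier tcpdump suggestion is about telling "server unreachable" apart from "server answered, but with a rejection". The script below is an added example written for this page; it is not from the thread, from GlobalProtect, or from Palo Alto Networks, and it does not model what PAN-OS itself does inside an authentication sequence. It builds an LDAPv3 simple BindRequest by hand (standard library only, no ldap3), parses the BindResponse, classifies the outcome, and fails over across the controllers resolved from a domain name. The hostnames dc1/dc2/dc3, the domain corp.firm.local, and the bind DN are hypothetical; the sample responses are constructed. The failover policy (move on when a server is unreachable or busy, stop at the first definite success or invalidCredentials) is this example's own choice, made so that a rejected password is not replayed against every controller.

```python
"""Probe domain controllers with an LDAPv3 simple bind and fail over between them.

Added example for the thread above (not the thread's or Palo Alto's code).
Hostnames, domain and DN are hypothetical; sample responses are constructed.
"""
import socket

# LDAP resultCode values (RFC 4511) that this probe distinguishes.
LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49
LDAP_BUSY = 51
LDAP_UNAVAILABLE = 52


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag: int, payload: bytes) -> bytes:
    """One BER TLV element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = ber(0x60, ber(0x02, b"\x03") + ber(0x04, dn.encode()) + ber(0x80, password.encode()))
    return ber(0x30, ber(0x02, bytes([msg_id])) + bind)


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos = pos + 2 + nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> tuple[int, int, str]:
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)
    tag, resp, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(resp, 0)        # ENUMERATED resultCode
    _, _matched, pos = read_tlv(resp, pos)  # matchedDN (ignored)
    _, diag, _ = read_tlv(resp, pos)        # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode(errors="replace")


def classify(code: int, diag: str = "") -> tuple[str, str]:
    """Map a resultCode to the decision the failover loop needs."""
    if code == LDAP_SUCCESS:
        return "ok", diag
    if code == LDAP_INVALID_CREDENTIALS:
        return "rejected", diag            # definite answer: do not retry elsewhere
    if code in (LDAP_BUSY, LDAP_UNAVAILABLE):
        return "server_error", diag        # server is up but cannot serve: try the next one
    return "server_error", f"resultCode {code}: {diag}"


def probe(host: str, port: int, dn: str, password: str, timeout: float = 3.0) -> tuple[str, str]:
    """Live probe over plain TCP/389 so the exchange is visible in a capture; the
    password crosses the wire in clear, so use a throwaway probe account and LDAPS in practice."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_simple_bind(1, dn, password))
            data = s.recv(4096)
        if not data:
            return "unreachable", "connection closed before BindResponse"
        _, code, diag = parse_bind_response(data)
        return classify(code, diag)
    except (OSError, ValueError, IndexError) as exc:   # no route, timeout, reset, garbage
        return "unreachable", str(exc)


def bind_with_failover(servers, dn: str, password: str, probe_fn=probe):
    """Try servers in order; continue past unreachable/busy ones, stop at the first definite answer."""
    attempts = []
    for host in servers:
        outcome, _detail = probe_fn(host, 389, dn, password)
        attempts.append((host, outcome))
        if outcome in ("ok", "rejected"):
            return outcome, attempts
    return "no_server", attempts


def resolve_dcs(domain: str) -> list[str]:
    """Pointing at the domain name instead of one controller yields every A record for it."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(domain, 389, type=socket.SOCK_STREAM)})


if __name__ == "__main__":
    import getpass
    import sys
    domain, dn = sys.argv[1], sys.argv[2]   # e.g. corp.firm.local  cn=probe,ou=svc,dc=corp,dc=firm,dc=local
    print(bind_with_failover(resolve_dcs(domain), dn, getpass.getpass("bind password: ")))
```

Run it against the domain name during an outage window and compare the attempts list with the gateway's behaviour: an "unreachable" on every controller means the client prompt is a transport problem, while a "rejected" from a controller that is supposedly down is the "responds, but unexpectedly" case the capture would also show.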
