GlobalProtect Prelogon - using non-cached AD account

L1 Bithead

So I've been having some issues getting GP prelogon working correctly. As of right now, GP will make the VPN connection before logon (I am able to ping my device prior to logon), and after I log in with a cached account it maintains its VPN connection and I have full network access, no issues.

However, when I log in using a non-cached account, it creates a temp profile, while still maintaining the VPN connection. I am under the impression that prior to logon I have a network connection with full access (which I do), so I should be able to create a regular user profile. My non-cached user account is obviously being authenticated, but I am still getting a temp profile. I do not see any errors in the system log and no traffic is being denied. The only thing that sticks out is a few errors in the panGPS.log:

(T2256) 07/09/15 13:05:41:193 Info ( 109): SSL connect failed (error:00000001:lib(0):func(0):reason(1))

(T2256) 07/09/15 13:05:41:193 Info ( 157): connect() failed

(T2256) 07/09/15 13:05:41:193 Error(5765): Protocol error. Check server certificate. Failed to ssl connect to 'xx.xxxxx.com:443', Disconect ssl and returns false.

Which I don't understand, because it still works technically. The server cert works fine; I don't get any cert errors when I web browse to the address. So any ideas on why I am getting a temp profile after I log in?

Thanks

7 REPLIES

L7 Applicator

Hi sross79

First I have some questions:

What OS are you using?

What version of GP Client do you have installed?

Are you able to ping the computer over the VPN connection during the whole login process?

Is it possible to map the drive of the computer while it is connected and no user is logged in?

(I assume this is working when you log in with this particular user while the computer is located in your corporate network?)

Did you also check the threat log for blocked connections?

Do you have these error messages before or after the user login?

What you could also try, if the connection is there without any deny entries in the log, is decreasing the MTU size on the computer where you have installed GP.

Regards,

Remo

Hi, thanks for the reply - I actually got it to create a standard profile now. It was an error on my part: I incorrectly deleted the profile. Once I deleted some registry keys it worked correctly.

The problem I have now is that it doesn't switch to the logged-in user from Prelogon.

So Prelogon is working correctly - I can ping the device prior to logon and have full network access. After I log in, the prelogon user is still being used and it does not SSO to show the logged-in user.

Does a GP login window show up after you are logged in completely? Did you configure the client config in the portal configuration to use SSO for this particular user or only for the pre-logon user?

Yea - the GP client does run and says services connected after login. I have one portal client config for prelogon configured for ANY user/user group with SSO enabled.

My thinking is that because the user account I'm testing with did not initially download the config settings, it doesn't have a cookie, but I thought if SSO is enabled it passes the user credentials used during login to the GP client.

Depends on what login credential provider you used for logging in. I had this problem as well: it didn't pass the credentials even though I had SSO configured.

Not sure I follow - what do you mean by login credential provider? Just the Windows 7 login screen.

I think Palo creates its own login credential provider. So you have to make sure that you use the GlobalProtect login credential provider in order to make SSO work.

On this picture you should see what I mean:

[image: cp-tiles.jpg]
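The thread ends on two checks a Windows admin would want to script: whether a stale profile entry in the registry is behind the temp profile, and whether a GlobalProtect credential provider is actually registered before expecting SSO to work. As an added example (not code from the thread or from Palo Alto Networks), this PowerShell reads both from the standard Windows ProfileList and Credential Providers keys; it assumes the GlobalProtect provider's display name contains "GlobalProtect" or "Palo Alto", since the thread gives no CLSID, and that a stale ProfileList entry is what the poster deleted, which the thread does not confirm.

```powershell
# Added diagnostic, not from the thread. Run in an elevated PowerShell prompt.
# Assumptions: standard Windows registry locations; the GlobalProtect
# credential provider is identified by display name, not by a known CLSID.

function Get-StaleProfileEntries {
    # Windows renames a profile key to <SID>.bak and logs the user on with a
    # temp profile when it cannot use the original (general Windows behaviour).
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem $base | ForEach-Object {
        $sid  = $_.PSChildName
        $path = (Get-ItemProperty $_.PSPath).ProfileImagePath   # REG_EXPAND_SZ, already expanded
        $isBak   = $sid -like '*.bak'
        $missing = $path -and -not (Test-Path $path)
        if ($isBak -or $missing) {
            [pscustomobject]@{
                Sid              = $sid
                ProfileImagePath = $path
                Reason           = $(if ($isBak) { '.bak entry' } else { 'profile folder missing' })
            }
        }
    }
}

function Get-CredentialProviders {
    # Each provider is a CLSID subkey whose default value is its friendly name.
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
    Get-ChildItem $base | ForEach-Object {
        $name = (Get-ItemProperty $_.PSPath).'(default)'
        [pscustomobject]@{
            Clsid                  = $_.PSChildName
            Name                   = $name
            LooksLikeGlobalProtect = [bool]($name -match 'GlobalProtect|Palo Alto')  # assumption: name-based match
        }
    }
}

Write-Host '--- Stale ProfileList entries (candidates for the temp-profile cause) ---'
Get-StaleProfileEntries | Format-Table -AutoSize
Write-Host '--- Registered credential providers (SSO needs the GlobalProtect one) ---'
Get-CredentialProviders | Sort-Object LooksLikeGlobalProtect -Descending | Format-Table -AutoSize
```

If the first table is empty and the second shows no GlobalProtect provider, the temp-profile cause lies elsewhere and SSO cannot pick up the Windows logon credentials.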
