I imported the root CA cert from our Windows PKI into our Palo, created a subordinate CA cert on the Palo under that, an SSL cert under that that is working to authenticate SAML with Azure AD which was configured with a cert from the same root CA. This is for the user tunnel of GlobalProtect. Our Windows CA is issuing machine/personal store certs to our PCs, but GlobalProtect prelogon isn't successful in using these certs to authenticate a machine tunnel. Manually exporting the Subordinate CA cert from the Palo an importing it into a PC works, but this isn't a scalable solution. The machine certs that are being issued to PCs have the machine name in the Subject of the certs and client authentication in it's attributes. The only red flag I see is that the issuer of the machine certs has the distinguished name for the CA, wheras the root and subordinate certs on the Palo only have the common name of the CA. I have a ticket submitted to Palo support and a techinician has helped me get to this point, but progress slowed and I am hoping others in the community might have some suggestions based on their own experience.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!