GlobalProtect reports Machine Certificate (null) but it isn't...

L2 Linker


Hey all,

Recently upgraded to PAN-OS v9.0.3 and GlobalProtect is no longer working for some. Error messages in the system logs are showing "GlobalProtect portal client configuration failed... Machine Certificate CN: (null)" for those that fail, but also "Machine Certificate CN:" (just a blank here) for those that are successful. This is intermittent and is affecting roughly 25% of our corporate users.

I'm guessing "Machine Certificate" is a general term PA uses, since there is no mention in the system logs of a "Client or User Certificate". We employ user certificates, not machine certificates. We have our portal configured to use User Certificates. We also have our Gateway and Portal configured to "Allow Authentication with user credentials OR Client Certificate". This only works IF we delete the client certificate on the endpoint; then they are able to log in using only credentials. If we leave it in the OR position it seems to ignore the OR and automatically fail with user credentials alone.

Our certificate profile is set up to use the Subject Alt. Name / Principal Name for the username, which matches what's contained within the certificate, which matches LDAP / AD.

We do have a case open with Palo Alto. The 1st response was that the CN can no longer be null (our logs say differently), and the 2nd response was to try an older GP Agent, which we're in the process of doing.

We've tried deleting the certificate on the failing client machines and re-issuing them; this doesn't work.

A couple of our clients that were originally experiencing issues magically started working.

Just wondering if anyone else has encountered something similar and / or has any suggestions.


Thanks,

cfowler

L7 Applicator

Re: GlobalProtect reports Machine Certificate (null) but it isn't...

@fowlerca,

There are a number of known GP bugs in 9.0 code yet, so the fact that you are running into issues is not surprising. I would recommend logging a ticket with TAC so they can pull the logs and get it to the proper groups to get it fixed.


FYI:

9.0 is not yet a recommended release, and short of needing a feature present within 9.0 I would not yet have installed this in a production environment.
