Kerberos SSO with Globalprotect and User-Logon

L4 Transporter

Kerberos SSO with Globalprotect and User-Logon

Hi Community,


I have a strange problem with Kerberos SSO and Globalprotect 4.0.7:

I set up Kerberos SSO and the SSO is working.

If you connect to the Globalprotect-Portal via browser, you directly get a Kerberos ticket and the SSO works.


If you logout from Windows 10 and you login again, you have a Kerberos-Ticket assigned, but the global protect client doesn't automatically connect to the portal. The form data are already filled up with portal address and username - but the user-id is only shown on the PA, after manually clicking to connect.


Does anybody has an idea what the reason for this behavior might be?

Can anyone confirm, that my planned setup is working in general: User logs in to Windows, Global Protect automatically connects via Kerberos SSO with the internal gateway?


I'm looking forward to your feedback.

L4 Transporter

Re: Kerberos SSO with Globalprotect and User-Logon


I have an update regarding this issue: 
For user identification, the DC server monitor was in use as well.
The SSO with kerberos works, but instantly after the login, the security log is read and the user-id entry gets overwritten.


I checked that by "show user ip-user-mapping all" and after the logon, the type was AD, not GP.

It seems we are to slow - anyway I would be happy if someone could confirm my finding.


Best Regards


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!