GlobalProtect Single Sign-On does not Connect after Login

45395

Created On 09/26/18 13:51 PM - Last Modified 01/14/21 02:23 AM

Authentication

Deployment

VPNs

GlobalProtect

Prisma Access

Symptom

With GlobalProtect Single Sign-On configured, after the login to the Windows machine, the GlobalProtect connection might go down and not able to re-connect.

In case of using an external GlobalProtect Portal and GlobalProtect Gateway, a possible issue might be that during the initial GlobalProtect connection, the device is receiving information from a configured DNS server. This server may be resolving the external IP of the portal and gateway to an internal IP address. The new connection will fail due to a wrong DNS entry.
On Windows 8, Microsoft changed the login model to become user centric. This means that any user has the right to select which authentication method (tile) is used to authenticate on Windows. Windows or the user cannot be forced to use Palo Alto Network's GlobalProtect method by default, and the choice is entirely on the user. When GlobalProtect is being installed, it is made to be a default tile(login prompt for user) but upon restart Windows will remember the last tile user selected and will overwrite it.

The following resolutions correspond to the causes above:

To prevent this type of problem from happening, in case of external GP connection, the admin must be sure that the DNS server will not respond with an internal IP address for the portal and gateway. The external IP address, instead, is needed.
For Windows 8, the user must manually click the GlobalProtect pile at the Windows login prompt in order for the GlobalProtect connection to be successful.

For additional information regarding GlobalProtect and SSO, please refer to the following documents: