GlobalProtect failed to connect - required client certificate is not found


Issue

You have configured your portal and gateway for two-factor authentication (an authentication profile plus a certificate profile), but the status page of the GlobalProtect client shows the error below when you try to connect from the client computer:

"Required Client Certificate is not found"


You also see this error message in the PanGP Service Log:

Debug(3624): Failed to pre-login to the portal XX.XX.XX.XX. Error 0

Debug(1594): close WinHttp close handle.

Debug(3588): prelogin status is Error

Error(3591): pre-login error message: Valid client certificate is required

Debug(1594): close WinHttp close handle.

Debug(4213): portal status is Client Cert Required.

Debug(3697): Portal required client certificate is not found.


Solution

These errors occur because there is no correct/valid client certificate on the client computer. The portal's pre-login response ("Valid client certificate is required") means the certificate profile on the portal demands a client certificate, and the GlobalProtect client could not find one in the machine's certificate store that the portal would accept.

The certificate imported to the client machine must correspond to the 'Server Certificate' configured in the portal and gateway settings; in other words, it must chain to the CA certificate that the portal's certificate profile references.

In the case of a self-signed certificate, the same certificate will need to be imported into both the Personal store and the Trusted Root Certification Authorities store.

For instructions on how to import the certificate to the client computer, follow the procedure below.


Follow these instructions to import the certificate in P12 format to the client computer (Windows machine):


  1. Click Start > Run, type mmc, and click OK.
  2. Click File > Add/Remove Snap-in.
  3. Select Certificates, click Add, and select Computer account.
  4. Click OK.
  5. Import the client certificate (with its private key) into 'Personal', and the issuing CA certificate into 'Trusted Root Certification Authorities'.

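The same import done from an elevated PowerShell prompt, as an added example that is not part of the original article. The file paths and the PFX password are placeholders; the script puts the client certificate into the computer's Personal store, puts only the CA certificate (or, for a self-signed certificate, the public part of that same certificate) into Trusted Root Certification Authorities, and then builds the chain the way Windows will, so the "certificate not found" case is caught before GlobalProtect is retried.

```powershell
# Added example, not from the original KB article. Paths and password below are assumed placeholders.
param(
    [string]$PfxPath = 'C:\certs\gp-client.p12',   # assumed: P12 bundle with the client cert and private key
    [string]$CaPath  = 'C:\certs\gp-ca.cer',       # assumed: issuing CA certificate (DER or PEM); absent for self-signed
    [string]$PfxPass = 'changeme'                  # placeholder; prompt or read from a secret store in practice
)

$secure = ConvertTo-SecureString -String $PfxPass -AsPlainText -Force

# 1. Client certificate + private key -> LocalMachine\My (the 'Personal' store in mmc).
#    -Exportable is deliberately omitted so the private key cannot be exported again later.
$client = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $secure
if (-not $client.HasPrivateKey) {
    throw "Imported certificate has no private key; GlobalProtect cannot present it for client authentication."
}

# 2. Only a CA certificate belongs in Trusted Root. Putting the client/machine certificate itself there
#    does nothing for trust unless the certificate is self-signed (the case the article mentions).
if (Test-Path $CaPath) {
    $ca = Import-Certificate -FilePath $CaPath -CertStoreLocation 'Cert:\LocalMachine\Root'
} elseif ($client.Subject -eq $client.Issuer) {
    # Self-signed: add the public part of the same certificate (no private key) to Trusted Root.
    $pub   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($client.Export('Cert'))
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($pub)
    $store.Close()
    $ca = $pub
} else {
    throw "No CA certificate at $CaPath and the client certificate is not self-signed; nothing to trust it against."
}

# 3. Build the chain as the machine sees it, requiring the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2).
#    Revocation is skipped here because an offline lab usually has no reachable CRL/OCSP endpoint.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.ApplicationPolicy.Add('1.3.6.1.5.5.7.3.2') | Out-Null
if (-not $chain.Build($client)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw "Client certificate does not chain to a trusted root on this machine (or lacks the Client Authentication EKU)."
}

# 4. Confirm the chain actually terminates at the CA we just trusted, not at some other root.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Thumbprint -ne $ca.Thumbprint) {
    Write-Warning "Chain ends at '$($root.Subject)', not the imported CA; check which CA the portal's certificate profile references."
}
Write-Host "Client cert $($client.Thumbprint) chains to '$($root.Subject)'; ready to retry GlobalProtect."
```

Run this as an administrator, because writing to the LocalMachine stores requires elevation. If the chain build fails, the warnings printed from `ChainStatus` tell you whether the problem is an untrusted root, a missing intermediate, or a wrong EKU, which is more specific than the single "Required client certificate is not found" line the GlobalProtect client shows.
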
Comments

Only works for me if I import the CA cert to Trusted Root CA. Importing the machine cert to Trusted Root CA doesn't help.

After reading three articles like this... I'm beginning to think the terminology is wrong.

When I read the error "Required client certificate is not found"... I think it wants to authenticate with a client certificate.

But I think the error actually means the server certificate is not trusted.

Which is it?

And I want to use username/password... not client-side certificates for authentication.

Beyond that... I don't want to import my internal CA cert into the OS's key management. I don't want the OS trusting my internal CA for everything in the world.