Always On Global Protect and file share access


L3 Networker

I now have GP connected automatically with a certificate pushed out via InTune. This is on a Surface Laptop running Win 10. I typically log in with face recognition. After I log on and notice that I have TCP/IP access through the GP connection and internal DNS is working, I then try to go to a file share, say \\whatever\sys$\whichever. I am then prompted for my credentials, and there is a note: "The system cannot contact a domain controller to service the authentication request." I have no thought why it can't find the DC. To work around this, I click "Use a different account" and enter my work email and password. This is the same email as the one associated with my face recognition. But after I log in using this "Other User" I then have access to the file share. I checked cmd/set user and that looks the same before my "Other User" login as after. Any ideas appreciated!


Accepted Solutions

Cyber Elite

Biometric logon doesn't pass along SSO credentials; it simply allows you access to the desktop, which could be an issue for GP.

Check out this article: Biometric Sign-In Support (paloaltonetworks.com)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

That was it. Thank you!

Hi @reaper 

Actually we use SAML to explicitly enable single sign-on for the users. Yes, this is not integrated functionality of GlobalProtect, but it does the job perfectly well. With this it is possible to use biometric logon (Windows Hello), and with SAML to an ADFS server or Azure AD it is possible to have single sign-on there for the users. And we use this also with pre-logon. (Just because in the linked article in the table it shows it works only with on-demand connections and SAML is not supported.)

Ooh! Do you have that documented anywhere? My org's Windows guys are eager to implement WH but GP is a showstopper right now.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper not yet ... maybe this would be an idea for an article that I could create 😉

PS: With this solution it is not possible to use the GlobalProtect login option on W10 ... just in case this wasn't clear already.
