05-06-2021 10:50 PM
I now have GP connected automatically with a certificate pushed out via InTune. This is on a Surface Laptop running Win 10. I typically log in with face recognition. After I log on and notice that I have TCP/IP access through the GP connection and internal DNS is working - I am trying to then go to a file share. \\whatever\sys$\whichever say. I am then prompted for my credentials and a note is there "The system cannont contact a domain controller to service the authentication request." I have no thought why it can't find the DC. To work around this click "Use a different account" and enter my work email and password.This is the same email as the one associated with my face recognition. But after I login through using this "Other User" I then have access to the file share. I checked cmd/set user and that looks the same before my "Other User" login as after. Any ideas appreciated!
05-07-2021 03:49 AM
biometric logon doesn't pass along SSO credentials, it simply allows you access to the desktop, which could be an issue for GP
check out this article: Biometric Sign-In Support (paloaltonetworks.com)
05-07-2021 03:49 AM
biometric logon doesn't pass along SSO credentials, it simply allows you access to the desktop, which could be an issue for GP
check out this article: Biometric Sign-In Support (paloaltonetworks.com)
05-07-2021 06:33 AM
That was it. Thank you!
05-16-2021 10:25 AM
Hi @reaper
Actually we use SAML to explicitly enable single sign on for the users. Yes, this is not integrated functionality of global protect, but it does the job perfectly well. With this it is possible to use biometric logon (Windows Hello) and with SAML to an ADFS server or Azure AD it is possible to have single sign on there for the users. And we use this also with pre-logon (Just because in the linked article in the table it shows it works only with on-demand connections and SAML is not supported)
05-16-2021 11:15 AM
Ooh! Do you have that documented anywhere? My org's windows guys are eager to implement WH but GP is a showstopper right now.
05-16-2021 03:27 PM
@reaper not yet ... maybe this would be an idea for an article that I could create 😉
PS: With this solution it is not possible to use the global protect login option on w10 ... just in case this wasn't clear already
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
