cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Cannot install Machine Certificate for GP Pre-logon

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Cannot install Machine Certificate for GP Pre-logon

Go to solution
FarzanaMustafa
L4 Transporter

‎02-24-2021 05:03 PM - edited ‎02-24-2021 06:59 PM

I encountered a problem installing the machine certificate.

ERROR.png

I followed the article below:
 
We are using a self-signed root ca that is in the cert profile for auth, then generated the server cert and machine cert and signed them with the same root. Then export as pks12.
In the Certificate Profile, I changed the Username Field type from 'None' to 'Subj'.
Made sure I selected the Computer account (default is user account) and cert is in folder "Personal" there.
 
CERT.jpg
 
Tried the MS fix but no luck.
 
Please help!
 
 
1 person had this problem.
0 Likes Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
MickBall
L7 Applicator
In response to FarzanaMustafa

‎03-17-2021 02:28 AM

I cannot really tell without seeing your complete setup but it may be that as you included the certificate in the profile, GP was seeing pre-logon as a separate user rather than just a pre-logon user.

 

View solution in original post

8 REPLIES 8

Go to solution
MickBall
L7 Applicator

‎02-24-2021 10:18 PM

Hi @FarzanaMustafa .

have you tried to install the same certificate into the user personal store of the same device or into another device that is not controlled by group policy etc.

 

this will not fix the issue but you need to first discover if this is a problem with the certificate or the installation process.

 

has your root CA been used to generate other successful client auth certs?

0 Likes Likes

Go to solution
FarzanaMustafa
L4 Transporter
In response to MickBall

‎03-02-2021 05:22 PM - edited ‎03-02-2021 07:42 PM

@MickBall Thank you so much for your guidance.

 

The Gateway is now working. Any idea how to check evidence of client cert checks being performed? ie. 

How can I validate if the user is authenticated with the pre-logon feature?

0 Likes Likes

Go to solution
MickBall
L7 Applicator
In response to FarzanaMustafa

‎03-03-2021 05:01 AM

check the gateway current users. add "pre" to the search, this is what you will se before the user connects.

you can also check the previous user tab with pre.

 

MickBall_0-1614776470333.jpeg

 

0 Likes Likes

Go to solution
FarzanaMustafa
L4 Transporter
In response to MickBall

‎03-11-2021 09:32 PM

Hi @MickBall 

 

Sorry for the delayed response and thank you once again for your great inputs.

 

When I'm logged out from the workstation the pre-logon user is not showing in the gateway. I can see it in the Previous User tab.

However, on the KB article of PA it says:
 
Pre-logon.jpg
 
Could you please endorse my concern with the relevant PA Team?

Go to solution
MickBall
L7 Applicator
In response to FarzanaMustafa

‎03-12-2021 02:49 AM

something seems to be wrong with your configuration as when I log off my workstation the existing (not previous) connection changes to pre-logon and reverts to my name when i log back in.

 

can you post exactly what you have in the gateway config...

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

0 Likes Likes

Go to solution
MickBall
L7 Applicator
In response to FarzanaMustafa

‎03-12-2021 03:02 AM

MickBall_0-1615546942076.jpeg

 

0 Likes Likes

Go to solution
FarzanaMustafa
L4 Transporter
In response to MickBall

‎03-16-2021 05:23 PM

Thank you so much for your guidance.

I checked the GP GW config and removed the cert from Certificate Profile. It worked!

 

May I ask what was the problem?

 

Cert Profile.png

0 Likes Likes

Go to solution
MickBall
L7 Applicator
In response to FarzanaMustafa

‎03-17-2021 02:28 AM

I cannot really tell without seeing your complete setup but it may be that as you included the certificate in the profile, GP was seeing pre-logon as a separate user rather than just a pre-logon user.

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2022 - Palo Alto Networks