12-02-2020 12:20 PM
If a user has multiple user certificates, how can I ensure that the firewall chooses the correct one to use?
For example, a user might have a VPN to two different companies that both have PA firewalls.
I'd strongly prefer not having to have a separate windows user account depending on which useraccount and portal I want to connect to. Thanks
12-03-2020 07:37 PM
I might be getting the prompt on every connection as it does not have a valid gateway because i only need to test the cert against a portal.
i will add a gateway later today and see if it goes away.... I only say this as picked this up from PAN docs..
When only one client certificate meets the requirements above, the app automatically uses that client certificate for authentication. However, when multiple client certificates meet the these requirements, GlobalProtect prompts the user to select the client certificate from a list of valid client certificates on the endpoint. While GlobalProtect requires users to select the client certificate only when they first connect, users might not know which certificate to select. In this case, we recommend you to narrow the list of available client certificates by certificate purpose (as indicated by the OID) and certificate store.
12-02-2020 01:40 PM
When there's multiple user certificates, the user will get a pop-up requesting which one to use
12-02-2020 01:52 PM
No such pop-up appearing requesting which one to use. I've had to delete a user certificate due to the lack of pop-up.
12-02-2020 04:00 PM
If the certificates are issued by different authorities, there *shouldn't* be a problem. Only the cert issued by the CA you define in the certificate profile should be used. The prompt should only happen if: there are multiple certs that are issued from the same authority, with client auth enabled and in the same cert store.
12-03-2020 08:24 AM
It's the same CA and the prompt is not occurring. For instance, I am testing user certificate of a third party complaining of issues connecting to VPN.
12-03-2020 08:36 AM
So it is _not_ the same CA? Which version of GP are you/they on? May need to upgrade, or reach out to aupport
12-03-2020 08:39 AM - edited 12-03-2020 09:03 AM
5.2.3 GP originally. I upgraded to 5.2.4 GP and still have the same issue. Their is no prompt to choose the user certificate / username with the GP client. If I connect to the firewall web gui, I do get a prompt about which user certificate to use.
12-03-2020 10:13 AM
I have 2 different certs from the same CA and i do get a prompt on v5.24
12-03-2020 10:28 AM
If I completely uninstall 5.2.4 then install 5.2.3, I get the prompt. Does this only appear the first time you connect? Is there some setting that controls whether you are prompted once or every time?
12-03-2020 07:17 PM
It does prompt me on every connection, however.... i have a funny feeling that when i installed a second user cert from the same CA it just ignored it... as if it expected to use the one i had already been using prior to the second addition... and as far as i can remember i just connected to a different test portal for the first time to get the prompt. I have never seen a setting to tweak this but GP client may be trying to do something clever in the background hence a re install resolution for yourself. I have seen a few odd things when chopping and changing user certs but normally rectified by pangps service restart.
12-03-2020 07:37 PM
I might be getting the prompt on every connection as it does not have a valid gateway because i only need to test the cert against a portal.
i will add a gateway later today and see if it goes away.... I only say this as picked this up from PAN docs..
When only one client certificate meets the requirements above, the app automatically uses that client certificate for authentication. However, when multiple client certificates meet the these requirements, GlobalProtect prompts the user to select the client certificate from a list of valid client certificates on the endpoint. While GlobalProtect requires users to select the client certificate only when they first connect, users might not know which certificate to select. In this case, we recommend you to narrow the list of available client certificates by certificate purpose (as indicated by the OID) and certificate store.
12-06-2020 04:53 PM
Thanks. My temporary workaround is the uninstall and reinstall of GlobalProtect VPN, or manually adding and deleting user certificates. I tried simply changing the portal, but didn't get prompted to choose between the user certificates
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
