08-09-2017 01:41 AM
Hello everybody,
recently I am facing a strange Problem with Global Protect.
If I log into a Windows 7 Machine (64-bit) with an Administrator Account and enter Credentials of a NON-Administrative Account in Global Protect everything works just fine.
But if I log into the Machine with a NON-Administrative Account and try to connect with a NON-Administrative User, Global Protect won't establish the connection.
I tried to compare the logs between the Admin and NON-Admin Account, I couldn't find any similarities at all to be honest. The logs seem totally different.
Any help in this matter would be highly appreciated!
08-11-2017 04:52 AM - edited 08-11-2017 05:10 AM
So I deinstalled the Updates which were different from the working Machine we have here.
After every Update-Deinstallation I tested GP to see which Update caused the Problem, but none of them seemed to be the cause.
Then I logged into another User Account which has never been logged in on this Machine. Suddenly GP worked just fine, it connected and asked for credentials.
It looks like one or more deinstalled Windows Updates caused the problem, not only that, it also changed the configuration of the User's profile. So once the User profile, which got changed by the bad Update, got written back to the server you have a problem.
I will probably delete the User Profile and create a completely new one.
Updates I deinstalled:
KB2393802
KB2525835
KB2534111
KB2643719
KB2656356
KB2706045
KB2716513
KB2719033
KB2758857
KB2765809
KB3018238
KB3031432
KB3068457
KB3075220
KB3076895
KB3124275
KB3133043
KB3148851
KB3153731
KB3169658
KB3177723
KB3182203
KB3203884
KB4012864
One or more of these Updates is probably an Internet / Certificate Update which caused the problem.
08-13-2017 11:57 PM - edited 08-14-2017 02:50 AM
Thank you for your reply!
I used the WSUS Offline creation tool to get all the Updates for Windows 7 when I created my installation .iso.
Somehow it seems it also downloaded Updates for other Systems, like Windows Server 2012. I am sure I told WSUS Offline to only download Windows 7 updates.
Anyway I tried to reinstall all the mentioned Updates which was not quite successful.
I was able to reinstall the following Updates:
KB2643719 - Update for Windows Server 2008 R2
KB3031432 - Fix for elevation of privilege vulnerability from 2015
KB3068457 - Security update for Windows Server 2008
KB3133043 - Security update for NPS RADIUS DoS vulnerability in Server 2008/2012
KB4025337 - Security update for Windows 7 from 2016
KB4025341 - Monthly rollup update July 2017
As you can see I also installed the July Rollup and GP worked without any problems.
For all other Updates I got an Error Message saying that this Update cannot be installed on my operating System.
So one of these Updates, which were not supposed to be installed in the first place, caused the Error.
Now I just wonder why WSUS Offline offered me these for download.
EDIT: I checked WSUS Offline again, if you want to download only Windows 7 Updates you also download Windows Server 2008 R2 Updates, you can't separate them it seems.
I strongly suspect KB3124275 to be the Problem.
I hope this is useful for people with a similar problem.
Thanks again and have a nice day!
08-09-2017 02:58 AM
Whilst logged in as non Admin, can you browse to the portal via https? If so, are you able to authenticate?
08-09-2017 03:20 AM - edited 08-09-2017 03:27 AM
I can not reach the Portal via Web Browser. "Can't reach this address".
I can ping it.
Another Computer in the same Network is able to Connect via Global Protect.
Edit: If I try to reach the Website via https it asks me to select a Certificate (there is only one listed) once I press "OK" it opens up the Portal via the Admin Account but not with the normal User.
08-09-2017 03:36 AM
Are you seeing anything on the PA logs (System)?
08-09-2017 04:31 AM - edited 08-09-2017 04:32 AM
Just checked it.
There are no Logs listed regarding Global Protect.
08-09-2017 04:35 AM
Can I assume you can see the system log for the successful administrator connection?
08-09-2017 04:41 AM
I am sorry, yes I can.
08-09-2017 04:49 AM
What authentication method are you using?
08-09-2017 04:52 AM
We have LDAP enabled.
08-09-2017 05:25 AM
OK, probably can't help any further, but perhaps you should wireshark the device to see if the connection attempt is being replied to.
08-09-2017 06:05 AM
Do you only use LDAP for the authentication or maybe also client/user certificates?
08-09-2017 06:22 AM
Have you tried using the troubleshooting tools on the gp client? You can try doing a packet capture using the PA packet capture tools
08-09-2017 10:42 PM - edited 08-09-2017 11:38 PM
In the configuration of GP there is only an LDAP Authentication displayed. Although you get a popup to accept a certificate from the PA on first time connect.
I've never used the Packet Capturing. When I activate Packet Capture it tells me that the systems performance can degrade drastically. I don't think I want to do this. If I would use a Filter I am not sure what to fill in where to capture only traffic from that Windows 7 Machine.
Edit: When I try to connect to the Portal via HTTPS, first it asks me to accept the certificate then it says the Web Address can't be reached: "ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY". With the Windows Administrator Account this works without problems.
08-10-2017 12:43 AM - edited 08-10-2017 12:44 AM
Now I am pretty sure that the Problem comes from the Windows Installation / Updates.
We installed two Computers with a new image, in which all the Windows Updates until 08/17 are included.
This installation is causing the troubles, every other installation in which we didn't use this updated Image works just fine.
So are there any Updates we have to remove in order to make GP work with User rights?
08-10-2017 12:50 AM
Because of the error you described when you connect with a non-admin user to the website, I think you have cert-authentication configured, even if it is accidentally.
Could you share a screenshot of your portal configuration?