Global Protect 4.0.2 -19 only connects with Windows Administrator Account

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global Protect 4.0.2 -19 only connects with Windows Administrator Account

L2 Linker

Hello everybody,

 

recently I am facing a strange Problem with Global Protect. 

If I log into a Windows 7 Machine (64-bit) with an Administrator Account and enter Credentials of a NON-Administrative Account in Global Protect everything works just fine.

But if I log into the Machine with a NON-Administrative Account and try to connect with a NON-Administrative User, Global Protect won't establish the connection.

 

I tried to compare the logs between the Admin and NON-Admin Account, I couldn't find any simularities at all to be honest. The logs seem totally different.

 

Any help in this matter would be highly appriciated!

 

21 REPLIES 21

@Remo

I hope this helps:

2.PNG3.PNG1.PNG

 

 

I hope you saw Message #14 in which I suspect the Windows Updates to be the problem.

Hi @husetech

 

Yes, I read your post about the suggestion with the windows updates. I mean if this is the only difference between the clients then go ahead and remove the updates. Might be worth a try. 

But I still can't get the "missing private key" error out of my mind and what this exactly has to do with the connection problem. Are there differences in the certificate store between the admin and non-admin users?

L7 Applicator

... and about the packet capture: If you set the source to the IP from where your client is connecting and the destination to your portal IP, then you, in most cases, don't have to worry about performance problems. Simply set the filters as exact as possible, this wil also help you seeing the data you want to see and you then don't have to search in a big capture for that one connection

Yes at some point I will probably compare the Updates installed on the Machine with the ones from our WSUS.

 

There is one difference I noticed when trying to install the certificate via Web Browser, it gives me this Error:

1.PNG

Translation: There was an Error trying to open the Organization trust store.

 

Installing it with the Admin Account works.

 

 

Furthermore if I try to replace the DNS Name with the IP Adress in GP it gives me this:

Unbenannt.PNG

Translation: Basically saying there is a problem with the security certificate, that's why the identity can't be checked.

 

But I think that is because it is not the DNS Name which the Certificate refers to.

So I deinstalled the Updates which were different from the working Machine we have here.

After every Update-Deinstallation I tested GP to see which Update cause the Problem, but none of them seemed to be the cause..

Then I logged into another User Account which has never been logged in on this Machine. Suddenly GP worked just fine, it connected and asked for credentials.

 

It looks like one ore more deinstalled Windows Update caused the problem, not only that, it also changed the configuration of the Users profile. So once the User profile, which got changed by the bad Update, got written back to the server you have a problem.

I probably delte the User Profile and create a completely new one.

 

Updates I deinstalled:

KB2393802

KB2525835

KB2534111

KB2643719

KB2656356

KB2706045

KB2716513

KB2719033

KB2758857

KB2765809

KB3018238

KB3031432

KB3068457

KB3075220

KB3076895

KB3124275

KB3133043

KB3148851

KB3153731

KB3169658

KB3177723

KB3182203

KB3203884

KB4012864

 

 

One or more of these Updates is probably a Internet / Certificate Update which caused the problem.

 

 

 

KB2393802 - Windows 7 Update from 2011

KB2525835 - Update for Windows Server 2008???

KB2534111 - hotfix for "computername cannot contain only numbers" error

KB2643719 - Update for Windows Server 2008 R2???

KB2656356 - .Net 3.5.1 Securityupdate from 2011

KB2706045 - Windows 7 Securityupdate for JScript/VBScript from 2012

KB2716513 - Securityupdate for FTP server module in IIS (2012)

KB2719033 - belongs to KB2716513

KB2758857 - Securityupdate from 2012 to fix a critical RCE vulnerability

KB2765809 - Securityupdate for Windows Server 2008???

KB3018238 - Securityupdate from 2014 to fix a critical RCE vulnetability in SChannel

KB3031432 - Fix for elevation of priviledge vulnerability from 2015

KB3068457 - Securityupdate for Windows Server 2008???

KB3075220 - RDP Securityupdate from 2015

KB3076895 - Securityupdate for XML core services from 2015

KB3124275 - Securityupdate for IE 11 from 2016

KB3133043 - Securityupdate for NPS RADIUS DoS vulnerability in Server 2008/2012

KB3148851 - Timezone changes for Russia

KB3153731 - DST Setting change for Chile, Haiti, Marocco

KB3169658 - Securityupdate for Windows Server 2008???

KB3177723 - Egypt cancels DST update

KB3182203 - Timezone change for Novosibirsk

KB3203884 - West bank and Gaza move DST end

KB4012864 - DST changes for northern cypress, mongolia, ...

KB4025337 - Securityupdate for Windows 7 from 2016

KB4025341 - Monthly rollup update july 2017

 

Could you try to reinstall all except the july monthly rollup? The others don't seem to be related to this issue ... at least what the descriptions...

@Remo

Thank you for your reply!

I used the WSUS Offline creation tool to get all the Updates for Windows 7 when I created my installation .iso.

Somehow it seems it also downloaded Updates for other Systems, like Windows Server 2012. I am sure I told WSUS Offline to only download Windows 7 updates.

 

Anyway I tried to reinstall all the mentioned Updates which was not quite successfull.

I was able to reinstall thge following Updates:

 

KB2643719 - Update for Windows Server 2008 R2

KB3031432 - Fix for elevation of priviledge vulnerability from 2015

KB3068457 - Securityupdate for Windows Server 2008

KB3133043 - Securityupdate for NPS RADIUS DoS vulnerability in Server 2008/2012

KB4025337 - Securityupdate for Windows 7 from 2016

KB4025341 - Monthly rollup update july 2017

 

As you can see I also installed the July Rollup and GP worked without any problems.

 

 

For all other Updates I got a Error Message saying that this Update cannot be installed on my operating System.

So one of these Updates, which were not supposed to be installed in the first place, caused the Error.

Now I just wonder why WSUS Offline offered me these for download..

 


EDIT: I checked WSUS Offline again, if you want to download only Windows 7 Updates you also download Windows Server 2008 R2 Updates, you can't seperate them it seems.

I strongly suspect KB3124275 to be the Problem.

 

I hope this is usefull for people with a similar problem.

Thanks again and have a nice day!

 

 

  • 7864 Views
  • 21 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!