Global Protect 4.0.2 -19 only connects with Windows Administrator Account


Hello everybody,

 

Recently I have been facing a strange problem with Global Protect.

If I log into a Windows 7 Machine (64-bit) with an Administrator Account and enter Credentials of a NON-Administrative Account in Global Protect everything works just fine.

But if I log into the Machine with a NON-Administrative Account and try to connect with a NON-Administrative User, Global Protect won't establish the connection.

 

I tried to compare the logs between the Admin and NON-Admin Account; I couldn't find any similarities at all, to be honest. The logs seem totally different.

 

Any help in this matter would be highly appreciated!

 

Accepted Solutions

So I uninstalled the Updates which were different from the working Machine we have here.

After every uninstallation I tested GP to see which Update caused the Problem, but none of them seemed to be the cause.

Then I logged into another User Account which had never been logged in on this Machine. Suddenly GP worked just fine, it connected and asked for credentials.

 

It looks like one or more of the uninstalled Windows Updates caused the problem; not only that, it also changed the configuration of the User's profile. So once the User profile, which got changed by the bad Update, gets written back to the server, you have a problem.

I will probably delete the User Profile and create a completely new one.

 

Updates I uninstalled:

KB2393802

KB2525835

KB2534111

KB2643719

KB2656356

KB2706045

KB2716513

KB2719033

KB2758857

KB2765809

KB3018238

KB3031432

KB3068457

KB3075220

KB3076895

KB3124275

KB3133043

KB3148851

KB3153731

KB3169658

KB3177723

KB3182203

KB3203884

KB4012864

 

 

One or more of these Updates is probably an Internet / Certificate Update which caused the problem.

 

 

 


@Remo

Thank you for your reply!

I used the WSUS Offline creation tool to get all the Updates for Windows 7 when I created my installation .iso.

Somehow it seems it also downloaded Updates for other Systems, like Windows Server 2012. I am sure I told WSUS Offline to only download Windows 7 updates.

 

Anyway, I tried to reinstall all the mentioned Updates, which was not quite successful.

I was able to reinstall the following Updates:

 

KB2643719 - Update for Windows Server 2008 R2

KB3031432 - Fix for elevation of privilege vulnerability from 2015

KB3068457 - Security update for Windows Server 2008

KB3133043 - Security update for NPS RADIUS DoS vulnerability in Server 2008/2012

KB4025337 - Security update for Windows 7 from 2016

KB4025341 - Monthly rollup update July 2017

 

As you can see I also installed the July Rollup and GP worked without any problems.

 

 

For all other Updates I got an Error Message saying that this Update cannot be installed on my operating System.

So one of these Updates, which were not supposed to be installed in the first place, caused the Error.

Now I just wonder why WSUS Offline offered me these for download.

 


EDIT: I checked WSUS Offline again; if you want to download only Windows 7 Updates you also download Windows Server 2008 R2 Updates. You can't separate them, it seems.

I strongly suspect KB3124275 to be the Problem.

 

I hope this is useful for people with a similar problem.

Thanks again and have a nice day!

 

 


21 Replies

Whilst logged in as non-Admin, can you browse to the portal via HTTPS? If so, are you able to authenticate?

I can not reach the Portal via Web Browser. "Can't reach this address".

I can ping it.

 

Another Computer in the same Network is able to Connect via Global Protect.

 

Edit: If I try to reach the Website via https it asks me to select a Certificate (there is only one listed) once I press "OK" it opens up the Portal via the Admin Account but not with the normal User.

Are you seeing anything on the PA logs (System)?

Just checked it.

There are no Logs listed regarding Global Protect.

Can I assume you can see the system log for the successful administrator connection?

I am sorry, yes I can.

What authentication method are you using?

We have LDAP enabled.

OK, I probably can't help any further, but perhaps you should Wireshark the device to see if the connection attempt is being replied to.

Do you only use LDAP for the authentication or maybe also client/user certificates?

@husetech

 

Have you tried using the troubleshooting tools on the GP client? You can try doing a packet capture using the PA packet capture tools.

@Remo

In the configuration of GP there is only an LDAP Authentication displayed. Although you get a popup to accept a certificate from the PA on first-time connect.

 

@jdprovine

I've never used the Packet Capturing. When I activate Packet Capture it tells me that the systems performance can degrade drastically. I don't think I want to do this. If I would use a Filter I am not sure what to fill in where to capture only traffic from that Windows 7 Machine.

 

 

Edit: When I try to connect to the Portal via HTTPS, first it asks me to accept the certificate, then it says the Web Address can't be reached: "ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY". With the Windows Administrator Account this works without problems.

 

Now I am pretty sure that the Problem comes from the Windows Installation / Updates. 

We installed two Computers with a new image, in which all the Windows Updates until 08/17 are included.

This installation is causing the troubles, every other installation in which we didn't use this updated Image works just fine.

So are there any Updates we have to remove in order to make GP work with User rights?

@husetech

Because of the error you described when you connect with a non-admin user to the website, I think you have cert-authentication configured, even if it is accidental.

Could you share a screenshot of your portal configuration?
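
Added example, not part of the original thread: a PowerShell check for the condition behind the ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY error reported above. It lists the client-authentication certificates in the user and machine stores and reports whether the current account can open each private key; the function name Test-ClientCertKey is hypothetical.

```powershell
# Added diagnostic (not from the thread). Run once as the standard user and
# once as the administrator on the affected machine, then compare the output.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU OID for TLS client authentication

function Test-ClientCertKey {           # hypothetical helper name
    param([string[]]$Store = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))

    foreach ($path in $Store) {
        # @() keeps an empty store from producing a single $null iteration.
        foreach ($cert in @(Get-ChildItem -Path $path)) {
            # Skip certificates whose EKU extension excludes client auth.
            # A certificate with no EKU extension is unrestricted, so keep it.
            $eku = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
            }
            if ($eku) {
                $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
                if ($oids -notcontains $ClientAuthOid) { continue }
            }

            $status = 'no private key associated with this certificate'
            if ($cert.HasPrivateKey) {
                try {
                    # Opening the key fails when this account cannot read the
                    # key container. Keys held in a CNG provider can also fail
                    # here on older .NET versions ("Invalid provider type
                    # specified"), so read the message, not just the result.
                    $null = $cert.PrivateKey
                    $status = 'private key opened by this account'
                } catch {
                    $status = 'private key NOT usable: ' + $_.Exception.Message
                }
            }

            New-Object PSObject -Property @{
                Account    = [Security.Principal.WindowsIdentity]::GetCurrent().Name
                Store      = $path
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                KeyStatus  = $status
            }
        }
    }
}

Test-ClientCertKey | Format-List Account, Store, Subject, Thumbprint, NotAfter, KeyStatus
```

A certificate that shows a usable key under the administrator account but not under the standard user matches the admin-only behaviour described in this thread.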
