08-09-2017 01:41 AM
Hello everybody,
Recently I have been facing a strange Problem with Global Protect.
If I log into a Windows 7 Machine (64-bit) with an Administrator Account and enter Credentials of a NON-Administrative Account in Global Protect everything works just fine.
But if I log into the Machine with a NON-Administrative Account and try to connect with a NON-Administrative User, Global Protect won't establish the connection.
I tried to compare the logs between the Admin and NON-Admin Account, I couldn't find any similarities at all to be honest. The logs seem totally different.
Any help in this matter would be highly appreciated!
08-10-2017 01:07 AM
I hope this helps:
I hope you saw Message #14 in which I suspect the Windows Updates to be the problem.
08-10-2017 02:21 AM
Hi @husetech
Yes, I read your post about the suggestion with the windows updates. I mean if this is the only difference between the clients then go ahead and remove the updates. Might be worth a try.
But I still can't get the "missing private key" error out of my mind and what this exactly has to do with the connection problem. Are there differences in the certificate store between the admin and non-admin users?
08-10-2017 02:25 AM
... and about the packet capture: If you set the source to the IP from where your client is connecting and the destination to your portal IP, then you, in most cases, don't have to worry about performance problems. Simply set the filters as exact as possible, this will also help you see the data you want to see and you then don't have to search in a big capture for that one connection.
08-10-2017 02:35 AM - edited 08-10-2017 02:36 AM
Yes at some point I will probably compare the Updates installed on the Machine with the ones from our WSUS.
There is one difference I noticed when trying to install the certificate via Web Browser, it gives me this Error:
Translation: There was an Error trying to open the Organization trust store.
Installing it with the Admin Account works.
Furthermore if I try to replace the DNS Name with the IP Address in GP it gives me this:
Translation: Basically saying there is a problem with the security certificate, that's why the identity can't be checked.
But I think that is because it is not the DNS Name which the Certificate refers to.
08-11-2017 04:52 AM - edited 08-11-2017 05:10 AM
So I deinstalled the Updates which were different from the working Machine we have here.
After every Update-Deinstallation I tested GP to see which Update caused the Problem, but none of them seemed to be the cause.
Then I logged into another User Account which has never been logged in on this Machine. Suddenly GP worked just fine, it connected and asked for credentials.
It looks like one or more deinstalled Windows Updates caused the problem, not only that, it also changed the configuration of the User's profile. So once the User profile, which got changed by the bad Update, got written back to the server you have a problem.
I will probably delete the User Profile and create a completely new one.
Updates I deinstalled:
KB2393802
KB2525835
KB2534111
KB2643719
KB2656356
KB2706045
KB2716513
KB2719033
KB2758857
KB2765809
KB3018238
KB3031432
KB3068457
KB3075220
KB3076895
KB3124275
KB3133043
KB3148851
KB3153731
KB3169658
KB3177723
KB3182203
KB3203884
KB4012864
One or more of these Updates is probably an Internet / Certificate Update which caused the problem.
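The comparison described in this post (finding the updates that differ between the working and the failing machine) can be scripted instead of read off two update lists by hand. This is an added example, not part of the original thread: the function names and file names are hypothetical, and the sample lists are constructed from KB numbers mentioned in the thread purely for illustration. It avoids PowerShell 3.0+ syntax so it also runs on a stock Windows 7 client.

```powershell
# Added example (not from the thread). Function and file names are hypothetical.

function Export-HotFixList {
    # Run once on each client: writes the installed KB ids, one per line.
    param([Parameter(Mandatory = $true)][string]$Path)
    Get-HotFix |
        Where-Object { $_.HotFixID -match '^KB\d+$' } |   # keep only KB-numbered entries
        ForEach-Object { $_.HotFixID.ToUpper() } |
        Sort-Object -Unique |
        Set-Content -Path $Path
}

function Compare-HotFixList {
    # Returns one object per KB that is present on only one of the two machines.
    param(
        [string[]]$Working = @(),
        [string[]]$Failing = @()
    )
    # Normalise both lists: drop blank lines, trim, upper-case, de-duplicate.
    $w = @($Working | Where-Object { $_ } | ForEach-Object { $_.Trim().ToUpper() } | Sort-Object -Unique)
    $f = @($Failing | Where-Object { $_ } | ForEach-Object { $_.Trim().ToUpper() } | Sort-Object -Unique)
    if ($w.Count -eq 0 -or $f.Count -eq 0) {
        throw 'Both lists must contain at least one KB id.'
    }
    Compare-Object -ReferenceObject $w -DifferenceObject $f |
        ForEach-Object {
            $side = 'Working'
            if ($_.SideIndicator -eq '=>') { $side = 'Failing' }
            New-Object PSObject -Property @{ HotFixID = $_.InputObject; OnlyOn = $side }
        } |
        Sort-Object OnlyOn, HotFixID
}

# Constructed sample input: which machine holds which KB is illustrative only.
$working = 'KB4025341', 'KB3031432', 'KB3133043'
$failing = 'KB4025341', 'kb3031432 ', 'KB3124275', 'KB2716513'
Compare-HotFixList -Working $working -Failing $failing |
    Format-Table HotFixID, OnlyOn -AutoSize

# With real exports from the two clients:
# Compare-HotFixList -Working (Get-Content .\working.txt) -Failing (Get-Content .\failing.txt)
```

Only the KBs reported as `OnlyOn = Failing` need to be tested one by one, which shortens the uninstall-and-retest loop.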
08-11-2017 05:48 AM - edited 08-11-2017 05:51 AM
KB2393802 - Windows 7 Update from 2011
KB2525835 - Update for Windows Server 2008???
KB2534111 - hotfix for "computername cannot contain only numbers" error
KB2643719 - Update for Windows Server 2008 R2???
KB2656356 - .Net 3.5.1 Securityupdate from 2011
KB2706045 - Windows 7 Securityupdate for JScript/VBScript from 2012
KB2716513 - Securityupdate for FTP server module in IIS (2012)
KB2719033 - belongs to KB2716513
KB2758857 - Securityupdate from 2012 to fix a critical RCE vulnerability
KB2765809 - Securityupdate for Windows Server 2008???
KB3018238 - Securityupdate from 2014 to fix a critical RCE vulnerability in SChannel
KB3031432 - Fix for elevation of privilege vulnerability from 2015
KB3068457 - Securityupdate for Windows Server 2008???
KB3075220 - RDP Securityupdate from 2015
KB3076895 - Securityupdate for XML core services from 2015
KB3124275 - Securityupdate for IE 11 from 2016
KB3133043 - Securityupdate for NPS RADIUS DoS vulnerability in Server 2008/2012
KB3148851 - Timezone changes for Russia
KB3153731 - DST Setting change for Chile, Haiti, Morocco
KB3169658 - Securityupdate for Windows Server 2008???
KB3177723 - Egypt cancels DST update
KB3182203 - Timezone change for Novosibirsk
KB3203884 - West bank and Gaza move DST end
KB4012864 - DST changes for Northern Cyprus, Mongolia, ...
KB4025337 - Securityupdate for Windows 7 from 2016
KB4025341 - Monthly rollup update july 2017
Could you try to reinstall all except the july monthly rollup? The others don't seem to be related to this issue ... at least what the descriptions...
08-13-2017 11:57 PM - edited 08-14-2017 02:50 AM
Thank you for your reply!
I used the WSUS Offline creation tool to get all the Updates for Windows 7 when I created my installation .iso.
Somehow it seems it also downloaded Updates for other Systems, like Windows Server 2012. I am sure I told WSUS Offline to only download Windows 7 updates.
Anyway I tried to reinstall all the mentioned Updates which was not quite successful.
I was able to reinstall the following Updates:
KB2643719 - Update for Windows Server 2008 R2
KB3031432 - Fix for elevation of privilege vulnerability from 2015
KB3068457 - Securityupdate for Windows Server 2008
KB3133043 - Securityupdate for NPS RADIUS DoS vulnerability in Server 2008/2012
KB4025337 - Securityupdate for Windows 7 from 2016
KB4025341 - Monthly rollup update july 2017
As you can see I also installed the July Rollup and GP worked without any problems.
For all other Updates I got an Error Message saying that this Update cannot be installed on my operating System.
So one of these Updates, which were not supposed to be installed in the first place, caused the Error.
Now I just wonder why WSUS Offline offered me these for download..
EDIT: I checked WSUS Offline again, if you want to download only Windows 7 Updates you also download Windows Server 2008 R2 Updates, you can't separate them it seems.
I strongly suspect KB3124275 to be the Problem.
I hope this is useful for people with a similar problem.
Thanks again and have a nice day!