Global Protect client certificate auth Current User Vs Local Computer Store



Having some trouble with a generalized single certificate (wanting to use it as part of user/pass authentication) across multiple machines. Wanting to require this certificate be on a machine and the user enter their user/pass combination for authentication to the portal/gateway (not a user- or machine-specific cert). Not doing pre-logon at this point. I can add this exported certificate into the Certificates (Local Computer) / Personal AND Trusted Root store all day long, and it makes no difference.

I can even specify in the portal agent config to use 1.3.6.1.5.5.7.3.2 for an OID, and also ensure that the client certificate store lookup is set to both "user and machine" on the portal... still nothing.

The only way I can get this to successfully work is by placing the exported certificate into the Certificates - Current User - Personal store... then everything works perfectly. It's almost as if Windows clients have issues accessing the machine store when a user is logged in? Anyone have experience with this, or something along these lines?

 

Maybe @Mick_Ball answered part of this already below:

https://live.paloaltonetworks.com/t5/General-Topics/Does-Pre-logon-for-Global-Protect-use-the-Comput...

MS seems to hint at the fact that any machine store cert in the Trusted Root will be mirrored to the Current User Trusted Root store, but NOT to Current User Personal:

https://docs.microsoft.com/en-us/windows-hardware/drivers/install/local-machine-and-current-user-cer...

"Be aware that all current user certificate stores except the Current User/Personal store inherit the contents of the local machine certificate stores."

Does a generic certificate have to be installed for every user under their Current User Personal certificate store?

Accepted Solutions

OK, glad it's working, but you should still see the computer store from your browser.

The rules are as follows:

  • Local machine certificate store

    This type of certificate store is local to the computer and is global to all users on the computer. This certificate store is located in the registry under the HKEY_LOCAL_MACHINE root.

  • Current user certificate store

    This type of certificate store is local to a user account on the computer. This certificate store is located in the registry under the HKEY_CURRENT_USER root.

As a test, why not open regedit as the user and see if you can view the local machine store... If you cannot, then something strange is going on. If you can, then it must be the browser. What browser are you using?

I always test my certs with IE. As much as I hate it, it is still the most popular.


OK, catch up tomorrow, but I'm not sure where the intermediate cert is required for this.

Could it also be that, as you have been messing with certs, IE is using one that it thinks it should use but it's the wrong one?

Yes, I would have a play on a fresh device and remove all personal certs from the user store.

Good luck...


25 Replies


No, generic certificates do not have to be in the user's personal store.

Have you set the GP app to use both user and computer certs?

@Mick_Ball Are you referring to the "client certificate store lookup" - both user and machine? If so, yes, I have that specified. This is not for pre-logon, only when the user is logged on. Thank you for the quick reply. Never hurts to have more input.

OK, worth a check.

I use certs in the computer store and it works fine when users are logged into the device.

I also do not use pre-logon.

With the certificate located in the Computer / Personal / Certificates area, have you tried browsing via IE to your portal?

This may throw up a more helpful error than the portal.

 

Access to the machine cert store is not available to standard user accounts. It requires elevated permissions. Not sure if GP can get around this if a user is already logged in to the machine. 
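A quick way to check both points raised above (the accepted answer's suggestion to test whether the logged-on user can see the Local Machine store, and the reply that standard users cannot access it) is to enumerate the stores as the affected user. The following PowerShell is an added example written for this thread; it is not code from any poster or from Palo Alto Networks. The subject string "GP-Client" is an assumption, as is filtering on the Client Authentication EKU 1.3.6.1.5.5.7.3.2 mentioned in the original post; adjust both to the real certificate.

```powershell
# Added example (not from the original thread). Run in a NON-elevated Windows PowerShell
# session as the locked-down user who cannot connect. It lists matching certificates in
# the Local Computer and Current User stores and, for machine-store certs, checks whether
# this user can actually open the private key and which identities the key file's ACL grants.
#
# Assumptions (not from the post): the generic cert's subject contains "GP-Client" and it
# carries the Client Authentication EKU. A cert with no EKU extension at all is excluded
# by this filter, so drop the EKU test if yours has none.
$SubjectMatch  = 'GP-Client'
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'

function Get-MatchingClientCerts {
    param([Parameter(Mandatory)][string]$StorePath)
    # Reading certificates through the Cert: drive needs no elevation, even for
    # LocalMachine; only the private key material is access controlled.
    Get-ChildItem -Path $StorePath -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Subject -like "*$SubjectMatch*" -and
            ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthEku)
        }
}

function Get-PrivateKeyFile {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Opening the key handle is the step that fails for a user lacking read rights on the key.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName                                # CNG (KSP) key
        $dir  = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName   # legacy CAPI (CSP) key
        $dir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
    } else {
        return $null
    }
    Join-Path $dir $name
}

$stores = 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My',
          'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

foreach ($store in $stores) {
    $certs = @(Get-MatchingClientCerts -StorePath $store)
    '{0,-26} {1} matching certificate(s)' -f $store, $certs.Count
    foreach ($c in $certs) {
        "  Thumbprint    : $($c.Thumbprint)"
        "  HasPrivateKey : $($c.HasPrivateKey)"
        if ($c.HasPrivateKey -and $store -like 'Cert:\LocalMachine\*') {
            try {
                $keyFile = Get-PrivateKeyFile -Cert $c
                if ($keyFile) {
                    "  KeyFile       : $keyFile"
                    # Only identities listed here can use the key for TLS client auth. A
                    # standard user missing from the list will see the certificate in the
                    # store yet still get "client certificate required" from the portal.
                    (Get-Acl -Path $keyFile).Access |
                        ForEach-Object { '    {0,-40} {1}' -f $_.IdentityReference, $_.FileSystemRights }
                }
            } catch {
                "  PrivateKey    : NOT usable by $env:USERNAME ($($_.Exception.Message))"
            }
        }
    }
}
```

Read the output in three steps. Zero matches under Cert:\LocalMachine\My means the certificate is not in the machine store at all (the read itself does not need admin rights). A match whose private key cannot be opened points at the key file's ACL rather than at store visibility. The same root appearing under both Root stores, while Cert:\CurrentUser\My stays empty, is exactly the inheritance behaviour the Microsoft note quoted earlier describes.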

@Mick_Ball , do your users have admin rights on the workstation?

@rmfalconer, hi.

Nope, admin-level access is used to install the cert, but our users are restricted to the hilt.

Browsing to the portal will throw the same error, "client certificate required". It's like it doesn't see the cert at all... but the second I move it to the Current User store, everything works...

 

 

I'm hearing that people have these certs in their machine stores, but I have yet to get this to successfully work

I am starting to wonder about this, as I cannot get it to successfully work 

@Mick_Ball -

 

That certificate is not used for pre-logon, or installed in the personal store right?

No, the certificate is not in the users' personal store.

For a small group of users, about 250, we cannot use the personal store, so we use the computer store.

I will check AD permissions tomorrow to see if @rmfalconer has seen something more obvious here.

@Mick_Ball

Thank you very much. Any help is appreciated.

Are you using the MMC certificate snap-in tool to import the certificate?

Yes, I am.

And are you running the snap-in on the user's device, or are you running this on your own device and connecting to another computer within the snap-in? You only need the generic cert on the device. The root cert stays on the firewall and in a cert profile.

Below is a snippet of my store; does your machine store look similar?

Perhaps also let me know, from start to finish, including the cert export format, exactly what you are doing.

[image: cert.png]


Another question...

Are you adding this additional auth via an auth profile's additional factors, or to the portal authentication tab (cert profile)?
