Global Protect client certificate auth Current User Vs Local Computer Store

Reply
Highlighted
L4 Transporter

Global Protect client certificate auth Current User Vs Local Computer Store

Having some trouble with a generalized  single certificate (wanting to use as part of user/pass authentication)  across multiple machines.  Wanting to require this certificate be on a machine and the user enter their user/pass combination for authentication to portal/gateway (not user/machine specific cert).  Not doing prelogon at this point.    I can add this exported certificate into the Certificates (Local Computer) /Personal AND Trusted Root store ....all day long....and it makes no difference.   

I can even specify in the portal agent config to use 1.3.6.1.5.5.7.3.2 for an OID- and also ensure that both  Client certificate store look up - both "user and machine" is set on the portal...still nothing.

 

The only way I can get this to successfully work, is by placing the exported certificate into the Certificates -Current User - personal - store. ...then everything works perfectly.    It's almost as if windows clients have issues accessing the machine store when a user is logged in?  Anyone have experience with this, or something along these lines?

 

Maybe @MickBall  answered part of this already below:

https://live.paloaltonetworks.com/t5/General-Topics/Does-Pre-logon-for-Global-Protect-use-the-Comput...

 

MS seems to hint at the fact that any machine store cert in the trusted root will be mirrored to the current user store trusted root- but NOT the Current User Personal:

 

https://docs.microsoft.com/en-us/windows-hardware/drivers/install/local-machine-and-current-user-cer...

"Be aware that all current user certificate stores except the Current User/Personal store inherit the contents of the local machine certificate stores."

 

 

Does a generic certificate have to be installed for every user under their current user personal certificate store?


Accepted Solutions
Highlighted
L7 Applicator

Ok glad its working but you should still see the computer store from your browser.

 

the rules are as follows.

 

  • Local machine certificate store

    This type of certificate store is local to the computer and is global to all users on the computer. This certificate store is located in the registry under the HKEY_LOCAL_MACHINE root.

  • Current user certificate store

    This type of certificate store is local to a user account on the computer. This certificate store is located in the registry under the HKEY_CURRENT_USER root.

 

as a test why not open regedit as the user and see if you can view the local machine store...  if you cannot then something strange is going on.  If you can then it must be the browser.   What browser are you using.

 

i always test my certs with IE. As much as i hate it it is still the most popular.

View solution in original post

Highlighted
L7 Applicator

Ok catch up tomorrow but not sure where the intermediate cert is required for this.

 

could it also be that as you have been messing with certs that ie is using one that it thinks it should use but its the wrong one.

 

yes i would have a play on a fresh device and remove all personal certs from user store.

 

good luck....

View solution in original post


All Replies
Highlighted
L7 Applicator

No, generic certificates do not have to be in the users personal store..

 

Have you set the GP app to use both user and computer certs.

Highlighted
L4 Transporter

@MickBall  Are you referring to the "client certificate store lookup" - both user and machine ? -  If so, yes, I have that specified.      This is not for pre-logon- only when the user is logged on.  Thank you for the quick reply. Never hurts to have more input.

Highlighted
L7 Applicator

OK worth a check..

 

I use certs in the computer store and it works fine for when users are logged into the device.

I also do not use pre-logon.

 

with the certificate located in the computer/personal/certificates area  have you tried browsing vi IE to your portal.

this may throw up a more helpful error than the portal.

 

Highlighted
L4 Transporter

Access to the machine cert store is not available to standard user accounts. It requires elevated permissions. Not sure if GP can get around this if a user is already logged in to the machine. 

@MickBall , do your users have admin rights on the workstation?

Highlighted
L7 Applicator

@rmfalconer , hi.

nope, admin level access is used to install the cert but our users are restricted to the hilt.

Highlighted
L4 Transporter

Browsing to the Portal will throw the same error- "client certificate required"-   it's like it doesn't see the cert at all....but the second I move it to the current user store---everything works....

 

 

I'm hearing that people have these certs in their machine stores, but I have yet to get this to successfully work

Highlighted
L4 Transporter

I am starting to wonder about this, as I cannot get it to successfully work 

Highlighted
L4 Transporter

@MickBall -

 

That certificate is not used for pre-logon, or installed in the personal store right?

Highlighted
L7 Applicator

No the certificate is not in the users personal store.

 

for a small group of user, about 250, we cannot use the personal store. So we use the computer store.

 

i will check AD permissions tomorrow to see if @rmfalconer  has seen something more obvious here.

 

 

 

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!