Global Protect Pre-login issue with Microsoft Windows PKI generated machine cert

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Global Protect Pre-login issue with Microsoft Windows PKI generated machine cert

L1 Bithead



We are trying to setup always on + Pre-Login with Machine cert which generated by Microsoft PKI and distributed by GPO when user turned on the machine . Then, when user login to the machine, it will use windows logon with SSO.  Like this KB.


We confirmed a machine cert exists correct location on the Windows machine. Also, we imported the Microsoft Root cert on to Palo Alto. And we configured Portal and Gateway like KB exception is we are using MS PKI. When we login and log off from user, it will switch successfully switch to Pre-Logon. However, when we reboot the machine, Global Protect won't connect automatically with pre-logon. Global protect is disconnected until user login. It seems the cert is the issue.  So far, we found out that if we create Palo Alto generated cert and export the cert with private key, and then import the cert to Windows machine, it will work as expected. We noticed that the main difference between the two is that Palo Alto generated cert has a private key embedded within the machine cert. However, Microsoft auto generated machine cert doesn't have a private key within the cert. If you see at the end of KB, it mentioned "make sure a. it has private key". Is the private key within the machine cert requirement? If so, what is the technical reason? How can we generate a machine cert with a private key by Microsoft PKI?


6. Once imported, double click the imported machine certificate to make sure

a. it has private key

b. its certificate chain is full upto its root CA. If the chain is missing root CA or intermediate CA, import them to their respective folders as explained in Step 5.






L1 Bithead


It is resolved. We compared between Palo Alto generated cert and MS generated cert with a default template. We found out one difference between the two. MS generated Cert didn't have Subject (I mean subject value was blank). As soon as we added the subject (CN=FQDN) in the MS cert, Palo alto accepted the MS cert. I think Palo Alto should update the KB saying "subject is requirement" for machine cert Pre-logon.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!