Global Protect "Single Sign on" with Windows Hello on Windows 10


ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

Cyber Elite

Global Protect "Single Sign on" with Windows Hello on Windows 10

Hi everyone,

I have a situation as described in the title of this post. As you probably know Global Protect installs his own Credential Provider in Windows which has to be chosen by the user. It is also possible to force the Global Protect Credential Provider, but the point is, it has to be used in order to enable single sign on for the user.

This now breaks the whole thing when combined with Windows Hello (Iris Scan, Fingerprint), because Windows Hello has his own credential provider. So in a default Global Protect configuration with pre-logon enabled (certificate profile and LDAPs authentication profile), either Global Protect single sign on or Windows Hello is working as expected:
- log in with GP CP: VPN single sign on is working but not Windows Hello
- log in with WH CP: Windows Hello is working but the user has to enter his credentials manually to Global Protect

To get the comfort of both worlds I was now thinking of a setup with the following requirements:
- Global Protect ONLY authenticates with a certificate profile
- User-ID Agents check Active Directory Logins for the VPN IP range
- Firewall is configured to get the User-to-IP mappings from the User-ID agent
- Firewall allows access to the AD (for logging in), antivirusupdates, windows updates to the pro-logon user
- all subsequent firewallrules are created for actual users, so they become "active" as soon the user-to-ip-mapping is known by the firewall

I have already tested this solution and it works as expected. Users can log in simply by "looking at their laptops" and there is no need to bother for reentering the credentials or making sure that Global Protect is set as default Credential Provider.

My question now for you all is: Am I missing some security issues with not using an authentication profile and relying on the login event in active directory?

L7 Applicator

Hi Remo,


Potential workaround may be relying on Kerberos SSO. Users can perform Windows Hello to authenticate to the device (and AD/Kerberos), and then use Kerberos SSO to authenticate to GP. Some details are mentioned in the last comment of this post:



Nikola M

L3 Networker



What did you end up doing? What authentcation profile did you use ldap or radius? Can I use radius?



Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!