GlobalProtect agent error message "ERROR_WINHTTP_CLIENT_CERT_NO_ACCESS_PRIVATE_KEY"

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

GlobalProtect agent error message "ERROR_WINHTTP_CLIENT_CERT_NO_ACCESS_PRIVATE_KEY"

L0 Member

 

Hi all,

 

I deployed the GP agent and user was authenticated by client certificate, most users wroks, but some users cannot pass the authentication and get the following error messages in PanGPA.log:

 

(T1356) 06/08/18 13:39:53:722 Info (2559): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, this=0000029E2C99C820)
(T1356) 06/08/18 13:39:53:722 Debug(2640): WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, error=12186, result=5, dwCertificateError=0
(T9076) 06/08/18 13:39:53:816 Info (1465): winhttpObj, get WINHTTP_CALLBACK_STATUS_REQUEST_ERROR
(T9076) 06/08/18 13:39:53:816 Info (1032): Server cert query failed with error 12019
(T9076) 06/08/18 13:39:53:816 Error(1494): error = ERROR_WINHTTP_CLIENT_CERT_NO_ACCESS_PRIVATE_KEY
(T9076) 06/08/18 13:39:53:816 Debug(1576): winhttpObj, got ERROR_WINHTTP_CLIENT_CERT_NO_ACCESS_PRIVATE_KEY, clean cert cache now
(T9076) 06/08/18 13:39:53:816 Debug(3610): winhttpobj, cert do not has private key???? clean lastIssuerName now, data = 0000000000000000

 

GP agent is version 4.0.5, I also checked the certficate is fine and exported with private key, I also reinstall agent and certificate, even install newer GP agent version 4.0.8, but cannot fix it.

 

Does anyone know how to fix it? or have any suggestion for troubleshooting?

 

Firewall is running PAN-OS 7.1.15 and GlobalProtect agent 4.0.5 now, I had already opened a case but TAC think it is the operation system problem. All the issue computers are running Windows 10, client certificate is a sha256 (RSA 2048) self-signed certificate.

 

Thanks a lot and Best Regardss,

Sample Wu

 

8 REPLIES 8

L4 Transporter

Hi @Sample.Wu 

 

Did you find any solution for this.

Thanks in advance

L2 Linker

If possible, try by re-importing certificate and key fine. 

L3 Networker

Hello re-importing works but what happens here, why client does not have private key. Any idea?

UP

L0 Member

Does anyone know why this is happening?  For what ever reason, PaloAlto Agent is unable to accept the unexpired user certificate, which causes connectivity issues. I know that the fix is to re-import the certificate (on-site) but this will be money and time consuming for our remote users.

L1 Bithead

We're having the exact same issue on Windows 11 with credential roaming enabled. Any fix yet?

This seems to be caused by Windows11 breaking permissions for applications to access the private portion of the user's certificate store. See part 1) of the second post in my thread from a month ago. If you export the user's certificate (including the private key), delete the cert from the store, then re-import the certificate the GP client should be able to access the private key again.

https://live.paloaltonetworks.com/t5/globalprotect-discussions/windows11-fails-to-connect-to-portal-...

 

Thank you for your response, Adrian. I have asked a few users to delete certificate and request new one which fixes the issue. It's unreasonable to expect the other 40,000+ users to do that and was hoping for a better solution. I will probably just require machine certificate for authentication for now.

L6 Presenter

Yeah, as far as I have been able to determine, it is a Windows11 permission problem that affects any user account existing on a PC when it is upgraded to Windows11. User accounts created after the upgrade do not experience the problem (including on the same PC as an affected user). Removing/reinstalling GlobalProtect does not fix the issue. Newly added certs are not affected, just certs existing at the time of the upgrade (hence the delete and reimport or request new fix). 

  • 9810 Views
  • 8 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!