GlobalProtect Client Certificate not Found

L5 Sessionator

GlobalProtect Client Certificate not Found

Hi All,

I am trying to demo pre-logon and am really struggling with the client certificate authentication side of things.

I've generated a Root CA on the firewall which has been imported into the Personal and Trusted Root Stores of the machine.

The portal is set to use this certificate via a certificate profile which has been configured.

Connect method has been set to pre-logon always on.

When I attempt to access the VPN on the desktop, I get the message "Required client certificate not found", despite the fact that the cert specified in the certificate profile is in all the right certificate stores.

Help! (GP Version 4.1.8)

Cheers,

Luke.

L7 Applicator

Re: GlobalProtect Client Certificate not Found

Not sure about the pre-logon stuff, but for my certificate auth I created a root CA on the Palo, then generated another certificate for a user that was signed by that CA.

I then exported the user cert in PKCS12 format and imported that cert into the computer or user personal store.

The original CA is in the cert profile listed under portal and gateway auth.

You will also need to ensure the GP portal app allows both user and comp store.

L5 Sessionator

Re: GlobalProtect Client Certificate not Found

Hey @MickBall

I've just tried this and unfortunately, I still get the same result. Was your user cert marked as a CA? Mine currently isn't.

Any other suggestions?

Thanks,

Luke.

L1 Bithead

Re: GlobalProtect Client Certificate not Found

Hi,

Did you create a Root CA, Intermediate CA and Machine Cert so the whole certificate chain is complete?

Root and Intermediate need to be marked as CA.

If so, you should be able to export the Machine Certificate as PKCS as MickBall mentioned and import it to your local certificate (computer) store.

Section B in the below link should help you with all the steps for certificate authentication.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFoCAK

Did you do any specific settings in the Certificate Profile? I've seen some strange issues if some of the boxes are marked.

/PV

L7 Applicator

Re: GlobalProtect Client Certificate not Found

No, my user certs are not CAs; they just show the CA as the issuer.

OK, why don't you go back a step and forget the pre-logon stuff, and first just get the cert auth to work without pre-logon.

The other info coming in from @xen-pv may be more helpful for pre-logon, as we do not actually use it.

L7 Applicator

Re: GlobalProtect Client Certificate not Found

Sorry, I meant to say go back a step just to test your cert auth; once you've got that sussed, then add pre-logon.

L5 Sessionator

Re: GlobalProtect Client Certificate not Found

Hi @MickBall

I disabled pre-logon and still get the same result.

@xen-pv

I just tried with the full chain and still the same result. Self-signed root and intermediate on the firewall, both specified in the cert profile.

Generated a primary cert signed by the intermediate, exported to the client and stored in personal and trusted root, and still get "Required client certificate not found".

Am I doing something wrong?

Thanks,

Luke.

L7 Applicator

Re: GlobalProtect Client Certificate not Found

Do you get the same error when you browse HTTPS to the portal address?

L5 Sessionator

Re: GlobalProtect Client Certificate not Found

Hey @MickBall

I do, yes.

L7 Applicator

Re: GlobalProtect Client Certificate not Found

Could you check the client machine cert to ensure it has something in the subject field?
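A client-side check that covers the points raised in this thread: whether the certificate sitting in the computer's Personal store has its private key, a non-empty subject (the check asked for in the last reply), is an end-entity certificate rather than a CA, carries Client Authentication in its EKU if it has one, and chains up through the intermediate to the root (the full chain @xen-pv describes). This is an added example, not code from the thread or from Palo Alto Networks; it assumes Windows PowerShell 5.1 or later, and the issuer text `CN=GP-Intermediate-CA` is a placeholder you replace with the subject of your own issuing CA.

```powershell
# Added example, not from the thread: sanity-check a GlobalProtect client
# certificate in the Windows computer store before troubleshooting the VPN.
# Assumption: the issuing CA's subject contains $IssuerMatch (placeholder).
param(
    [string]$IssuerMatch = 'CN=GP-Intermediate-CA',   # placeholder, replace with your CA
    [string]$StorePath   = 'Cert:\LocalMachine\My'    # computer Personal store
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

$candidates = @(Get-ChildItem -Path $StorePath | Where-Object { $_.Issuer -like "*$IssuerMatch*" })

if ($candidates.Count -eq 0) {
    Write-Warning "No certificate issued by '$IssuerMatch' in $StorePath. Store contents:"
    Get-ChildItem -Path $StorePath | Format-Table Subject, Issuer, HasPrivateKey, NotAfter -AutoSize
    return
}

foreach ($cert in $candidates) {
    Write-Host "==== $($cert.Thumbprint) ===="
    Write-Host ("Subject       : '{0}'" -f $cert.Subject)
    Write-Host ("Issuer        : {0}"   -f $cert.Issuer)
    Write-Host ("HasPrivateKey : {0}"   -f $cert.HasPrivateKey)
    Write-Host ("Valid         : {0} to {1}" -f $cert.NotBefore, $cert.NotAfter)

    # 1. Empty subject: the client has nothing to match against
    if ([string]::IsNullOrWhiteSpace($cert.Subject)) {
        Write-Warning 'Subject is empty; issue the certificate with a populated subject (at least a CN).'
    }

    # 2. Private key: a cert imported without its key cannot be used for client auth
    if (-not $cert.HasPrivateKey) {
        Write-Warning 'No private key; export from the firewall as PKCS#12 (with key) and re-import.'
    }

    # 3. Basic Constraints (2.5.29.19): the machine/user cert is an end-entity cert, not a CA
    $bc = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    if ($bc -and $bc.CertificateAuthority) {
        Write-Warning 'Certificate is marked as a CA; only the root and intermediate should be.'
    }

    # 4. Extended Key Usage (2.5.29.37): if present, it must include Client Authentication
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })) {
        Write-Warning 'Extended Key Usage is present but does not include Client Authentication.'
    }

    # 5. Validity window, checked against the local clock
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        Write-Warning 'Certificate is not currently valid (check NotBefore/NotAfter and the machine clock).'
    }

    # 6. Chain: leaf -> intermediate (Cert:\LocalMachine\CA) -> root (Cert:\LocalMachine\Root)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)
    Write-Host ("Chain builds  : {0}" -f $built)
    foreach ($element in $chain.ChainElements) {
        Write-Host ("   -> {0}" -f $element.Certificate.Subject)
    }
    if (-not $built) {
        foreach ($status in $chain.ChainStatus) {
            Write-Warning ("   {0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
        }
        Write-Host 'Make sure the root is in Cert:\LocalMachine\Root and the intermediate in Cert:\LocalMachine\CA.'
    }
    $chain.Reset()
}
```

Run it from an elevated PowerShell prompt so the LocalMachine store can be read fully. The leaf certificate with its private key belongs in Cert:\LocalMachine\My (Personal), the intermediate CA in Cert:\LocalMachine\CA (Intermediate Certification Authorities), and the root in Cert:\LocalMachine\Root (Trusted Root); revocation checking is disabled here because a lab CA on the firewall usually publishes no CRL, so enable it again if yours does. If the chain does not build in this script, fix that first, since the same Windows certificate store and chain engine are what the client relies on.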
