So I've been having some issues getting GP prelogon working correctly. As of right now, GP will make the VPN connection before logon (I am able to ping my device prior to logon), and after I log in with a cached account it maintains its VPN connection and I have full network access, no issues.
However, when I log in using a non-cached account, it creates a temp profile while still maintaining the VPN connection. I am under the impression that prior to logon I have a network connection with full access (which I do), so I should be able to create a regular user profile. My non-cached user account is obviously being authenticated, but I am still getting a temp profile. I do not see any errors in the system log and no traffic is being denied. The only thing that sticks out is a few errors in the panGPS.log:
(T2256) 07/09/15 13:05:41:193 Info ( 109): SSL connect failed (error:00000001:lib(0):func(0):reason(1))
(T2256) 07/09/15 13:05:41:193 Info ( 157): connect() failed
(T2256) 07/09/15 13:05:41:193 Error(5765): Protocol error. Check server certificate. Failed to ssl connect to 'xx.xxxxx.com:443', Disconect ssl and returns false.
Which I don't understand, because it still works technically. The server cert works fine; I don't get any cert errors when I web browse to the address. So any ideas on why I am getting a temp profile after I log in?
First I have some questions:
What OS are you using?
What version of GP Client do you have installed?
Are you able to ping the computer over the VPN connection during the whole login process?
Is it possible to map the drive of the computer while it is connected and no user is logged in?
(I assume this is working when you log in with this particular user while the computer is located in your corporate network?)
Did you also check the threat log for blocked connections?
Do you have these error messages before or after the user login?
What you also could try if the connection is there without any deny entries in the log is decreasing the MTU size on the computer where you have installed GP.
Hi, thanks for the reply - I actually got it to create a standard profile now. It was an error on my part. I incorrectly deleted the profile. Once I deleted some registry keys it worked correctly.
The problem I have now - is that it doesn't switch to the logged in user from Prelogon.
So Prelogon is working correctly - I can ping the device prior to logon and full network access. After I login, the prelogon user is still being used and it does not SSO to show the logged in user.
Does a GP Login window show up after you are logged in completely? Did you configure the client config in the portal configuration to use SSO for this particular user or only for the pre-logon user?
Yea - the GP client does run and say services connected after login. I have one portal client config for prelogon configured for ANY user/user group with SSO enabled
My thinking is that because the user account I'm testing with did not initially download the config settings, it doesn't have a cookie, but I thought if SSO is enabled it passes the user credentials used during login to the GP client.
I think Palo creates its own login credential provider. So you have to make sure that you use the Global Protect login credential provider in order to make SSO work.
On this picture you should see what I mean: