GlobalProtect "You are not authorized to connect to GlobalProtect Portal" Error

L2 Linker


Happy Thanksgiving all,

 

I just updated from 8.0.12 to 8.1.4 on 11/20.  I was able to connect to GlobalProtect from the time I upgraded until about 6 hours later.  I now get the error "You are not authorized to connect to GlobalProtect Portal".  Initially, I thought this may be licensing, but it is not system wide.  It currently only affects myself and one other user.  Looking at the PanGP Agent logs, I find the Agent is not updating the portal configuration.  On the Firewall itself, I see an Auth success event, followed immediately by an Auth Failure event in the portal.  No changes have been made on the firewall or my computer.

 

I have an open case with Palo, but it hasn't been resolved as of yet.


Any help is greatly appreciated.

 

Snippet of log:

 

<response>
<type>portal</type>
<status>Disconnected</status>
<protocol/>
<portal-config-version>0</portal-config-version>
<error>You are not authorized to connect to GlobalProtect Portal.</error>
<product-version>4.1.4-13</product-version>
<product-code>&quot;{6364C46E-8960-4FCC-A5A6-0BDDB3253850}&quot;</product-code>
<portal-status>No portal configuration</portal-status>
<user-name>ebrookman</user-name>
<username-type>sso</username-type>
<state>Disconnected</state>
<check-version>no</check-version>
<portal>vpn.***********.org</portal>
<mdm-is-enabled>no</mdm-is-enabled>
</response>


Accepted Solutions
L1 Bithead

I ran across this not that long ago and because I was using an AD group I had to add it under User-Id/Group Mapping Settings.  Once I did that I stopped getting the error.  Not sure if that is your case.



All Replies
Cyber Elite

@ebrookman,

Can you attach the configuration of the actual Portal, preferably as XML if you have it available? During updates the spacing sometimes gets screwed up and causes things to stop functioning.


L2 Linker

That is exactly what the problem was.


Thanks,

Eric

L0 Member

I had a similar issue and engaged TAC, but we couldn't find any definitive root cause as to why this issue popped up after we upgraded from 7.1 to 8.1. The following two steps resolved the issue for us.

1. Remove User Domain from Group Mapping
2. Remove AD Group in Portal > Agent > User/User Group

The root cause is still under investigation, but I suspect this has something to do with the way the firewall normalized usernames (Group Mapping) in the previous OS.


If the Primary Username is in User Principal Name (UPN) format, it will not be normalized in the domain\username format as in previous versions. For example, if the Primary Username is received in the UPN format, it will be displayed as username@domain, not domain\username

From : https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/user-id-features/support-for-multip...
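The format mismatch described in the post above, as an added example (not from the thread and not Palo Alto Networks code): a simplified model, not PAN-OS's actual matching logic, that reads the user-name from a PanGP-style response and reports group-mapping members that name the same account in a different format. The sample response, the member list and the NetBIOS-to-DNS domain map are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the PanGP <response> in the thread (not a real log).
SAMPLE_RESPONSE = """<response>
<type>portal</type>
<error>You are not authorized to connect to GlobalProtect Portal.</error>
<portal-status>No portal configuration</portal-status>
<user-name>jdoe@example.org</user-name>
</response>"""

# Assumption: NetBIOS domain name -> DNS domain, supplied by the operator.
DOMAIN_MAP = {"example": "example.org"}

def canonical(name, domain_map=DOMAIN_MAP):
    """Return (format, user, dns_domain) for domain\\user, user@domain or user."""
    name = name.strip()
    if "\\" in name:
        dom, user = name.split("\\", 1)
        return "down-level", user.lower(), domain_map.get(dom.lower(), dom.lower())
    if "@" in name:
        user, dom = name.rsplit("@", 1)
        return "upn", user.lower(), dom.lower()
    return "bare", name.lower(), None

def diagnose(response_xml, group_members, domain_map=DOMAIN_MAP):
    """Compare the agent's user-name with group members, literally and canonically."""
    root = ET.fromstring(response_xml)
    login = root.findtext("user-name", default="")
    fmt, user, dom = canonical(login, domain_map)
    # Literal comparison: what a plain string match against the list would see.
    exact = any(m.lower() == login.lower() for m in group_members)
    # Same account, different spelling: equal user, and equal domain when both known.
    near = []
    for m in group_members:
        _, m_user, m_dom = canonical(m, domain_map)
        same_dom = dom is None or m_dom is None or dom == m_dom
        if m_user == user and same_dom and m.lower() != login.lower():
            near.append(m)
    return {"login": login, "format": fmt, "error": root.findtext("error"),
            "exact_match": exact, "format_mismatch": near}

if __name__ == "__main__":
    members = ["EXAMPLE\\jdoe", "EXAMPLE\\asmith"]  # constructed group members
    print(diagnose(SAMPLE_RESPONSE, members))
```

A non-empty `format_mismatch` with `exact_match` false is the pattern to look for when an upgrade changes how usernames are displayed: the account is in the group, but under a different spelling than the one the login presents.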
