09-06-2018 02:31 PM
I have configured GlobalProtect to use Authentication Profile using LDAP (sAMAccountName) and a Certificate profile.
I have user certificates pushed through Group Policy. The configuration works. However, I noticed a few things:
1) If I log in as UserA and delete the certificate from UserA's personal store, VPN will not connect (this is expected)
2) If I log in as UserA, delete UserA's certificate and import UserB's certificate, VPN connects! (this is unexpected)
The easy and obvious solution is don't allow export of certificates. I feel there should be a way to prevent this scenario from connecting, but haven't been able to figure it out.
09-06-2018 04:54 PM
Do you have a Username Field specified in your Certificate Profile?
If you do, the Username field in the GP Client should be locked and you would need to use UserB's password to log in.
09-06-2018 06:11 PM
@asilliker I tried setting the Username Field in the certificate profile to Subject Alt. It surely fixes the username issue, as it causes the username to be username@mydomain.com and greyed out. The problem is it will never accept the user's password, even if it's the right username/password combo.
09-06-2018 06:24 PM
Duh, me. I figured it out: my authentication profile needed to be changed from sAMAccountName to userPrincipalName.
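The binding the thread arrives at, as an added illustration that is not code from the thread or from Palo Alto: the certificate profile's Username Field takes the identity from the certificate's SAN UPN, and the authentication profile then has to verify the password against that same userPrincipalName. It assumes the `cryptography` library, self-signed test certificates generated inline, and a constructed in-memory directory in place of LDAP.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Microsoft's otherName OID for the User Principal Name in the SAN extension.
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")

# Constructed stand-in for the directory: userPrincipalName -> password.
DIRECTORY = {"usera@mydomain.com": "pw-a", "userb@mydomain.com": "pw-b"}


def make_user_cert(upn):
    """Self-signed test certificate carrying the UPN in its SAN (constructed, not an ADCS cert)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, upn.split("@")[0])])
    now = datetime.datetime.now(datetime.timezone.utc)
    # The otherName value is DER: UTF8String tag (0x0c), short-form length, then the bytes.
    upn_der = b"\x0c" + bytes([len(upn)]) + upn.encode()
    san = x509.SubjectAlternativeName([x509.OtherName(UPN_OID, upn_der)])
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(san, critical=False)
            .sign(key, hashes.SHA256()))


def upn_from_cert(cert):
    """Return the UPN found in the SAN otherName, or None if the cert carries none."""
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    for other in san.get_values_for_type(x509.OtherName):
        if other.type_id == UPN_OID:
            return other.value[2:].decode()  # strip the DER tag and length bytes
    return None


def gp_login(cert, typed_username, password, username_field_from_cert):
    """Model of the two configurations discussed in the thread.

    username_field_from_cert=False: the client sends a free-form username and the
    certificate is only checked for validity, so any valid cert plus any valid
    password passes (UserA with UserB's cert connects).
    username_field_from_cert=True: the identity comes from the cert's UPN, so the
    password must belong to the certificate holder.
    """
    username = upn_from_cert(cert) if username_field_from_cert else typed_username
    if username is None:
        return False
    return DIRECTORY.get(username) == password
```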
09-14-2018 03:00 PM
@ce1028 I am interested in getting the user certificate configured as well. Did you configure the user certificate yourself, or was it done previously by someone else? Just curious if you have tips or a good reference guide to set up the user certificate correctly. I've only been able to set up device certificates with ADCS, but I keep getting impersonation errors when trying to deploy user certificates. Any guide or reference point would be much appreciated.
09-18-2018 06:23 PM
@harevalo_eog Yes, I did; it's been a long time since I've touched certificate services. See if this video helps you, at least from the ADCS side:
https://www.youtube.com/watch?v=S7IFp8cGOLs