GlobalProtect with machine cert

L3 Networker


Hi,

I'm having a challenge with GlobalProtect when trying to do LDAP authentication with a machine cert (from internal MS PKI). I've tried both the computer and workstation authentication templates, but neither worked. GlobalProtect states certificate is missing. I'm not doing pre-logon; I have GP set to always on. In the GP portal app settings, I have the client certificate store check set to machine. Is this not supported, or am I missing something else?

As a test, I deployed a user certificate from the same MS PKI, set the GP client store to be user, and that works as expected.

L7 Applicator

Re: GlobalProtect with machine cert

Certificates in the machine store do work; perhaps it's the type of certificate you are using. You say you have a user cert that works in the user store; try importing this to the machine personal store and see what happens.

Also... import the machine cert to the user store to see if it is accepted. If not, then probably wrong type of cert.

L3 Networker

Re: GlobalProtect with machine cert

@MickBall

Thanks for the reply. I'm not sure it's the type of cert that I'm using, as both templates that I have tried are computer certs.

I can try moving the user cert to the computer store, but that's not really going to help me determine what the problem is.

L7 Applicator

Re: GlobalProtect with machine cert

There is a difference in the Windows world between machine certs and user certs.

We use user certs for GP and computer certs for network access control on our LAN switches.

The computer cert cannot be used for GP auth.

So if you move the user cert into the computer store, this will prove my limited theory.

I think the app setting means look in both places rather than user or machine actual cert.

L3 Networker

Re: GlobalProtect with machine cert

@MickBall ah, thanks. That would explain it, but also would be useless for me. I'm trying to use computer certs; that way, regardless of user, the machine would have a cert.

Windows won't put a user cert in the computer store on its own, but I will definitely try your suggestion to see. Thanks!

L7 Applicator

Re: GlobalProtect with machine cert

Yes, I only suggest putting the user cert into the computer store just to make sure all of your GP stuff is set and working correctly.

If this proves successful, then start looking at the difference between user and computer certs.

I'm sure that the default AD template for machine certs does not populate the subject field, and although you can set your Palo certificate profile "Username" field to "None", I don't think GP will validate a certificate without the subject field populated.

L3 Networker

Re: GlobalProtect with machine cert

@MickBall

Edited my post. I was able to get it to work. It was a configuration issue in my lab. I set the computer template to include a subject and it worked like a charm.
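
The fix reported in this thread was a computer certificate template that issued certificates with an empty Subject. The PowerShell below is an added example, not code from the original posts or from Palo Alto Networks, that audits the local machine Personal store for that condition. The function name `Test-MachineCertForClientAuth` is hypothetical, and the private-key, EKU and expiry checks are general client-certificate checks that go beyond what the thread discusses.

```powershell
# Added example (not from the thread): flag machine-store certificates that are
# unlikely to work for certificate-based client authentication.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-MachineCertForClientAuth {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # Collect the EKU OIDs, if the certificate carries an EKU extension.
        $ekuOids = @($Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })

        $findings = @()
        # The condition from this thread: template issued the cert with no Subject.
        if ([string]::IsNullOrWhiteSpace($Certificate.Subject)) {
            $findings += 'Empty Subject'
        }
        # General checks (assumptions beyond the thread):
        if (-not $Certificate.HasPrivateKey) {
            $findings += 'No private key'
        }
        if ($ekuOids.Count -gt 0 -and $ekuOids -notcontains $clientAuthOid) {
            $findings += 'EKU lacks Client Authentication'
        }
        if ($Certificate.NotAfter -lt (Get-Date)) {
            $findings += 'Expired'
        }
        if ($findings.Count -eq 0) { $findings = @('OK') }

        [pscustomobject]@{
            Thumbprint = $Certificate.Thumbprint
            Subject    = $Certificate.Subject
            Issuer     = $Certificate.Issuer
            NotAfter   = $Certificate.NotAfter
            Findings   = $findings -join '; '
        }
    }
}

# Audit the computer's Personal store (the store GP checks when set to "machine").
Get-ChildItem -Path Cert:\LocalMachine\My |
    Test-MachineCertForClientAuth |
    Format-Table -AutoSize -Wrap
```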

 

 
