This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

GP on Windows 11 - client certificate issue

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GP on Windows 11 - client certificate issue

santonic
L6 Presenter

‎05-23-2022 02:47 AM

Our customer is having issues with GP 5.2.10-6 on Windows 11. They are using client certificates for authentication and after a while a connection fails due to no client certificate present. If we check MMC the certificate is present, valid and has private key. 

But GP logs say:

(P9292-T12792)Error(2290): 05/23/22 07:03:00:014 error = ERROR_WINHTTP_CLIENT_CERT_NO_ACCESS_PRIVATE_KEY

(P9292-T12792)Debug(2377): 05/23/22 07:03:00:014 winhttpObj, got ERROR_WINHTTP_CLIENT_CERT_NO_ACCESS_PRIVATE_KEY, clean cert cache now

(P9292-T12792)Debug(4578): 05/23/22 07:03:00:014 winhttpobj, cert do not has private key???? clean lastIssuerName now, data = 0000000000000000

 

There is a reddit post about it:

https://www.reddit.com/r/sysadmin/comments/sd3m6v/windows_11_tpm_and_vpn_issue/

 

But nothing on PA forums or KB. How many ppl are having similar issues? Any more info from PA support about this?

0 Likes Likes
4 REPLIES 4

Adrian_Jensen
L6 Presenter

‎05-23-2022 01:36 PM - edited ‎05-23-2022 01:37 PM

 I had this exact same problem a few weeks ago on a PC which the user had upgraded to Win11 (without permission but..).

 

The problem is that the upgrade broke permissions for the GP client to access the private key, but it could read the public portion of the certificate just fine. Using MMC, nothing was apparent as being wrong. The fix is to manually export the user's certificate, including the private key, and save it. Delete the certificate from the user's cert store. Then re-import the saved key back into the certificate store. The GP client will now be able to read the private key. Alternatively, you can delete the old certificate and regenerate it (though you probably need to be connected/domain joined to do that in most cases).

 

See my previous thread:

https://live.paloaltonetworks.com/t5/globalprotect-discussions/windows11-fails-to-connect-to-portal-...

0 Likes Likes

santonic
L6 Presenter

‎05-23-2022 11:31 PM

Thank you for info @Adrian_Jensen

In our case it's fresh installations of Windows 11. First the access with GP works for a couple of days, weeks, months... and then it stops. After that the new client certificate has to be installed and the access starts working again.

 

0 Likes Likes

Adrian_Jensen
L6 Presenter

‎05-24-2022 08:27 AM

If you export/re-import the old certificate does it work again? Or does it have to be a new certificate?

0 Likes Likes

santonic
L6 Presenter

‎05-25-2022 12:15 AM

The certificates are marked as non exportable so they can't in a 'normal' way. I know there is a way with MimiKatz... 🙂 

0 Likes Likes
  • 5390 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks