GP on Windows 11 - client certificate issue


L5 Sessionator

Our customer is having issues with GP 5.2.10-6 on Windows 11. They are using client certificates for authentication, and after a while the connection fails because no client certificate is presented. If we check MMC, the certificate is present, valid and has a private key.

But GP logs say:

(P9292-T12792)Error(2290): 05/23/22 07:03:00:014 error = ERROR_WINHTTP_CLIENT_CERT_NO_ACCESS_PRIVATE_KEY

(P9292-T12792)Debug(2377): 05/23/22 07:03:00:014 winhttpObj, got ERROR_WINHTTP_CLIENT_CERT_NO_ACCESS_PRIVATE_KEY, clean cert cache now

(P9292-T12792)Debug(4578): 05/23/22 07:03:00:014 winhttpobj, cert do not has private key???? clean lastIssuerName now, data = 0000000000000000

There is a reddit post about it:

https://www.reddit.com/r/sysadmin/comments/sd3m6v/windows_11_tpm_and_vpn_issue/

But nothing on the PA forums or KB. How many people are having similar issues? Any more info from PA support about this?

L4 Transporter

I had this exact same problem a few weeks ago on a PC which the user had upgraded to Win11 (without permission, but...).

The problem is that the upgrade broke permissions for the GP client to access the private key, but it could read the public portion of the certificate just fine. Using MMC, nothing was apparent as being wrong. The fix is to manually export the user's certificate, including the private key, and save it. Delete the certificate from the user's cert store. Then re-import the saved key back into the certificate store. The GP client will now be able to read the private key. Alternatively, you can delete the old certificate and regenerate it (though you probably need to be connected/domain joined to do that in most cases).

See my previous thread:

https://live.paloaltonetworks.com/t5/globalprotect-discussions/windows11-fails-to-connect-to-portal-...
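The reply above describes two things an admin has to do by hand: confirm that the logged-on user can really use the private key (MMC only reports that a key is associated, it never exercises it), and, if the key is exportable, rebuild the certificate by exporting and re-importing it. The script below is an added example written for this thread; it is not from the original post and not Palo Alto Networks or GlobalProtect code. It assumes the certificate lives in the current user's personal store (`Cert:\CurrentUser\My`) and has an RSA key; the function names and the `-StorePath` parameter are this example's own.

```powershell
# Added diagnostic/repair example for the thread above (not GlobalProtect code).
# Part 1: enumerate client-auth certificates in the user store and actually perform a
# signing operation with each private key. This reproduces what the GP client's WinHTTP
# call needs to do and what fails with ERROR_WINHTTP_CLIENT_CERT_NO_ACCESS_PRIVATE_KEY.
function Test-ClientCertPrivateKeyAccess {
    [CmdletBinding()]
    param(
        # Assumption: the GP user session uses the current user's personal store.
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth EKU
    $probe = [System.Text.Encoding]::ASCII.GetBytes('private key access probe')   # constructed test data

    Get-ChildItem -Path $StorePath | Where-Object {
        # HasPrivateKey only says a key is *referenced*; the try block below tests if it is *usable*.
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.Count -eq 0 -or $_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
    } | ForEach-Object {
        $cert = $_
        $result = [ordered]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Provider   = $null
            KeyUsable  = $false
            Error      = $null
        }
        try {
            # Opens the key through CNG or a legacy CSP the same way a client application would.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($null -eq $rsa) { throw 'No RSA private key handle returned (non-RSA key or missing key metadata)' }

            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                # 'Microsoft Platform Crypto Provider' here means the key is TPM-backed.
                $result.Provider = $rsa.Key.Provider.Provider
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $result.Provider = $rsa.CspKeyContainerInfo.ProviderName
            }

            # A real signing call is the only reliable test; it fails with an access error
            # when the key container permissions are broken even though MMC looks fine.
            $sig = $rsa.SignData($probe,
                [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
            $result.KeyUsable = ($sig.Length -gt 0)
        } catch {
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

# Part 2: the export / delete / re-import repair from the reply above. The export runs first,
# so on a certificate whose key is marked non-exportable the function stops before deleting
# anything (which is the situation the thread starter later reports).
function Repair-ClientCertByReimport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][securestring]$PfxPassword,
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    $cert = Get-Item -Path (Join-Path $StorePath $Thumbprint)
    $pfx  = Join-Path $env:TEMP "$Thumbprint.pfx"
    try {
        # Throws for a non-exportable key; nothing has been removed at this point.
        Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $PfxPassword | Out-Null
        Remove-Item -Path $cert.PSPath
        # Import creates a fresh key container with the calling user's permissions.
        Import-PfxCertificate -FilePath $pfx -CertStoreLocation $StorePath -Password $PfxPassword | Out-Null
    } finally {
        if (Test-Path $pfx) { Remove-Item -Path $pfx -Force }
    }
}

# Usage: run in the affected user's own (non-elevated) session so the check sees the same
# key access the GlobalProtect client gets.
Test-ClientCertPrivateKeyAccess | Format-Table Subject, Provider, KeyUsable, Error -AutoSize
```

A row with `KeyUsable` false and an access-denied style error while MMC still shows the certificate as having a private key is the symptom from the log lines quoted in the opening post. Run the repair function only on a thumbprint that the diagnostic flagged, and expect it to fail at the export step when the template marked the key non-exportable; in that case the certificate has to be re-enrolled, as the thread goes on to say.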

L5 Sessionator

Thank you for the info @Adrian_Jensen

In our case it's fresh installations of Windows 11. First the access with GP works for a couple of days, weeks, months... and then it stops. After that a new client certificate has to be installed and the access starts working again.

L4 Transporter

If you export/re-import the old certificate does it work again? Or does it have to be a new certificate?

L5 Sessionator

The certificates are marked as non-exportable, so they can't be exported in a 'normal' way. I know there is a way with MimiKatz... 🙂
