12-10-2020 07:38 PM - edited 12-10-2020 07:45 PM
Hello,
We need a solution to join the users first to their Domain via Global Protect, and after that the client MUST be able to reset/change their password.
We were thinking of using Pre-logon; however, this requires a machine certificate and the customer is not willing to spend anything on this.
Is there a way to implement the request? Kindly provide some KBs as well.
Thanks in advance.
12-12-2020 08:17 AM
Hello @FarzanaMustafa
If the user is part of a Windows Domain network, the machine cert is FREE. It should be deployed to the user PRIOR to even having GP on the computer. Once a machine cert, signed by the ECA (enterprise CA), is deployed, then the user can do auth with a machine cert. No cost involved.
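One way to check the machine-certificate prerequisite described in this reply, as an added example that is not part of the original thread or of Palo Alto Networks documentation. The issuer pattern is a constructed placeholder, and the criteria used here (private key present, within validity, Client Authentication EKU, issued by the enterprise CA) are assumptions about what a usable machine certificate looks like.

```powershell
# Added example: audit the local machine store for a certificate usable for pre-logon.
# $IssuerPattern is a constructed placeholder; set it to your enterprise CA's name.
param(
    [string]$IssuerPattern = '*EXAMPLE-ENTERPRISE-CA*',
    [int]$WarnDays = 30
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$now = Get-Date

$report = Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # EnhancedKeyUsageList is added by the PowerShell certificate provider.
    $ekuOids = @($cert.EnhancedKeyUsageList | Where-Object { $_ } |
                 ForEach-Object { $_.ObjectId })

    $problems = @()
    if (-not $cert.HasPrivateKey)            { $problems += 'no private key' }
    if ($cert.NotBefore -gt $now)            { $problems += 'not yet valid' }
    if ($cert.NotAfter  -lt $now)            { $problems += 'expired' }
    if ($cert.Issuer -eq $cert.Subject)      { $problems += 'self-signed' }
    if ($cert.Issuer -notlike $IssuerPattern) { $problems += 'issuer is not the enterprise CA' }
    # A certificate with no EKU extension is not restricted to any purpose.
    if ($ekuOids.Count -gt 0 -and $ekuOids -notcontains $clientAuthOid) {
        $problems += 'no Client Authentication EKU'
    }

    $expiresSoon = ($cert.NotAfter -ge $now) -and
                   ($cert.NotAfter -lt $now.AddDays($WarnDays))

    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        Usable      = ($problems.Count -eq 0)
        ExpiresSoon = $expiresSoon
        Problems    = ($problems -join '; ')
    }
}

$report | Format-Table -AutoSize -Wrap
if (-not ($report | Where-Object { $_.Usable })) {
    Write-Warning 'No usable machine certificate found in Cert:\LocalMachine\My.'
}
```

Run it from an elevated PowerShell prompt on a domain-joined client before rolling out the pre-logon configuration.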
12-10-2020 08:13 PM
The actual computers will already be joined to the domain, correct? I'm assuming that the answer to this is yes, because otherwise this really isn't going to work regardless of what you do.
If they aren't willing to pay for the time needed to do a proper pre-logon configuration, you could always use the new GlobalProtect 5.2 agent and Connect Before Logon (CBL). Essentially this acts the same as the old SBL configuration with AnyConnect, if you are familiar with that. It allows a user to manually initiate a VPN connection prior to logging into the system. That sounds like it would meet all of the requirements you listed.
12-12-2020 12:37 AM
Hello,
- If computers are already joined to the domain, cookie authentication can be used with the "pre-log on (always on)" feature without using a client certificate.
- This config must be used alongside other authentication mechanisms like "LDAP" in order for the client to receive the cookie.
With this config, a cookie will be generated by the firewall and sent to the client profile folder under "%LocalAppdata%/Palo Alto Networks\GlobalProtect\" as a <somenumbers>.dat file.
- So within the cookie lifetime the client can connect to the gateway in the pre-log on state and then can change their password.
I used this article:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boODCAY
Have a nice day.
12-12-2020 04:01 AM
Hi I have trouble creating my account please help
12-14-2020 02:14 PM
@135267895
Which account? Looks like you are logged into this LIVE account and posting a message.
12-17-2020 08:54 PM
Yes, but when I want to create an account it says contact support. What can I do? I'm lost.