How to connect users to their domain via GlobalProtect


L4 Transporter

Hello,

 

We need a solution to first join the users to their domain via GlobalProtect; after that, clients MUST be able to reset/change their password.

We were thinking of using Pre-logon; however, this requires a machine certificate and the customer is not willing to spend anything on this.

Is there a way to implement this request? Kindly provide some KBs as well.

 

Thanks in advance.


Accepted Solutions

Cyber Elite

Hello @FarzanaMustafa 

 

If the user is part of a Windows Domain network, the machine cert is FREE. It should be deployed to the user PRIOR to even having GP on the computer. Once a machine cert, signed by the ECA (enterprise CA), is in place, the user can do auth with a machine cert. No cost involved.

 

 

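Before relying on the machine-certificate approach described in the accepted answer, it is worth confirming on a domain-joined workstation that an enterprise-CA-issued machine certificate with a private key and the Client Authentication EKU is actually present. The PowerShell check below is an added example, not code from the thread or from Palo Alto Networks; the issuer name `Contoso-Issuing-CA` is a placeholder for the real enterprise CA, and GPO autoenrollment is assumed to be the deployment path.

```powershell
# Added example: verify a usable machine certificate exists for GlobalProtect pre-logon.
# Assumption: the enterprise CA's CN is 'Contoso-Issuing-CA' (placeholder, change it).
param(
    [string]$EnterpriseCaName = 'CN=Contoso-Issuing-CA'
)

# Standard OID for the Client Authentication enhanced key usage.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$now = Get-Date

# Machine certificates live in the LocalMachine Personal store.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*$EnterpriseCaName*" }

$results = foreach ($cert in $candidates) {
    # Collect EKU OIDs from the certificate's Enhanced Key Usage extension, if any.
    $ekus = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        ClientAuthEku = ($ekus -contains $clientAuthOid)
        Valid         = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
    }
}

# A certificate is usable for pre-logon only if all three conditions hold.
$usable = $results | Where-Object { $_.HasPrivateKey -and $_.ClientAuthEku -and $_.Valid }

if ($usable) {
    Write-Output "Usable machine certificate(s) issued by $EnterpriseCaName :"
    $usable | Format-Table -AutoSize
} else {
    Write-Warning "No usable machine certificate from $EnterpriseCaName found; check GPO autoenrollment (gpupdate /force) before enabling pre-logon."
    $results | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session on a candidate workstation; certificates issued by the enterprise CA but lacking a private key or the Client Authentication EKU are listed so the template can be corrected.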

Cyber Elite

@FarzanaMustafa,

The actual computers will already be joined to the domain, correct? I'm assuming that the answer to this is yes, because otherwise this really isn't going to work regardless of what you do.

 

If they aren't willing to pay for the time needed to do a proper pre-logon configuration, you could always use the new GlobalProtect 5.2 agent and Connect Before Logon (CBL). Essentially this acts the same as the old SBL configuration with AnyConnect, if you are familiar with that. It allows a user to manually initiate a VPN connection prior to logging into the system. That sounds like it would meet all of the requirements you listed.

 

https://docs.paloaltonetworks.com/globalprotect/10-0/globalprotect-admin/globalprotect-apps/deploy-a...

L3 Networker

Hello,

 

- If computers are already joined to the domain, cookie authentication can be used with the "pre-logon (always on)" feature without using a client certificate.

- This config must be used alongside other authentication mechanisms like "LDAP" in order for the client to receive the cookie.

With this config, a cookie will be generated by the firewall and sent to the client profile folder under "%LocalAppData%\Palo Alto Networks\GlobalProtect\" as a <somenumbers>.dat file.

- So within the cookie lifetime the client can connect to the gateway in the pre-logon state and users can change their password.

 

I used this article:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boODCAY

 

Have a nice day.

UP

L0 Member

Hi, I have trouble creating my account, please help.

J.Amos


@135267895 
Which account? It looks like you are logged into this LIVE account and posting a message.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

Yes, but when I want to create an account it says contact support. What can I do? I'm lost.

J.Amos