Global Protect cert based authentication.



L1 Bithead

I've got a machine certificate for pre-logon, and that seems to work great, I can see that I am connected to my VPN from the login screen.  But what I have noticed is that when I log into Windows, my username ends up being 'first_name last_name', which is not our actual user naming scheme.  I couldn't figure out where it was pulling that from, because even though the cert profile I have configured points to 'subject', the machine cert subject line is actually blank.


Finally figured out that we have a user cert on our machines issued from the same CA, and I believe once I log into Windows, that is actually the cert that is being used (also verified in the panGPA log).  

Tried changing the parameters of cert profile to point to subject alternative and use user principal name (which is configured on the user cert), but that seems to break pre-logon.


What I am looking for: the simplest solution that gives me pre-logon auth with cert, and Windows login with cert.  Everything 100% cert based, no manual entry of username/password, etc.  And the ability to properly identify usernames in the firewall, perhaps pulling user principal name off of a cert.  Not sure if that needs to be two certs (machine and user), or if it can be combined into one, and not sure the best way to go about pulling user principal name so that I can use username/AD group security policies while not breaking pre-logon.


Thoughts from anyone who has done something similar?



L1 Bithead

An update after further testing.  There is a setting in the Portal/Agent/App config as to what cert store is used.  The default is machine and user.  I did some testing changing this to machine only and user only.  It seems that no matter what selection I make, this solution is dependent on both the machine cert (for pre-logon) and the user cert (for auth once logged into Windows).  And currently my cert profile is set to "subject".  Both my machine cert and user cert have a subject field, although it is blank on my machine cert.  If I try changing the cert profile to reference subject alt and principal name, it breaks pre-logon (maybe because my machine cert does not have a sub alt field), but it does cause the Windows auth to grab the principal name off of the user cert.  If I change the cert profile value to "none", it would seem that pre-logon continues to work, but logon from Windows using the user cert fails and it falls back to asking for credentials.


Hoping to get clarification on the following:


#1 - Do I in fact need to have both of these certs to make this solution work?  Or is there a way to just do it with one or the other?


#2 - If I do need both certs, I think my next steps are to create a machine cert that also has the sub alt field (so that it matches the user cert), and test again changing the cert profile to look at sub alt.


One other note: Instead of having a separate gateway for pre-logon and normal connections, I opted to combine into one gateway.  Seems to work fine and simplify config, but not sure if that could be related to some of my cert issues.
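To see concretely which field each of the two certificates can supply as a username, here is an added example in Go (it is not from this thread and not Palo Alto Networks code). It builds two throwaway self-signed certificates shaped like the ones described above, a machine cert with a blank subject and no SAN, and a user cert with a "First Last" common name plus a UPN otherName in the SAN, then derives a username the way a simplified model of the certificate profile's username-field setting would. The field labels `subject`, `subject-alt` and `none`, the name `First Last` and the UPN `jdoe@corp.example` are constructed for illustration, and `usernameFromCert` is an approximation of the profile setting, not the firewall's own logic.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}                  // id-ce-subjectAltName
var oidMicrosoftUPN = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3} // Microsoft UPN otherName

// otherName is the GeneralName that carries a UPN on a Windows user cert:
// OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT UTF8String }
type otherName struct {
	TypeID asn1.ObjectIdentifier
	Value  string `asn1:"tag:0,explicit,utf8"`
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSigned mints a throwaway self-signed certificate (constructed demo data, not from any real CA).
func selfSigned(subject pkix.Name, extra []pkix.Extension) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: subject, ExtraExtensions: extra,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// demoCerts builds the two shapes the thread describes (constructed demo data): a machine
// cert with a blank subject and no SAN, and a user cert with a "First Last" CN plus a UPN.
func demoCerts() (machine, user *x509.Certificate) {
	on, err := asn1.MarshalWithParams(otherName{oidMicrosoftUPN, "jdoe@corp.example"}, "tag:0") // otherName [0] IMPLICIT
	must(err)
	san, err := asn1.Marshal([]asn1.RawValue{{FullBytes: on}}) // GeneralNames ::= SEQUENCE OF GeneralName
	must(err)
	machine = selfSigned(pkix.Name{}, nil)
	user = selfSigned(pkix.Name{CommonName: "First Last"}, []pkix.Extension{{Id: oidSubjectAltName, Value: san}})
	return machine, user
}

// upnFromSAN walks the SAN GeneralNames and returns the UPN otherName, if there is one.
func upnFromSAN(cert *x509.Certificate) (string, bool) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidSubjectAltName) {
			continue
		}
		var names []asn1.RawValue
		if _, err := asn1.Unmarshal(ext.Value, &names); err != nil {
			return "", false
		}
		for _, name := range names {
			if name.Class != asn1.ClassContextSpecific || name.Tag != 0 {
				continue // dNSName, rfc822Name, ...: not an otherName
			}
			var on otherName
			if _, err := asn1.UnmarshalWithParams(name.FullBytes, &on, "tag:0"); err == nil && on.TypeID.Equal(oidMicrosoftUPN) {
				return on.Value, true
			}
		}
	}
	return "", false
}

// usernameFromCert is a simplified model of a cert profile's "username field" setting:
// "subject" reads the CN, "subject-alt" reads the UPN from the SAN, "none" reads nothing.
func usernameFromCert(cert *x509.Certificate, field string) (string, error) {
	switch field {
	case "subject":
		if cn := cert.Subject.CommonName; cn != "" {
			return cn, nil
		}
		return "", fmt.Errorf("subject CN is blank: no username to map")
	case "subject-alt":
		if upn, ok := upnFromSAN(cert); ok {
			return upn, nil
		}
		return "", fmt.Errorf("no UPN in subjectAltName: no username to map")
	case "none":
		return "", nil
	}
	return "", fmt.Errorf("unknown username field %q", field)
}

func main() {
	machine, user := demoCerts()
	for _, f := range []string{"subject", "subject-alt", "none"} {
		mu, merr := usernameFromCert(machine, f)
		uu, uerr := usernameFromCert(user, f)
		fmt.Printf("field=%-11s machine=%q (%v) | user=%q (%v)\n", f, mu, merr, uu, uerr)
	}
}
```

With the profile modelled as `subject`, the user cert yields its CN ("First Last", the shape of the username the poster saw) while the machine cert yields nothing; with `subject-alt`, only the cert that actually carries a UPN produces a name, and the machine cert with no SAN fails. Pointing `upnFromSAN` at real certificates loaded with `x509.ParseCertificate` is a quick way to confirm which of the deployed certs carries a UPN before changing the profile.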
