Global Protect user-pre-logon from Windows domain login first time user


ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

L0 Member

Global Protect user-pre-logon from Windows domain login first time user

I'm having an issue finding an all inclusive document that can help me validate my GP portal and gw config to allow new users who receive a domain joined laptop be able to log into the domain on receipt of the laptop


current gw is pre-login with on-demand

all laptop have machine cert installed from our domain

for purposes of the test I have a new user set up in AD that I use for a test (un-successfully to date)

I have set up my domain joined laptop and adjusted the PaloAlto registry entries to show pre-logon=1, user-sso=yes, showprelogonbutton=yes.


reboot the machine and I do get the GP logo with the connect/not connected verbiage.


My expectations are this

user gets to the Windows login screen

Selects the login method (Selects the GP icon)

user enters their username and password

user hits "Enter"/"Return"


nothing happens........(very frustrating)


I would have expected the laptop to reach out to the GP gateway, validated itself via the machine certs, then passed the user creds along to validate against Active Directory resulting in a subsequent successful user logon to the laptop.  At this point Windows will take over and start the new user setup (profile setup) that you get with any first time new user login to a windows machine.


The only thing that I can think of is that I have noticed in the past with the GP install that the username gets prepopulated with the domain\username configuration.  Our GP setup only required "username".  Using domain\username will cause an authentication failure.


I have no idea how to verify this and if this is indeed the case, how can I force GP to start-up using just the "username" and not "domain\username"


Any advice would be appreciated.



Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!