Global Protect user-pre-logon from Windows domain login first time user


L0 Member

I'm having an issue finding an all-inclusive document that can help me validate my GP portal and gw config to allow new users who receive a domain-joined laptop to be able to log into the domain on receipt of the laptop.


Current gw is pre-login with on-demand.

All laptops have a machine cert installed from our domain.

For purposes of the test, I have a new user set up in AD that I use for a test (unsuccessfully to date).

I have set up my domain joined laptop and adjusted the PaloAlto registry entries to show pre-logon=1, user-sso=yes, showprelogonbutton=yes.


I reboot the machine and I do get the GP logo with the connect/not connected verbiage.


My expectations are these:

User gets to the Windows login screen

Selects the login method (selects the GP icon)

User enters their username and password

User hits "Enter"/"Return"


Nothing happens... (very frustrating)


I would have expected the laptop to reach out to the GP gateway, validate itself via the machine certs, then pass the user creds along to validate against Active Directory, resulting in a subsequent successful user logon to the laptop. At this point Windows will take over and start the new user setup (profile setup) that you get with any first-time new user login to a Windows machine.


The only thing that I can think of is that I have noticed in the past with the GP install that the username gets prepopulated with the domain\username configuration.  Our GP setup only required "username".  Using domain\username will cause an authentication failure.


I have no idea how to verify this, and if this is indeed the case, how can I force GP to start up using just the "username" and not "domain\username"?


Any advice would be appreciated.




L0 Member

Hi there,


Exactly the same question here. After the device staging and the GP installation with parameter CONNECTMETHOD="pre-logon", and the domain certificate installed, I would expect that the GP connects pre-logon to be able to process a remote first logon.


I'm afraid that you never received any feedback or reply to your question last year.


Have you found any solution to your problem?
