Global Protect w Azure SAML/MFA won't trigger logon dialog box


L3 Networker

On my Cisco ASA I have SAML configured and when I log on I get prompted with a browser dialog box for user name and password, which then triggers an MFA token to my smart phone. But for Global Protect the client is going straight to Authentication Failed without prompting me for user name and password, neither within the Global Protect client nor in a separate browser window. I followed the instructions below.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE

 

In System Logs I am seeing the following errors:

[Screenshot: palomed_0-1649870982193.png]

 

Some debug from PANGPA.LOG:

(P1920-T3992)Debug( 612): 04/13/22 17:21:10:457 CPanBaseConfigMgr::AddPortal - portal gpvpn.abcfi.com is already in list.
(P1920-T3992)Debug( 612): 04/13/22 17:21:10:457 CPanBaseConfigMgr::AddPortal - portal gpvpn.abcfi.com is already in list.
(P1920-T3992)Debug(2199): 04/13/22 17:21:10:457 Dialog Status is going to change from Connecting to Connecting.
(P1920-T3992)Debug( 612): 04/13/22 17:21:10:464 CPanBaseConfigMgr::AddPortal - portal gpvpn.abcfi.com is already in list.
(P1920-T3992)Debug( 612): 04/13/22 17:21:10:464 CPanBaseConfigMgr::AddPortal - portal gpvpn.abcfi.com is already in list.
(P1920-T3992)Debug(2306): 04/13/22 17:21:10:465 receive resize message from 1, and new height is 206.
(P1920-T3992)Debug( 240): 04/13/22 17:21:10:781 CPanSAMLView::OnDocumentComplete - page url navigated to = https://gpvpn.abcfi.com/SAML20/SP/ACS
(P1920-T3992)Debug( 397): 04/13/22 17:21:10:785 CPanClientAuth::GetSavedCredential
(P1920-T3992)Error( 790): 04/13/22 17:21:10:785 RetrieveGPCred failed. hr = 1168
(P1920-T3992)Debug( 612): 04/13/22 17:21:10:785 CPanBaseConfigMgr::AddPortal - portal gpvpn.abcfi.com is already in list.
(P1920-T3992)Debug( 612): 04/13/22 17:21:10:785 CPanBaseConfigMgr::AddPortal - portal gpvpn.abcfi.com is already in list.
(P1920-T3992)Info ( 854): 04/13/22 17:21:10:785 UI send saml username to update.
(P1920-T3992)Debug( 153): 04/13/22 17:21:10:785 CPanClientAuth::HandleNewCredential.
(P1920-T3992)Debug( 297): 04/13/22 17:21:10:785 CPanClientAuth::encryptPwd length 0.
(P1920-T3992)Debug( 309): 04/13/22 17:21:10:785 CPanClientAuth::encryptPwd dwl 32.
(P1920-T3992)Debug( 312): 04/13/22 17:21:10:785 CPanClientAuth::encryptPwd - len 32 .
(P1920-T3992)Debug( 335): 04/13/22 17:21:10:785 CPanClientAuth::encryptBackup user is empty(P1920-T3992)Debug( 353): 04/13/22 17:21:10:785 CPanSAMLView::OnDocumentComplete - saml auth failed eventually. -1 times retries.
(P1920-T12120)Debug( 611): 04/13/22 17:21:10:850 Send command to Pan Service
(P1920-T12120)Debug( 626): 04/13/22 17:21:10:850 Command = <request><type>portal</type><portal>gpvpn.abcfi.com</portal><pid>1920</pid><path>C:\Users\muser\AppData\Local\Palo Alto Networks\GlobalProtect\</path><cert-name>pan-none-cert-selected</cert-name><reconnect-gateway-only>no</reconnect-gateway-only><checkupdate>no</checkupdate><allow-cached-portal>yes</allow-cached-portal><remember-me>yes</remember-me><retrieve-cache-only>no</retrieve-cache-only><manual-select-gateway-ip></manual-select-gateway-ip><portal-certificate-verification>yes</portal-certificate-verification><win-user>mmedw</win-user><user-profile-type>0</user-profile-type><preferred-gateway></preferred-gateway><preferred-gateway-address></preferred-gateway-address><proxy-auto-detect>1</proxy-auto-detect><proxy-config-url></proxy-config-url><proxy></proxy><proxy-bypass></proxy-bypass><saved-user></saved-user><saved-passwd></saved-passwd><portal-2fa>no</portal-2fa><prelogin-cookie>0</prelogin-cookie><saml-username>SAMLUser</saml-username><saml-auth-status>-1</saml-auth-status><saml-auth-error>Authentication Failed.</saml-auth-error><pre-logon-then-on-demand>no</pre-logon-then-on-demand><domain>DESKTOP-5ABC8MQ</domain><default-browser>0</default-browser></request>
(P1920-T12120)Debug( 691): 04/13/22 17:21:10:850 PanClient sent successful with 1216 bytes
(P1920-T3992)Debug( 121): 04/13/22 17:21:10:883 Received data from Pan Service
(P1920-T12120)Debug( 611): 04/13/22 17:21:10:883 Send command to Pan Service
(P1920-T12120)Debug( 639): 04/13/22 17:21:10:883 Command = <request><type>troubleshooting-log</type><error>Authentication Failed.</error><error-details>Authentication Failed.</error-details></request>
(P1920-T3992)Debug( 608): 04/13/22 17:21:10:883 Current status is changed to -1.
(P1920-T3992)Debug( 174): 04/13/22 17:21:10:883 username field is not empty. not override the username.
(P1920-T3992)Debug( 203): 04/13/22 17:21:10:883 CPanBaseReceiver::HandleStatus - found discover-ready tag. value = n.
(P1920-T3992)Debug( 210): 04/13/22 17:21:10:883 CPanBaseReceiver::HandleStatus - found cdl-log tag. value = n.
(P1920-T3992)Debug( 270): 04/13/22 17:21:10:883 message type from the service = s
<?xml version="1.0" encoding="UTF-8"?>
<response>
<type>status</type>
<status>Disconnected</status>
<protocol/>
<portal-config-version>0</portal-config-version>
<error-must-show/>
<error-must-show-level>error</error-must-show-level>
<error>Authentication Failed.</error>
<product-version>5.2.5-66</product-version>
<product-code>&quot;{C531B514-763E-4495-A3C4-1B28C749A343}&quot;</product-code>
<portal-status>Invalid portal</portal-status>
<user-name/>
<username-type>regular</username-type>
<state>Disconnected</state>
<check-version>no</check-version>
<portal>gpvpn.abcfi.com</portal>
<discover-ready>no</discover-ready>
<mdm-is-enabled>no</mdm-is-enabled>
<cdl-log>no</cdl-log>
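
Added example, not part of the original post: a short Python triage script that pulls the SAML-related evidence out of a PanGPA.log excerpt like the one above (the URLs the embedded SAML view loaded, the failure marker, and the `saml-*` fields in the command sent to the service). The sample lines are trimmed from the excerpt above, and the strings it matches on are assumptions taken only from what is visible in this log, not from a documented log format.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: four entries on three lines, trimmed from the excerpt
# above (the Command XML is shortened to the SAML-related fields).
SAMPLE = r"""(P1920-T3992)Debug( 240): 04/13/22 17:21:10:781 CPanSAMLView::OnDocumentComplete - page url navigated to = https://gpvpn.abcfi.com/SAML20/SP/ACS
(P1920-T3992)Debug( 335): 04/13/22 17:21:10:785 CPanClientAuth::encryptBackup user is empty(P1920-T3992)Debug( 353): 04/13/22 17:21:10:785 CPanSAMLView::OnDocumentComplete - saml auth failed eventually. -1 times retries.
(P1920-T12120)Debug( 626): 04/13/22 17:21:10:850 Command = <request><type>portal</type><portal>gpvpn.abcfi.com</portal><saml-username>SAMLUser</saml-username><saml-auth-status>-1</saml-auth-status><saml-auth-error>Authentication Failed.</saml-auth-error></request>
"""

# An entry starts with "(P<pid>-T<tid>)Level( line): MM/DD/YY HH:MM:SS:mmm ".
ENTRY = re.compile(r"\(P(\d+)-T(\d+)\)(\w+)\s*\(\s*(\d+)\): (\S+ \S+) ")

def split_entries(text):
    """Yield (level, timestamp, message); also splits entries fused on one line."""
    marks = list(ENTRY.finditer(text))
    for m, nxt in zip(marks, marks[1:] + [None]):
        end = nxt.start() if nxt else len(text)
        yield m.group(3), m.group(5), text[m.end():end].strip()

def saml_summary(text):
    """Collect the URLs the SAML view loaded and the saml-* fields sent to the service."""
    out = {"urls": [], "failed": False, "fields": {}}
    for _level, _ts, msg in split_entries(text):
        if "page url navigated to = " in msg:
            out["urls"].append(msg.split("navigated to = ", 1)[1])
        elif "saml auth failed" in msg:
            out["failed"] = True
        elif msg.startswith("Command = <request>"):
            # The command body is a single-line XML document.
            req = ET.fromstring(msg[len("Command = "):])
            for el in req:
                if el.tag.startswith("saml-"):
                    out["fields"][el.tag] = el.text
    return out

if __name__ == "__main__":
    print(saml_summary(SAMPLE))
```
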
