Global Protect w Azure SAML/MFA won't trigger logon dialog box

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global Protect w Azure SAML/MFA won't trigger logon dialog box

L3 Networker

On my Cisco ASA I have SAML configured and when I logon I get prompted with a browser dialog box for user name and password which then triggers an MFA token to my smart phone. But for Global Protect the client is going straight to Authentication Failed without prompting me for user name and password - neither within the Global Protect client nor in a separate browser windows. I follow the instructions below. 

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE

 

In System Logs I am seeing the following errors:

palomed_0-1649870982193.png

 

Some debug from PANGPA.LOG:

(P1920-T3992)Debug( 612): 04/13/22 17:21:10:457 CPanBaseConfigMgr::AddPortal - portal gpvpn.abcfi.com is already in list.
(P1920-T3992)Debug( 612): 04/13/22 17:21:10:457 CPanBaseConfigMgr::AddPortal - portal gpvpn.abcfi.com is already in list.
(P1920-T3992)Debug(2199): 04/13/22 17:21:10:457 Dialog Status is going to change from Connecting to Connecting.
(P1920-T3992)Debug( 612): 04/13/22 17:21:10:464 CPanBaseConfigMgr::AddPortal - portal gpvpn.abcfi.com is already in list.
(P1920-T3992)Debug( 612): 04/13/22 17:21:10:464 CPanBaseConfigMgr::AddPortal - portal gpvpn.abcfi.com is already in list.
(P1920-T3992)Debug(2306): 04/13/22 17:21:10:465 receive resize message from 1, and new height is 206.
(P1920-T3992)Debug( 240): 04/13/22 17:21:10:781 CPanSAMLView::OnDocumentComplete - page url navigated to = https://gpvpn.abcfi.com/SAML20/SP/ACS
(P1920-T3992)Debug( 397): 04/13/22 17:21:10:785 CPanClientAuth::GetSavedCredential
(P1920-T3992)Error( 790): 04/13/22 17:21:10:785 RetrieveGPCred failed. hr = 1168
(P1920-T3992)Debug( 612): 04/13/22 17:21:10:785 CPanBaseConfigMgr::AddPortal - portal gpvpn.abcfi.com is already in list.
(P1920-T3992)Debug( 612): 04/13/22 17:21:10:785 CPanBaseConfigMgr::AddPortal - portal gpvpn.abcfi.com is already in list.
(P1920-T3992)Info ( 854): 04/13/22 17:21:10:785 UI send saml username to update.
(P1920-T3992)Debug( 153): 04/13/22 17:21:10:785 CPanClientAuth::HandleNewCredential.
(P1920-T3992)Debug( 297): 04/13/22 17:21:10:785 CPanClientAuth::encryptPwd length 0.
(P1920-T3992)Debug( 309): 04/13/22 17:21:10:785 CPanClientAuth::encryptPwd dwl 32.
(P1920-T3992)Debug( 312): 04/13/22 17:21:10:785 CPanClientAuth::encryptPwd - len 32 .
(P1920-T3992)Debug( 335): 04/13/22 17:21:10:785 CPanClientAuth::encryptBackup user is empty(P1920-T3992)Debug( 353): 04/13/22 17:21:10:785 CPanSAMLView::OnDocumentComplete - saml auth failed eventually. -1 times retries.
(P1920-T12120)Debug( 611): 04/13/22 17:21:10:850 Send command to Pan Service
(P1920-T12120)Debug( 626): 04/13/22 17:21:10:850 Command = <request><type>portal</type><portal>gpvpn.abcfi.com</portal><pid>1920</pid><path>C:\Users\muser\AppData\Local\Palo Alto Networks\GlobalProtect\</path><cert-name>pan-none-cert-selected</cert-name><reconnect-gateway-only>no</reconnect-gateway-only><checkupdate>no</checkupdate><allow-cached-portal>yes</allow-cached-portal><remember-me>yes</remember-me><retrieve-cache-only>no</retrieve-cache-only><manual-select-gateway-ip></manual-select-gateway-ip><portal-certificate-verification>yes</portal-certificate-verification><win-user>mmedw</win-user><user-profile-type>0</user-profile-type><preferred-gateway></preferred-gateway><preferred-gateway-address></preferred-gateway-address><proxy-auto-detect>1</proxy-auto-detect><proxy-config-url></proxy-config-url><proxy></proxy><proxy-bypass></proxy-bypass><saved-user></saved-user><saved-passwd></saved-passwd><portal-2fa>no</portal-2fa><prelogin-cookie>0</prelogin-cookie><saml-username>SAMLUser</saml-username><saml-auth-status>-1</saml-auth-status><saml-auth-error>Authentication Failed.</saml-auth-error><pre-logon-then-on-demand>no</pre-logon-then-on-demand><domain>DESKTOP-5ABC8MQ</domain><default-browser>0</default-browser></request>
(P1920-T12120)Debug( 691): 04/13/22 17:21:10:850 PanClient sent successful with 1216 bytes
(P1920-T3992)Debug( 121): 04/13/22 17:21:10:883 Received data from Pan Service
(P1920-T12120)Debug( 611): 04/13/22 17:21:10:883 Send command to Pan Service
(P1920-T12120)Debug( 639): 04/13/22 17:21:10:883 Command = <request><type>troubleshooting-log</type><error>Authentication Failed.</error><error-details>Authentication Failed.</error-details></request>
(P1920-T3992)Debug( 608): 04/13/22 17:21:10:883 Current status is changed to -1.
(P1920-T3992)Debug( 174): 04/13/22 17:21:10:883 username field is not empty. not override the username.
(P1920-T3992)Debug( 203): 04/13/22 17:21:10:883 CPanBaseReceiver::HandleStatus - found discover-ready tag. value = n.
(P1920-T3992)Debug( 210): 04/13/22 17:21:10:883 CPanBaseReceiver::HandleStatus - found cdl-log tag. value = n.
(P1920-T3992)Debug( 270): 04/13/22 17:21:10:883 message type from the service = s
<?xml version="1.0" encoding="UTF-8"?>
<response>
<type>status</type>
<status>Disconnected</status>
<protocol/>
<portal-config-version>0</portal-config-version>
<error-must-show/>
<error-must-show-level>error</error-must-show-level>
<error>Authentication Failed.</error>
<product-version>5.2.5-66</product-version>
<product-code>&quot;{C531B514-763E-4495-A3C4-1B28C749A343}&quot;</product-code>
<portal-status>Invalid portal</portal-status>
<user-name/>
<username-type>regular</username-type>
<state>Disconnected</state>
<check-version>no</check-version>
<portal>gpvpn.abcfi.com</portal>
<discover-ready>no</discover-ready>
<mdm-is-enabled>no</mdm-is-enabled>
<cdl-log>no</cdl-log>

0 REPLIES 0
  • 3917 Views
  • 0 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!