GlobalProtect 6.3.3 + Duo SAML MFA loop after normal Windows login (works only via GP Credential Provider at Windows logon)


L1 Bithead


Hi everyone,

We are currently facing a strange issue with GlobalProtect + Duo MFA and have been able to narrow it down quite a bit.

I wanted to check if anyone has already seen this behavior.

Environment

  • GlobalProtect Client: 6.3.3-c876
  • Prisma Access Mobile Users
  • Dataplane Version: 10.2.4
  • Authentication: SAML via Cisco Duo
  • Cisco Duo federated to Microsoft Entra ID
  • Windows Hello for Business enabled
  • No Pre-Logon
  • No Connect Before Logon
  • Authentication Override Cookies enabled
  • Tested with Save User Credentials = Yes and No
  • Tested with Default Browser and Embedded Browser

Authentication Flow

The authentication flow is:

GlobalProtect / Prisma Access
→ Cisco Duo SAML
→ Microsoft Entra ID

So the direct IdP configured in Prisma Access is Cisco Duo, while Duo itself is federated with Entra ID.

Problem

We are getting an MFA/SAML authentication loop, but only under specific conditions.

Works correctly

If the user authenticates via the GlobalProtect icon / Credential Provider on the Windows login screen and enters username/password there.

Result:

  • Duo MFA succeeds
  • VPN connects normally
  • no authentication loop

Does NOT work

If the user logs into Windows normally first and GP connects afterward automatically.

It does not matter whether Windows login is done via:

  • Windows Hello PIN
  • regular Windows password
  • biometrics

Behavior:

  1. Duo MFA succeeds
  2. Redirect back to GlobalProtect
  3. GP immediately starts a new auth request
  4. MFA prompt appears again
  5. endless loop

Relevant client log entry

In PanGPA.log we consistently see:

RetrieveGPCred failed. hr = 1168

This seems directly related to the issue.

Already tested

Browser mode

  • Default Browser
  • Embedded Browser

=> no difference


SSO

  • Use Single Sign-On = Yes
  • Use Single Sign-On = No

=> no difference


Save User Credentials

  • Yes
  • No

=> no difference


Authentication Override

  • Generate Cookie enabled
  • Accept Cookie enabled
  • same certificate
  • same lifetime

=> no difference


Interesting observation

The problem does NOT occur when the full authentication flow is handled through the GP Credential Provider at the Windows login screen.

The issue only happens with:

  • normal Windows login
  • followed by automatic GP connection afterward

This makes us suspect:

  • credential retrieval issue
  • WAM/PRT/WHfB-related behavior
  • or possibly a bug in post-logon credential handling

Question

Has anyone seen similar issues with:

  • GP 6.3.x
  • Windows Hello for Business
  • Duo SAML federated to Entra ID
  • Prisma Access
  • RetrieveGPCred failed. hr = 1168

Particularly interested in:

  • known bugs
  • recommended GP versions
  • workarounds
  • known WAM / WHfB issues

Thanks in advance!
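As an added example (not part of the post and not Palo Alto Networks' tooling): a small triage script that parses lines shaped like the PanGPA.log entry above and counts "SAML success, then RetrieveGPCred failure, then a new auth request" cycles, so a loop can be confirmed from the log rather than by watching the prompt. The line layout, the sample lines and the "SAML authentication" message texts are constructed assumptions; only the RetrieveGPCred line comes from the post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, loosely modelled on PanGPA.log. Timestamp layout and the
# SAML message wording are assumptions; only the RetrieveGPCred line is from the post.
SAMPLE_LOG = """\
(T1) 01/20/26 08:00:01:100 Info ( 10): SAML authentication succeeded
(T1) 01/20/26 08:00:01:250 Error( 20): RetrieveGPCred failed. hr = 1168
(T1) 01/20/26 08:00:01:300 Info ( 10): Start SAML authentication
(T1) 01/20/26 08:00:09:100 Info ( 10): SAML authentication succeeded
(T1) 01/20/26 08:00:09:250 Error( 20): RetrieveGPCred failed. hr = 1168
(T1) 01/20/26 08:00:09:300 Info ( 10): Start SAML authentication
(T1) 01/20/26 08:00:17:100 Info ( 10): SAML authentication succeeded
(T1) 01/20/26 08:00:17:250 Error( 20): RetrieveGPCred failed. hr = 1168
(T1) 01/20/26 08:00:17:300 Info ( 10): Start SAML authentication
"""

LINE_RE = re.compile(r"^\(T\d+\)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d):\d+\s+\w+\s*\(\s*\d+\):\s*(.*)$")
CRED_FAIL_RE = re.compile(r"RetrieveGPCred failed\. hr = (\d+)")
# Win32 system error 1168 is ERROR_NOT_FOUND ("Element not found").
WIN32_ERRORS = {1168: "ERROR_NOT_FOUND"}


def parse_lines(text):
    """Yield (timestamp, message) for every line matching the assumed layout."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S"), m.group(2)


def detect_auth_loop(text, window=timedelta(minutes=5), min_cycles=3):
    """Count success -> RetrieveGPCred failure -> re-auth cycles inside `window`."""
    state, cycles, hr_codes, first_ts = 0, 0, set(), None
    for ts, msg in parse_lines(text):
        fail = CRED_FAIL_RE.search(msg)
        if "SAML authentication succeeded" in msg:
            state = 1                       # waiting for the credential retrieval result
        elif fail and state == 1:
            hr_codes.add(int(fail.group(1)))
            state = 2                       # waiting to see whether GP re-authenticates
        elif "Start SAML authentication" in msg and state == 2:
            first_ts = first_ts or ts
            if ts - first_ts <= window:
                cycles += 1                 # one full loop iteration observed
            state = 0
    return {"cycles": cycles, "loop": cycles >= min_cycles,
            "hr_codes": {hr: WIN32_ERRORS.get(hr, "unknown") for hr in sorted(hr_codes)}}


if __name__ == "__main__":
    print(detect_auth_loop(SAMPLE_LOG))
```

Run it against a real PanGPA.log by passing the file contents to detect_auth_loop; lines that do not match the assumed layout are simply skipped.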
