GlobalProtect Client - Cannot add 2nd Account


L1 Bithead

Our company is using GlobalProtect Client version 6.1.0-58

 

I am trying to add a 2nd VPN connection.  The original connection works as it should.  When I try to log into the portal for the new connection, it keeps defaulting to the login email associated with the first account.  I get a login error saying the account does not exist.  I cannot find any way to change the login email for the new account.

 

Thanks in advance 🙂

 

Debug info provided below:


Request Id: 9d71adde-8d11-4bbe-b1b7-fa6a764d3b02

Correlation Id: 70258f00-7ee4-4900-8323-b9ce6b771f8f

Timestamp: 2023-04-05T18:54:56Z

Message: AADSTS90072: User account 'rick.opp@boardriders.com' from identity provider 'https://sts.windows.net/69e26851-3077-423c-9bb2-e6d37e5a50b8/' does not exist in tenant 'MTD Products Inc' and cannot access the application 'https://clientvpn.mtdproducts.com:443/SAML20/SP'(Palo Alto Networks - GlobalProtect) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account

5 REPLIES

Cyber Elite

Hi @Rick-O ,

 

Do you have Single Sign-on configured under Network > GlobalProtect > Portals > [edit portal] > Agent > [edit agent config] > App?  If so, you need to change that to No to prompt for credentials.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Thanks for responding Tom.

 

I am assuming this is a registry entry?  I am unable to find it.

Cyber Elite

Hi @Rick-O ,

 

It is a configuration on the NGFW to which GlobalProtect connects.  It is one possible reason you are not prompted for username and password.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

There are other people in our organization that can connect to the same two connections without problems, so I think the problem is local on my computer.  We have two different connections at different companies that use different email addresses on two different host systems.  My co-worker's client does not default to a saved email.  It tries to log in with his local Windows email account and fails, username@mycompanyname.com.  He is then prompted "Sign out and sign in with a different account" and can enter the email for that connection and then can log in.   When I click on connect for the first connection used after installing GlobalProtect, the client automatically connects without any further action required on my part.  When I try to connect to the second connection that was just added, it defaults to the email of the first connection.  I am not given the option to sign out and sign in with a different account like my co-workers are.

 

Would that problem be a configuration setting on my side or the host?

 

I have tried to find a SSO setting on my computer but have not been able to find anything that helps.

 

One article suggested creating a GlobalProtect Settings registry key use-sso and setting it to no; that did not work.

Another suggested a force-sso-disable and setting it to yes; that didn't work either.

Cyber Elite

Hi @Rick-O ,

 

Thank you for your reply.  That seems to rule out the NGFW.  Nonetheless, it may be helpful to have the firewall people assist.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.