04-05-2023 11:57 AM
Our company is using GlobalProtect Client version 6.1.0-58
I am trying to add a 2nd VPN connection. The original connection works as it should. When I try to log into the portal for the new connection, it keeps defaulting to the login email associated with the first account. I get a login error saying the account does not exist. I cannot find any way to change the login email for the new account.
Thanks in advance 🙂
Debug info provided below:
Request Id: 9d71adde-8d11-4bbe-b1b7-fa6a764d3b02
Correlation Id: 70258f00-7ee4-4900-8323-b9ce6b771f8f
Message: AADSTS90072: User account 'firstname.lastname@example.org' from identity provider 'https://sts.windows.net/69e26851-3077-423c-9bb2-e6d37e5a50b8/' does not exist in tenant 'MTD Products Inc' and cannot access the application 'https://clientvpn.mtdproducts.com:443/SAML20/SP'(Palo Alto Networks - GlobalProtect) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account
04-06-2023 05:24 AM - edited 04-06-2023 07:13 AM
Hi @Rick-O ,
Do you have Single Sign-on configured under Network > GlobalProtect > Portals > [edit portal] > Agent > [edit agent config] > App? If so, you need to change that to No to prompt for credentials.
04-06-2023 07:05 AM
Thanks for responding Tom.
I am assuming this is a registry entry? I am unable to find it.
04-06-2023 07:13 AM
Hi @Rick-O ,
It is a configuration on the NGFW to which GlobalProtect connects. It is one possible reason you are not prompted for username and password.
04-06-2023 11:14 AM
There are other people in our organization that can connect to the same two connections without problems, so I think the problem is local on my computer. We have two different connections at different companies that use different email addresses on two different host systems. My co-worker's client does not default to a saved email. It tries to log in with his local Windows email account and fails, email@example.com. He is then prompted "Sign out and sign in with a different account" and can enter the email for that connection and then can log in. When I click on connect for the first connection used after installing GlobalProtect, the client automatically connects without any further action required on my part. When I try to connect to the second connection that was just added, it defaults to the email of the first connection. I am not given the option to sign out and sign in with a different account like my co-workers are.
Would that problem be a configuration setting on my side or the host?
I have tried to find a SSO setting on my computer but have not been able to find anything that helps.
One article suggested creating a GlobalProtect Settings registry key use-sso and setting it to no, that did not work.
Another suggested a force-sso-disable and setting it to yes, that didn't work either.
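As an added example (not from this thread and not Palo Alto Networks' own tooling), the following PowerShell check reports whether the use-sso and force-sso-disable values mentioned above actually exist, in which hive, and with what type and value, so "I created the key and it did nothing" can be narrowed down to a missing key, the wrong hive (HKCU or WOW6432Node instead of the 64-bit HKLM view), or the wrong value type. The Settings key path and the expectation that GlobalProtect reads these as string values of yes/no are assumptions to confirm against the GlobalProtect admin guide for your client version.

```powershell
# Added example, not code from the thread or from Palo Alto Networks.
# Reports the state of the GlobalProtect SSO-related registry values discussed
# above in the 64-bit, WOW6432Node and per-user views of the Settings key.
# ASSUMPTIONS: the key path below and the string ("yes"/"no") value format;
# verify both against the GlobalProtect admin guide for your version.

$paths = @(
    'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings',
    'HKLM:\SOFTWARE\WOW6432Node\Palo Alto Networks\GlobalProtect\Settings',
    'HKCU:\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings'
)
$names = @('use-sso', 'force-sso-disable')

function Get-GPSsoSettingState {
    foreach ($path in $paths) {
        $exists = Test-Path -LiteralPath $path
        foreach ($name in $names) {
            $value = $null
            $kind  = 'Absent'
            if ($exists) {
                # Get-Item on a registry path returns a Microsoft.Win32.RegistryKey,
                # so the .NET RegistryKey methods are available directly.
                $item = Get-Item -LiteralPath $path
                if ($item.GetValueNames() -contains $name) {
                    $value = $item.GetValue($name)
                    $kind  = $item.GetValueKind($name).ToString()
                }
            }
            # A DWORD 0/1 or a misspelled string is the usual reason a setting
            # "did not work"; flag anything that is not a REG_SZ of yes/no.
            $looksValid = ($kind -eq 'String') -and ($value -in @('yes', 'no'))
            [pscustomobject]@{
                Path       = $path
                KeyExists  = $exists
                Name       = $name
                Type       = $kind
                Value      = $value
                LooksValid = $looksValid
            }
        }
    }
}

Get-GPSsoSettingState | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt. A row with LooksValid False for the 64-bit HKLM path (for example Type DWORD, or a value under HKCU only) is the first thing to correct; after changing a value, restart the GlobalProtect service (PanGPS) or reboot so the client re-reads the setting.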
04-06-2023 11:50 AM
Hi @Rick-O ,
Thank you for your reply. That seems to rule out the NGFW. Nonetheless, it may be helpful to have the firewall people assist.