12-08-2022 12:52 PM - edited 12-09-2022 04:44 PM
Hi Team
The customer recently updated one of their firewalls to version 10.2.3 and now when we try to connect to the GlobalProtect client on the end user's machines, we are prompted twice to sign in. The monitoring tab gives a failure with "Authentication failed: empty password". Adding to this, we use Cisco Duo for MFA and we are prompted twice to send a push or enter a passcode every time the client attempts to log in.
The issue only started after upgrading the firewall and there is no issue being experienced on the old firewall version.
The customer has tried to move to the newer GP client version:6.0.3 with no change and also tried reverting back to 6.0.1 and we still have the same issue where the client is prompted twice with Duo Push.
We have verified and recommended the configuration as per Palo Best Practice to Generate and Accept the authentication cookie but still no change.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004LvbCAE&lang=en_US%E2%80%A...
Device Checks/Custom Checks on the portal are not enabled and thus it is not overriding the Authentication settings.
No other changes have been made to the configuration and the customer stated that the issue was after upgrading to 10.2.3. I do not see any known issues listed and thus would like to confirm if anybody has seen or faced the issue after the upgrade.
I tried checking the logs and can see from authd.log:
Some noticeable logs:
14:50:10.631 -0800 debug: pan_auth_loop(pan_auth_server.c:165): After 300 seconds, authd didn't receive requests, tear down existing socket 14 now
14:51:09.307 -0800 Error: _get_saml_info(pan_authd_saml.c:595): Failed to find cert for in vsys 0
Pan GPS logs shows:
P2727-T19975 12/06/2022 15:38:58:124 Debug(9288): ----Portal Login starts----
P2727-T19975 12/06/2022 15:38:58:124 Debug(2419): Unserialized non-empty cookie for portal lv-gp.korteco.com and user xxxxxx
P2727-T19975 12/06/2022 15:38:58:124 Debug(9310): Cookie exists for saved user xxxxxx. Update saved user to user. Continue for saml
P2727-T19975 12/06/2022 15:38:58:124 Error(9245): GetPassword(): invalid parameter.
P2727-T19975 12/06/2022 15:38:58:124 Debug(14582): Failed to get portal saved password.
P2727-T19975 12/06/2022 15:38:58:124 Debug(11139): Password is empty.
P2727-T19975 12/06/2022 15:38:58:124 Info ( 582): EVP_DecryptFinal_ex failed
P2727-T19975 12/06/2022 15:38:58:124 Debug(9224): Failed to decrypt data
P2727-T19975 12/06/2022 15:38:58:124 Debug(9279): Failed to get portal user password.
P2727-T19975 12/07/2022 06:51:53:507 Debug( 482): error detail is HTTPS User Authentication failure.
P2727-T19975 12/07/2022 06:51:53:507 Debug( 367): received no data
P2727-T19975 12/07/2022 06:51:53:507 Debug( 475): m_bUserAuthentication is set to false.
P2727-T19975 12/07/2022 06:51:53:507 Debug(14333): Auth failed. Private header is auth-failed-password-empty
P2727-T19975 12/07/2022 06:51:53:507 Debug(14362): Auth failed empty password for portal
Detailed Authd.log from the time:
14:45:10.301 -0800 Use "@/tmp/authd.sock", unix domain socket to get authd clients' requests
14:50:10.631 -0800 debug: pan_auth_loop(pan_auth_server.c:165): After 300 seconds, authd didn't receive requests, tear down existing socket 14 now
14:50:10.631 -0800 Use "@/tmp/authd.sock", unix domain socket to get authd clients' requests
14:51:09.304 -0800 debug: pan_auth_request_process(pan_auth_state_engine.c:3612): Receive request: msg type PAN_AUTH_REQ_SAML_CREATE_SSO_REQUEST, conv id 286, body length 2448
14:51:09.304 -0800 debug: _log_saml_input(pan_auth_state_engine.c:2917): Trying to handle SAML/CAS message: <profile: "Duo SSO GlobalProtect", vsys: "vsys1", authd_id: 7172359225543230206 RelayState: "dffe2e79-365f-4d14-b8c3-6820522595ac" 14:51:09.306 -0800 debug: pan_auth_sql_clear_lock_expired_users(pan_authd_sqlite.c:3139): Locklist entries 0, not clearing
14:51:09.307 -0800 Authd in enum phase 4
14:51:09.307 -0800 Error: _get_saml_info(pan_authd_saml.c:595): Failed to find cert for in vsys 0
14:51:09.898 -0800 debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for Duo SSO GlobalProtect-vsys1-mfa
14:51:09.898 -0800 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1068): MFA is not configured for the auth profile. No mfa server ids for the user "" (prof/vsys: Duo SSO GlobalProtect/vsys1)
14:51:09.898 -0800 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1079): MFA configured, but bypassed for GP user ''. (prof/vsys: Duo SSO GlobalProtect/vsys1)
14:51:09.898 -0800 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:571): This is a single vsys platform, group check for allow list is performed on "vsys1"
Any help in this regard would be appreciated.
Thanks.
09-07-2023 09:31 PM
@pharney26 Looks like downgrading to 10.2.4h3 fixes the issue but we only downgraded today. I will send an update here next week.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
