GlobalProtect Pre-Logon Prompting for User Certificate

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

GlobalProtect Pre-Logon Prompting for User Certificate

L3 Networker

We have GlobalProtect Pre-Logon working with machine certificates however once the user logs into their laptop they are also prompted with thier User Certificate each time. There internal CA does issue machine and user certificates. Is there a way to disallow the User certificate prompt? Do we need to also use User certificates along with machine certficicates? Verion is 10.0.7 and GP 5.2.7

PCNSC, PCNSE
8 REPLIES 8

L7 Applicator

What setting do you have in the user portal config for certificate lookup.  If both user and machine try setting to just user.

L2 Linker

You need to ensure the portal and gateway URLs are added to your trusted/Intranet sites in IE and ensure this setting is enabled.

 

rajjair_0-1635210947511.png

 

For Edge and Chrome you need to configure "AutoSelectCertificateForUrls" to avoid the pop-up

 

Microsoft Edge Browser Policy Documentation | Microsoft Docs

 

This looks similar to an issue we are seeing on our Win 11 intune build and the Hello for business cert, we have added the urls and the cert to use and are able to browse to the page in a web browser without being prompted. If we remove the WHFB cert the device does not prompt. do we need to add to the ie trusted sites and enable the dont prompt for client certificate selection?

 

Any help or advice would be much appreciated

L1 Bithead

I have the same question. We are in the process of deploying Windows Hello for Business authentication certificates which need to be in the UPN format. The PaloAlto Global Protect Client needs the user authenticaiton certs in the CN format. The issue we are seeing is that now Global Protect is prompting for which certificate to use because there are now two authentication certificates in the users personal store. How to we force GlobalProtect Client to connect and use a certificate without prompting in the client? Is there a way to tell the GlobalProtect Client to use a certain certificate in the registry?  

 

@rheinrich,

The easiest way to do this is to use a custom OID for the GlobalProtect certificates so that you can automatically select the proper certificate based on the OID value. That will have it default to the proper certificate without prompting for selection.

 

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/authentication/set-up-client...

Thank you for this info. Will try this approach. Have a great day!

So you know this approach does work if you are only publishing one certificate for the user. and one for the machine. We created one for the machine with a unique OID for prelogon purposes. Then we created another for the user with a unique OID for user logon purposes. The User Auth Certificate had client authentication purpose and enrolls into the Software Key Storage provider. Things were working fine and Global Protect was selecting the proper certificate to authenticate depending on the prelogon and logon states. With Windows Hello, we had to enroll a certificate into the Windows Hello for Business Certificate Keystore for Remote Desktop Services to work using Biometric, Pin, or Fingerprint. This certificate does not have an OID and has client authentication purposes. Technically speaking the WHFB certificate should be completely ignored when Global Protect is connecting because it does not hava an OID. Both of these Certificates appear in the User's Personal Certificate store in Windows. What we are finding is that Global Protect still presents the user for Certificate selection when connecting. Global Protect, searches all Certificates and if there are multiple that have the Cliient Authentication Purpose, it prompts the employee and does not honor the OID. To me this is a GP bug, because Global Protect should use its conifguration stating to look for the OID to connect automatically and not prompt the user. We have tried to change to SAML SSO Authentication and get the exact same thing with the certificate selecting promting to the user. The challenge is that we need both of the user certificates. I do think that Palo Alto should fix this as more and more people are migrating to Passwordless solutions. 

Do you have a doc you followed to get this working?

 

I have been fighting with the prelogon and userlogon certs. Prelogon works fine, but the minute it goes to userlogon it errors out with invalid cert. Turns out it's trying to use the machine cert to do a userlogon. I have tried a ton of different settings and cannot figure this out.

  • 5158 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!