This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Machine Certificate Check/ Not working for me

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Machine Certificate Check/ Not working for me

Go to solution
asiewert
L1 Bithead

‎05-22-2024 08:30 AM

Goal:

When a user connects to the Globalprotect Portal it will authenticate using the LDAP authentication profile, and check for the presence of a certificate on the device.

 

If the device(in my case I'm only going to use Windows 10 PCs) does not have the certificate, the authentication will fail.

 

What I've done so far:

  • The LDAP authentication profile works as expected. 
  • Created a new RootCA from the firewall, created an IntermediateCA signed by the RootCA, and created a "machinecert" signed by the IntermediateCA
  • Created a Certificate Profile 
    • asiewert_0-1716391538482.png
  • Within the portal configuration authentication tab, I added the newly created certificate profile. Note that the certificate profile only has the rootca and intermediate certs, not the machinecert.
  • Under the portal Agent tab, agent config, the settings for save user credentials are set to No and no cookies are used.
  • asiewert_1-1716391699348.png

     

The problem:

 

  • I can log into globalprotect with or without the certificates installed on my laptop using the settings above. 
  • I may be missing something obvious, or completely misconfigured this for what I want.

I would appreciate some help or guidance on how to correct the config, or change it to meet the goal above. Thank you for your help! Let me know if you guys need further information.

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
asiewert
L1 Bithead
In response to SirchRettop

‎05-23-2024 12:45 PM

This problem was user error, me.

 

I did not realize I had installed the machinecert in the personal certificate store. That's why it kept on connecting even when I removed the certificates from the computer certificate store. Globalprotect is set on default to check both the user and computer certificate stores. Doh!

View solution in original post

3 REPLIES 3

Go to solution
kiwi
Community Team Member

‎05-23-2024 03:30 AM

Hi @asiewert ,

 

Just a quick check, did you by chance "Allow Authentication with User Credentials OR Client Certificate" ?

 

kiwi_1-1716460105323.png

 

 

If you select No, users must authenticate to the gateway using both user credentials and client certificates. If you select Yes, users can authenticate to the gateway using either user credentials or client certificates.

 

Hope this helps,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
0 Likes Likes

Go to solution
SirchRettop
L2 Linker

‎05-23-2024 10:43 AM - edited ‎05-23-2024 10:48 AM

Hi @asiewert , 

 

if you are looking to use the client/machine certificate for additional authentication to ldap, where have you installed this client/machine certificate? the client/machine certificate will need to be installed on the device requiring remote access. Then a check will be performed to see if this client certificate has been signed by the CAs in your certificate profile.

 

Try installing the certificate into the "Personal" folder of either the Local Computer or Current User cert store and test authentication again.

https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-user-authenti... 

 

https://www.youtube.com/watch?v=TFstISND5PE (details the creation and export of a client certificate with public/private key pair)

 

SirchRettop_0-1716486064937.png

 

(1)

Go to solution
asiewert
L1 Bithead
In response to SirchRettop

‎05-23-2024 12:45 PM

This problem was user error, me.

 

I did not realize I had installed the machinecert in the personal certificate store. That's why it kept on connecting even when I removed the certificates from the computer certificate store. Globalprotect is set on default to check both the user and computer certificate stores. Doh!

  • 1 accepted solution
  • 2320 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks