02-23-2026 06:47 AM
Some of our IT team is beta testing Yubikeys for Windows Active Directory login. All the appropriate GPOs and CA templates have been created and just a small number of Yubikeys are set up for some IT people. While this works on the Windows lock screen and a few other things we are testing like Entra Admin, etc... (plug in, type in PIN, tap it, you're in)... it created an unintended side effect for these people when logging into Global Protect.
Now when we log into Global Protect (mind you, we are always-on + SAML + DUO MFA every 14 days + computer cert with custom OID that is specified in the GP config), once we hit the Windows desktop and the GP tray icon loads in a few minutes, a new pop-up appears. It says select the certificate to connect and secure access to your applications and the Internet. It shows any IT person's regular or admin account that has ever touched your machine with a Yubikey. If I hit the X in the right corner, it goes away and I'm fine. If I don't touch anything and it times out, GP disconnects. If I pick one of the certs, it asks for my Yubikey PIN and if I enter it, all is well.
Why is this popping up when we have a unique randomly generated OID cert template issuing machine certs that GP config is instructed to use? Why does it seem to be ignoring this?
If I run certlm.msc I see a cert that is my computername.domain.com issued by our Windows CA, GlobalProtect Certificate Template and under Enhanced Key Usage it has Client Authentication and GlobalProtect (a very LONG unique OID that is pasted into the GP portal config, and I verified this in my GP registry).
For my Yubikey I have a Yubikey Exportable Certificate template and for Enhanced key usage it has Smart Card Login and Client Authentication.
Now we are just in the very early stages of testing so if need be we can tweak the cert templates for Yubikeys.
02-23-2026 09:10 AM
We think it's a bug because Client Authentication is also in the Yubikey cert, despite the custom cert OID being specified in Global Protect. We are going to take Client Authentication out of the Yubikey cert template and redeploy with just Smart Card Logon (1.3.6.1.4.1.311.20.2.2). Maybe that will help...
02-23-2026 11:03 AM
By reissuing Yubikey certs WITHOUT Client Authentication (just Smart Card Logon (1.3.6.1.4.1.311.20.2.2)), then cleaning up everywhere the certs are cached for Global Protect.... it now logs in normally, and yes, Yubikeys still work to log into AD and unlock workstations.
So the client cert was in:
- certlm.msc
- current user certificate store
- Admin User certificate store
Cleared the registry "Previous Cert" in my HKCU profile (since I chose one to make the prompt go away).
Then deleted the C:\users\%username%\appdata\Local\Palo Alto Network\*.dat and certificate.pem file.
Then net stop pangps && net start pangps, no prompt. WHEW
That thing gets cached EVERYWHERE.
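As an added check for this thread (example code, not from the poster or from Palo Alto Networks), the script below enumerates the machine and user personal stores and shows which EKU makes each certificate a candidate for the picker: the intended GP machine cert (custom OID), anything else carrying Client Authentication, and Smart Card Logon-only certs. The custom GlobalProtect OID is not on the page, so `$GpCustomOid` is a placeholder to replace with the value from your portal config.

```powershell
# Added diagnostic, not from the thread: list client-capable certs the way the
# Windows cert picker sees them and show which EKU(s) make each one eligible.
$GpCustomOid   = '1.3.6.1.4.1.0.0.PLACEHOLDER'   # placeholder: paste the OID from the GP portal config
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'             # Client Authentication
$SmartCardOid  = '1.3.6.1.4.1.311.20.2.2'        # Smart Card Logon (as in the thread)

$stores = 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'

$report = foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store) {
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        # RFC 5280: a cert with no EKU extension is valid for any purpose, so treat it as client-capable
        $ekus = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @('<none>') }

        $verdict = if ($ekus -contains $GpCustomOid) {
            'GP machine cert (intended)'
        } elseif ($ekus -contains '<none>' -or $ekus -contains $ClientAuthOid) {
            'Client Auth capable: will show up in the picker'
        } elseif ($ekus -contains $SmartCardOid) {
            'Smart Card Logon only: not offered to GP'
        } else {
            'Other'
        }

        [pscustomobject]@{
            Store      = $store
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            PrivateKey = $cert.HasPrivateKey
            EKUs       = ($ekus -join ', ')
            Verdict    = $verdict
        }
    }
}

$report | Sort-Object Verdict | Format-Table -AutoSize Store, Subject, PrivateKey, EKUs, Verdict
```

Run it as the user who gets the prompt; Yubikey certs land in CurrentUser\My because the Certificate Propagation service copies them there when the key is inserted, which is why every IT person who has ever used a key on the machine leaves a candidate behind.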