06-28-2022 07:45 AM
I am installing the GP client 5.2.11 on freshly imaged Windows 10 21h2 devices. Once the client is installed the users are not being logged in by SSO. In the logs it says that the SSO credential capture fails. It has worked previously with older GP clients and Windows versions so I cant figure out what has changed. Here is snippet of the GPS log:
(P3832-T976)Debug(2957): 06/28/22 10:08:18:726 No user, using SSO
(P3832-T976)Debug(10905): 06/28/22 10:08:18:726 Saved password is empty.
(P3832-T976)Debug(3017): 06/28/22 10:08:18:726 Portal gp.vdps.net, user , logonDomain VDPS, saved user , path C:\Users\16010\AppData\Local\Palo Alto Networks\GlobalProtect\
(P3832-T976)Debug(3083): 06/28/22 10:08:18:726 use proxy is 1
(P3832-T976)Debug(3141): 06/28/22 10:08:18:726 Pre-logon-then-on-demand value is no
(P3832-T976)Debug(1647): 06/28/22 10:08:18:726 SSO starts.
(P3832-T976)Info (1676): 06/28/22 10:08:18:731 SSO ----- PanCredGet failed with error Element not found.
(P3832-T976)Debug(1687): 06/28/22 10:08:18:732 SSO GetSsoCredential starts.
(P3832-T976)Info (1717): 06/28/22 10:08:18:733 SSO ----- PanCredGet failed with error Element not found.
(P3832-T976)Debug(10922): 06/28/22 10:08:18:733 SSO password is empty
(P3832-T976)Debug(3247): 06/28/22 10:08:18:733 Empty username
(P3832-T976)Debug(3279): 06/28/22 10:08:18:733 m_preUsername
(P3832-T976)Debug(10882): 06/28/22 10:08:18:733 Password is empty.
(P3832-T976)Debug(8121): 06/28/22 10:08:18:733 Empty user for GetCachedPortalCfgOldNewFileName
(P3832-T976)Debug(3300): 06/28/22 10:08:18:733 CheckCachedPortalForPrelogon 0, PrelogonNeedTimeout 0, RenameTimeout -1, userName ___empty_username___, preUsername
(P3832-T976)Debug(3478): 06/28/22 10:08:18:733 Use ssl tunnel is no
(P3832-T976)Debug(3488): 06/28/22 10:08:18:733 bCheckCachedPortalForPrelogon: 0, m_bOnDemand: 0
(P3832-T976)Debug(7068): 06/28/22 10:08:18:733 --Set state to Retrieving configuration...
(P3832-T8744)Info ( 127): 06/28/22 10:08:18:736 CheckPanGpAgentThread: started.
(P3832-T8740)Debug( 405): 06/28/22 10:08:18:754 HipMonitorThread wait for exit event.
(P3832-T976)Debug(13489): 06/28/22 10:08:19:781 Portal's ipv4 address 165.1.203.157
(P3832-T976)Debug(8223): 06/28/22 10:08:19:781 SSO enable status is 1, user name is ___empty_username___, domain name is .
(P3832-T976)Debug(1857): 06/28/22 10:08:19:781 pan_get_gp_user_agent szGpUserAgent ua is PAN GlobalProtect/5.2.11-10 (Microsoft Windows 10 Pro Education , 64-bit).
(P3832-T976)Debug(2361): 06/28/22 10:08:19:781 open http session. agent is PAN GlobalProtect/5.2.11-10 (Microsoft Windows 10 Pro Education , 64-bit)
(P3832-T976)Debug(1857): 06/28/22 10:08:19:781 pan_get_gp_user_agent szGpUserAgent ua is PAN GlobalProtect/5.2.11-10 (Microsoft Windows 10 Pro Education , 64-bit).
(P3832-T976)Debug( 469): 06/28/22 10:08:19:785 winhttp SetSecureProtocol, hSession=bedc9fe0, bAllProtocol=0, gbFips=0
(P3832-T976)Debug(1857): 06/28/22 10:08:19:785 pan_get_gp_user_agent szGpUserAgent ua is PAN GlobalProtect/5.2.11-10 (Microsoft Windows 10 Pro Education , 64-bit).
(P3832-T976)Debug( 469): 06/28/22 10:08:19:785 winhttp SetSecureProtocol, hSession=bed87fb0, bAllProtocol=0, gbFips=0
(P3832-T976)Debug(1782): 06/28/22 10:08:19:785 SetProxyForHost(https://gp.vdps.net/😞 timeout:5 AutoDetect:1 url: proxy: bypass: proxystr:
(P3832-T976)Debug(7116): 06/28/22 10:08:19:802 ----Portal Pre-login starts----
(P3832-T8716)Debug(5436): 06/28/22 10:08:19:802 CaptivePortalDetectionThread: IsDetectingCaptivePortal=1, PreLoginIsDone=0
(P3832-T8716)Debug(5413): 06/28/22 10:08:19:802 CaptivePortalDetectionThread: wait (2000 ms) for captive portal detection event.
(P3832-T976)Debug( 564): 06/28/22 10:08:19:819 Network is reachable
(P3832-T976)Debug(7150): 06/28/22 10:08:19:821 Pre-login...,verifyportalcert=yes
(P3832-T976)Debug(11319): 06/28/22 10:08:19:821 Check cert of server 165.1.203.157
(P3832-T976)Debug(11334): 06/28/22 10:08:19:823 File C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer does not exist.
(P3832-T976)Debug( 788): 06/28/22 10:08:19:823 SSL connecting to 165.1.203.157
(P3832-T976)Debug( 564): 06/28/22 10:08:19:835 Network is reachable
(P3832-T976)Debug(1270): 06/28/22 10:08:19:920 Failed to X509_LOOKUP_load_file
(P3832-T976)Debug(1014): 06/28/22 10:08:19:920 Hostname gp.vdps.net matches sub alt name gp.vdps.net
(P3832-T976)Debug(1346): 06/28/22 10:08:19:920 OpenSSL alert write⚠️close notify
(P3832-T976)Debug(2819): 06/28/22 10:08:19:921 encpostdata, encpostdata=0000020BBF8D1610, encpostdatalen=192
(P3832-T976)Debug(2996): 06/28/22 10:08:19:921 REQID=1,IPADDR=gp.vdps.net,PORT=443,URL=/global-protect/prelogin.esp,POST=1,PROXY_AUTO=1,PROXY_CFGURL=NULL,PROXY=NULL,PROXY_BYPASS=NULL,PROXY_USER=NULL,PROXY_PASS=****,VERIFY_CERT=1,ADDITIONAL_CHECK=1,SCEP_CERT=,oid=
(P3832-T976)Debug(1888): 06/28/22 10:08:19:921 Send response to client for request https_request
(P3832-T976)Debug(3106): 06/28/22 10:08:20:051 receive pan_msg_ping, 3
(P3832-T976)Debug(7274): 06/28/22 10:08:20:236 prelogin to portal result is
<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Success</status>
<ccusername></ccusername>
<autosubmit>false</autosubmit>
<msg></msg>
<newmsg></newmsg>
<authentication-message>Enter login credentials</authentication-message>
<username-label>Username</username-label>
<password-label>Password</password-label>
<panos-version>1</panos-version>
<saml-default-browser>yes</saml-default-browser><connected-ip>165.1.203.157</connected-ip><auth-api>no</auth-api><region>US</region>
</prelogin-response>
(P3832-T976)Debug(11581): 06/28/22 10:08:20:236 StopCaptivePortalDetection() captive portal detection is in progress
(P3832-T8716)Debug(5436): 06/28/22 10:08:20:236 CaptivePortalDetectionThread: IsDetectingCaptivePortal=0, PreLoginIsDone=1
(P3832-T8716)Debug(5413): 06/28/22 10:08:20:236 CaptivePortalDetectionThread: wait (-1 ms) for captive portal detection event.
(P3832-T976)Debug(7315): 06/28/22 10:08:20:236 REGION-PRIO, region code is US
(P3832-T976)Debug(13301): 06/28/22 10:08:20:237 REGION-PRIO, save region code US
(P3832-T976)Debug(7382): 06/28/22 10:08:20:237 Portal's saml default browser support = yes
(P3832-T976)Debug(7402): 06/28/22 10:08:20:237 Portal authentication-message is Enter login credentials
(P3832-T976)Debug(7418): 06/28/22 10:08:20:237 autosubmit is false
(P3832-T976)Debug(7431): 06/28/22 10:08:20:237 auth-api is no
(P3832-T976)Debug(7479): 06/28/22 10:08:20:237 Connected ip for portal 165.1.203.157
(P3832-T976)Debug(9092): 06/28/22 10:08:20:237 ----Portal Login starts----
(P3832-T976)Debug( 312): 06/28/22 10:08:20:237 No need to decrypt data with length 0
(P3832-T976)Debug(8121): 06/28/22 10:08:20:237 Empty user for GetCachedPortalCfgOldNewFileName
(P3832-T976)Debug(9132): 06/28/22 10:08:20:237 "___empty_username___" and empty cc user name and empty portal user auth cookie.
(P3832-T976)Debug(9135): 06/28/22 10:08:20:237 Set skip next switch off flag.
(P3832-T976)Debug(8454): 06/28/22 10:08:20:237 portal status is User authentication failed.
06-29-2022 03:12 AM
Maybe, you can try with GPv5.2.12.
For your info:
GPC-14943 | Fixed an issue where the GlobalProtect app connection failed after the app was upgraded to Windows 10 21H2. |
06-29-2022 12:47 PM
@emr_1 Thanks for the suggestion. Getting the same result with that version.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
