We have always used username & password for authenticating GlobalProtect (using the user's AD account/password). We always connect GlobalProtect AFTER signing on to Windows first. So how difficult would it be to have GlobalProtect simply query Windows for the user's current signed-on creds to use instead of manually typing them? Essentially something like SSO?
And is it possible to set up a 2nd gateway option for testing so we don't impact our current users? Basically, if users are connecting to vpn.contoso.com, we would create vpntest.contoso.com on the PA and use that to test this new configuration.
NOTE: I don't want to do pre-login or anything like that. And we don't have SAML as an option or AD Federated Services. Just a very basic Active Directory 2016 domain, a single Palo Alto Firewall and GlobalProtect 5.1.5 for Windows 10.