Microsoft Intune and Autopilot Hybrid AD Join via Prisma

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Microsoft Intune and Autopilot Hybrid AD Join via Prisma

L1 Bithead

We are having an interesting problem with current GlobalProtect PreLogon domain join.. 

We have a SCEP infra along with Prisma Global protect and pre-logon configured. We are able to complete a pre-logon and initiate a first login, which then takes us back to Autopilot screen a moment later. Problem is, when it goes back to Autopilot to complete the domain join, I can see with Alt+TAB that Global Protect is again prompting for user to log in and basically this step never finishes.. I am only able to push forward if I take over the autopilot process(multiple time press windows key) and do a login to GlobalProtect.

Anyone experienced anything similar?

8 REPLIES 8

Cyber Elite
Cyber Elite

This seems like the process in Deploy a New Device Using Windows Autopilot and Microsoft Intune . 

 

Have you enabled SSO as mentioned in User-Initiated Pre-Logon Connection ?

 

 

Other than that an upgrade of your globalprotect agent could help.

Cyber Elite
Cyber Elite

I also suggest seing How to force user credentials with valid client certificate whe... - Knowledge Base - Palo Alto Netw... and GlobalProtect Pre-logon using a machine certificate - PAN-OS 10.0.6 as if you are being promted for credendtials second time it could mean that the ca cert on Palo Alto gateway is not correct.

 

Also check that the AD also accepts the SCEP cert How to Configure Automatic Computer Certificate Enrolment in Windows Server 2016 / 2019 

Yeah, so first link is exactly the process we follow in this case ( I am not sure if second link is relevant, I think we already get to the right point). 

As I mentioned, we are able to make it through the first logon to GP (Attached) and then to domain. What happens then is machine does first logon "we are getting things ready for you", after which machine is taken back to Autopilot (A-pilot-joining-org.png screen) - joining your organization network and that part is taking forever. If I alt+tab at that point, I can see that Global Protect is AGAIN asking me to log in (Autopilot.png) and machine is not able to ping my domain. As soon as I press Win key multiple times and sign in to GP it takes me further, but ofc this will not be part of the official autopilot procedure 🙂 

Yes, I have configured SCEP and NDES before and this is one of the authentication factors. The other one is Entra user creds. 

If I remove SCEP profile from Autopilot group then user is not even able to get to credential screen

But are you expected to use the SCEP provided cert for the second logon so that there is no need for credentials and have configured machine cert logon with AD server on Palo Alto gateway and on the AD server ?

Please note that our SCEP is using AD CA and on prem NDES. So the SCEP cert comes from our internal PKI with the help of Intune ofc. 

I am actually trying to avoid second logon altogether and was hoping that after the initial logon (before domain join) the creds will be cached and no longer prompted for, just like on our regular AD joined (SCCM built) machines. In our GP profile we configure the combination of AD Machine Cert (OR SCEP Cert, they are equal in this case) + user creds

Yes, the fact is that after domain join, machine also gets an AD cert and I have noticed that after autopilot completes, gp, when I click on a tray icon prompts me to select the CERT to be used - AD or SCEP. 

 

Have you reviewed the links I did send for machine tunnel authentication ?  As shown in Configure a GlobalProtect Gateway "Allow Authentication with User Credentials OR Client Certificate " should be set to "YES" as the cert to only be needed for authentication but if the AD server for some reason does not like the cert it will ask for credentials, so check you AD server as well.

 

Check the globalprotect agent logs just in case How to Collect Logs from GlobalProtect 6.0 Clients - Knowledge Base - Palo Alto Networks

 

Outside of that as I did not see any article mentioning the cert being provided from Intune as the globalprotect portal can act as a scep client as shown in Deploy Certificates Using SCEP so that could be another option or if needed open a case as Deploy a New Device Using Windows Autopilot and Microsoft Intune option does not mention SCEP with Intune so this may not have been well tested.

yes, we did review this. Right now this is not something that we would be able to set in production as this would not pass the security review. Maybe we would need to set up a separate portal and gateway just for autopilot alone and then switch user back to production gateway once machine is onboarded.

 

Also something worth noting here. The original problem (where user has to re-connect after initial domain join) only occurs with later PaloAlto GlobalProtect versions. So version 6.2.4 to 6.2.7 all work fine( but have a separate issue), but starting with 6.2.8 this disconnect starts to happen up to 6.3.3.. So something has chnaged within the client as well

  • 1918 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!