Global Protect "Single Sign on" with Windows Hello on Windows 10

Hi everyone,

I have a situation as described in the title of this post. As you probably know, Global Protect installs its own Credential Provider in Windows, which has to be chosen by the user. It is also possible to force the Global Protect Credential Provider, but the point is, it has to be used in order to enable single sign-on for the user.

This now breaks the whole thing when combined with Windows Hello (iris scan, fingerprint), because Windows Hello has its own credential provider. So in a default Global Protect configuration with pre-logon enabled (certificate profile and LDAPS authentication profile), either Global Protect single sign-on or Windows Hello is working as expected:
- log in with GP CP: VPN single sign on is working but not Windows Hello
- log in with WH CP: Windows Hello is working but the user has to enter his credentials manually to Global Protect

To get the comfort of both worlds I was now thinking of a setup with the following requirements:
- Global Protect ONLY authenticates with a certificate profile
- User-ID Agents check Active Directory Logins for the VPN IP range
- Firewall is configured to get the User-to-IP mappings from the User-ID agent
- Firewall allows the pre-logon user access to AD (for logging in), antivirus updates and Windows updates
- all subsequent firewall rules are created for actual users, so they become "active" as soon as the user-to-IP mapping is known by the firewall

I have already tested this solution and it works as expected. Users can log in simply by "looking at their laptops" and there is no need to bother with re-entering credentials or making sure that Global Protect is set as the default Credential Provider.

My question now for you all is: Am I missing some security issues with not using an authentication profile and relying on the login event in active directory?

Regards,
Remo
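The setup above relies entirely on the User-ID agent turning AD logon events into user-to-IP mappings for the VPN pool, so the interesting questions are which logon events get counted, which are ignored, and how long a mapping lives. The following is an added example (not code from the original post and not Palo Alto Networks' User-ID agent): a small Python model of that mapping logic run over constructed, simplified Windows Security 4624 (successful logon) records. The VPN pool (10.99.0.0/16), the 45-minute mapping lifetime, the set of accepted logon types and the pipe-delimited log format are all assumptions made for the example.

```python
"""
Toy model of the User-ID style mapping the post depends on: read Windows
Security 4624 (successful logon) events and build IP -> user mappings, but
only for addresses in the VPN pool, skipping machine accounts (what the
pre-logon tunnel authenticates as), skipping service logons, letting stale
mappings expire and letting a newer logon from the same IP replace an older
one (VPN pool addresses are reused). This is an added example, not the
vendor's agent; the log format and all constants below are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

VPN_RANGE = ipaddress.ip_network("10.99.0.0/16")   # assumed GlobalProtect client pool
MAPPING_TIMEOUT = timedelta(minutes=45)            # assumed mapping lifetime
# Assumed set of logon types worth mapping: 2 interactive, 3 network,
# 10 RemoteInteractive, 11 CachedInteractive. Type 5 (service) and 4 (batch)
# are excluded so a scheduled task or service account does not claim an IP.
ALLOWED_LOGON_TYPES = {2, 3, 10, 11}


@dataclass
class LogonEvent:
    ts: datetime
    user: str
    domain: str
    logon_type: int
    src_ip: str


def parse_event(line: str):
    """Parse one constructed record: ts|4624|domain|user|logon_type|src_ip.
    Returns None for malformed lines or non-4624 events."""
    fields = line.strip().split("|")
    if len(fields) != 6 or fields[1] != "4624":
        return None
    ts, _, domain, user, ltype, ip = fields
    try:
        return LogonEvent(datetime.fromisoformat(ts), user, domain, int(ltype), ip)
    except ValueError:
        return None


def is_vpn_address(ip: str) -> bool:
    """True only for addresses inside the assumed VPN pool (bad input -> False)."""
    try:
        return ipaddress.ip_address(ip) in VPN_RANGE
    except ValueError:
        return False


def is_machine_account(user: str) -> bool:
    """AD computer accounts end in '$'; those are the pre-logon identity, not a user."""
    return user.endswith("$")


def build_mappings(lines, now: datetime) -> dict:
    """Return {src_ip: 'domain\\user'} for the most recent qualifying logon per IP."""
    latest = {}  # src_ip -> (user, ts)
    for line in lines:
        ev = parse_event(line)
        if ev is None or not is_vpn_address(ev.src_ip):
            continue
        if is_machine_account(ev.user) or ev.logon_type not in ALLOWED_LOGON_TYPES:
            continue
        if now - ev.ts > MAPPING_TIMEOUT:
            continue  # stale: the agent would have aged this mapping out
        prev = latest.get(ev.src_ip)
        if prev is None or ev.ts >= prev[1]:
            latest[ev.src_ip] = (f"{ev.domain}\\{ev.user}".lower(), ev.ts)
    return {ip: user for ip, (user, _) in latest.items()}


# Constructed sample log (not real data). Exercises each rule above.
SAMPLE_EVENTS = [
    "2024-03-01T08:00:00|4624|CORP|LAPTOP01$|3|10.99.1.20",   # pre-logon machine account: skipped
    "2024-03-01T08:02:00|4624|CORP|remo|2|10.99.1.20",        # mapped, later replaced
    "2024-03-01T08:03:00|4624|CORP|alice|3|192.168.5.7",      # not in VPN pool: skipped
    "2024-03-01T08:05:00|4624|CORP|svc_backup|5|10.99.1.30",  # service logon: skipped
    "2024-03-01T06:00:00|4624|CORP|bob|2|10.99.1.40",         # older than timeout: skipped
    "2024-03-01T08:07:00|4624|CORP|carol|10|10.99.1.20",      # same IP reused: replaces remo
    "2024-03-01T08:08:00|4624|CORP|dave|2|10.99.1.50",        # mapped
    "garbage line that is not an event",                      # ignored
]
NOW = datetime(2024, 3, 1, 8, 10)

if __name__ == "__main__":
    for ip, user in sorted(build_mappings(SAMPLE_EVENTS, NOW).items()):
        print(f"{ip} -> {user}")
```

The two rules worth looking at when assessing the setup in the post are the machine-account filter (so the pre-logon tunnel, which authenticates with the device certificate only, never gets treated as a user) and the replace-on-newer-logon rule: because pool addresses are reused, a mapping that is not refreshed or expired promptly would hand the previous user's rules to whoever receives that address next.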