06-26-2017 06:39 AM
PANOS 8.0.2
GlobalProtect 4.0.2
Client Windows 10 Enterprise x64
We currently use Microsoft DirectAccess for all our Windows clients.
The big plus of DirectAccess is that it works pre-logon and is completely seamless for the end-user, but it is Windows only, speed is not good and troubleshooting issues may be cumbersome.
Therefore we are looking into replacing DirectAccess with GlobalProtect.
A large part of the requirements is met with GP, but we also want to make it as seamless as DirectAccess currently is for our end-users (read: always on and no end-user action required at all).
As the authentication method we are using the Pre-logon then On-Demand Connect Method and we want to use single sign-on (SSO).
Pre-logon then On-Demand works, but we are having some challenges with the SSO part.
Our users all log on to their Windows 10 laptop with their domain UPN (user@domain.com), which is the same as their primary mail address.
If we want SSO to work then the GlobalProtect client needs to be the default credential provider. The problem with this is that this logon method expects the user to log on with their pre-Windows 2000 logon name (sAMAccountName), which uses the format DOMAIN\username.
This is a problem for us. Most users don't even know their pre-Windows 2000 logon name and we don't think this legacy method is the way forward.
If we don't set the GlobalProtect client as the default credential provider then the user is able to log in with his UPN, but when GP switches from Pre-logon to On-Demand then the GlobalProtect client pops up asking for credentials. This authentication does accept the user UPN. This authentication is then cached by the GP client so the next logon is more seamless, but it will break again when the user changes his password.
Is it possible to let the GlobalProtect default credential provider accept the UPN instead of the pre-Windows 2000 logon name?