GlobalProtect SCEP NDES Dynamic Challenge Failure

I have been attempting to get GlobalProtect configured with SCEP for many days without success.  The issue I am facing occurs when I have the SCEP Challenge set to "Dynamic" under "Certificate Management" (on the firewall), which is what I am wanting.  But when using the dynamic challenge, the GP clients fail to retrieve a SCEP certificate. 


The PA’s SCEP configuration and the automatic SCEP CA certificate retrieval from the root CA are working as intended.


The SCEP server appears to be fine as well.  I am able to access and authenticate to the SCEP server using both the http(s)://<FQDN>/CertSrv/mscep_admin/ and http(s)://<FQDN>/CertSrv/mscep/ URLs via a web browser. 


However, when the GP client attempts to request a SCEP cert, I see the following errors in the GP logs:

Debug(8547): GetScepCert...
Debug(8571): GetHttpResponse()...
Debug( 878): PrepareRequest...
Debug( 886): WinHttpOpenRequest...
Debug( 441): CPanHTTPSession::PostRequest: WinHttpSendRequest...
Debug( 452): bResults=1, g_dwStatus = 00000000
Debug( 673): Server cert chain has been created.
Debug( 687): Server cert verification passed
Debug( 711): Check server certificate revocation returns TRUE
Debug( 473): CPanHTTPSession::PostRequest: WinHttpReceiveREsponse...
Debug( 485): CPanHTTPSession::PostRequest: WinHttpQueryHeaders...
Debug(1089): m_bUserAuthentication is set to true.
(Debug( 368): Content-length: 163
Info (1099): download data success
Debug(8778): SCEP response status is error
Debug(8782): SCEP response msg is: Unable to generate client certificate
Debug(8533): GetScepCertFromPortal failed
Debug(8483): SCEP retry


I have tested using a “Fixed” password in the SCEP Configuration just to see if there was any difference in the behaviour, and the GP client was able to retrieve a SCEP certificate, so it seems there is an issue with the Dynamic password challenge.  As mentioned, I am able to authenticate to the SCEP/NDES server via a web browser using both HTTP and HTTPS, and have a different enrollment challenge password generated for each request.


On the Windows server side, the IIS logs are showing that the request is being denied with a 401 error (authentication).  I have attempted to implement MANY different recommendations from days of searching and testing.  These include disabling UAC, checking the template/IIS application permissions, and moving NTLM authentication above Authenticate in the IIS Windows Authentication Providers list.  I have even completely reinstalled and reconfigured the AD CS components, but I am still experiencing the same issue.


Below are the errors from the IIS logs:

DC01 GET /CertSrv/mscep_admin/ - 80 – HTTP/1.1 - - dc01. 401 1 3221225581 0
DC01 GET /CertSrv/mscep_admin/ - 80 – HTTP/1.1 - - dc01. 401 2 5 0


Below are the errors from the sslmgr.log on the PAs: 

Authenticating SCEP Auth cookie in request
Error:  pan_scep_get_challenge(pan_scep.c:143): Unable to get OTP from SCEP server, SCEP server might not have OTP enabled :
Error:  pan_scep_get_client_cert(pan_scep.c:316): pan_mdm_get_scep_challenge() failed Unable to get OTP from SCEP server
Error:  sslmgr_scep_generate_client_cert(sslmgr_scep.c:503): pan_scep_get_client_cert() failed
Error:  sslmgr_scep_process_msg(sslmgr_scep.c:654): scep client cert could not be generated : Unable to get OTP from SCEP server


I’m guessing the issue has to do with the PAs attempting to pass the authentication credentials in a way that is not expected by the SCEP server.  I can even see the SCEP service account being locked out occasionally from the failed attempts.  I have triple-checked the SCEP service account credentials on the PAs, but they must be correct as the PAs are able to retrieve the SCEP CA certificate using the SCEP Configuration.


I'm at a loss.  Any assistance would be appreciated!
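The two IIS entries quoted above carry more detail than the bare 401: the sc-substatus and sc-win32-status columns say whether the service account's credentials were actually rejected or whether IIS simply issued its initial challenge. The script below is an added example for this thread (not code from the post, Palo Alto Networks or Microsoft) that decodes those columns over the quoted lines; the W3C field order in FIELDS is an assumption, since the post does not show the log's #Fields header.

```python
from collections import Counter

# Assumed W3C field order (the #Fields header is not quoted in the post; adjust
# this list to match the header of your own IIS log before running on real files).
FIELDS = ["s-computername", "cs-method", "cs-uri-stem", "cs-uri-query", "s-port",
          "cs-username", "cs-version", "cs(User-Agent)", "cs(Referer)", "cs-host",
          "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]

# Sample lines constructed from the two entries quoted in the post.
IIS_LINES = [
    "DC01 GET /CertSrv/mscep_admin/ - 80 - HTTP/1.1 - - dc01. 401 1 3221225581 0",
    "DC01 GET /CertSrv/mscep_admin/ - 80 - HTTP/1.1 - - dc01. 401 2 5 0",
]

# IIS 401 sub-status codes.
SUBSTATUS = {
    1: "401.1 logon failed: the credentials presented were rejected",
    2: "401.2 logon failed due to server configuration (no accepted auth scheme, "
       "or the unauthenticated first leg of an NTLM/Negotiate exchange)",
}

# sc-win32-status is a Win32 error or an NTSTATUS value written as unsigned decimal.
WIN32 = {
    0: "no Windows error recorded",
    5: "ERROR_ACCESS_DENIED",
    0xC000006D: "STATUS_LOGON_FAILURE (bad user name or password)",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

def parse_line(line):
    """Map one W3C log line onto FIELDS; comment/header lines return None."""
    if line.startswith("#"):
        return None
    values = line.split()
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}: {line!r}")
    return dict(zip(FIELDS, values))

def decode_401(line):
    """Return (sub-status text, win32 text) for a 401 entry, else None."""
    rec = parse_line(line)
    if rec is None or rec["sc-status"] != "401":
        return None
    sub, win32 = int(rec["sc-substatus"]), int(rec["sc-win32-status"])
    return (SUBSTATUS.get(sub, f"401.{sub} (unlisted sub-status)"),
            WIN32.get(win32, f"0x{win32:08X} (unlisted code)"))

def summarize(lines):
    """Count (uri, sub-status, win32) triples so the dominant 401 pattern stands out."""
    recs = [r for r in map(parse_line, lines) if r and r["sc-status"] == "401"]
    return Counter((r["cs-uri-stem"], int(r["sc-substatus"]), int(r["sc-win32-status"])) for r in recs)
```

Run summarize() over a full day of u_ex*.log lines: a pile of 401.1 / STATUS_LOGON_FAILURE entries for mscep_admin points at the credentials or authentication scheme the firewall presents, while STATUS_ACCOUNT_LOCKED_OUT entries show when the lockouts mentioned above begin.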