04-10-2018 03:42 PM - edited 04-11-2018 07:44 AM
Hi,
I have been attempting to get GlobalProtect configured with SCEP for many days without success. The issue I am facing occurs when I have the SCEP Challenge set to "Dynamic" under "Certificate Management" (on the firewall), which is what I am wanting. But when using the dynamic challenge, the GP clients fail to retrieve a SCEP certificate.
The PA’s SCEP configuration and the automatic SCEP CA certificate retrieval from the root CA are working as intended.
The SCEP server appears to be fine as well. I am access and authenticate to the SCEP server using both the http(s)://<FQDN>/CertSrv/mscep_admin/ and http(s)://<FQDN>/CertSrv/mscep/ URLs via a web browser.
However, when the GP client attempts to request a SCEP cert, I see the following errors in the GP logs:
Debug(8547): GetScepCert...
Debug(8571): GetHttpResponse()...
Debug( 878): PrepareRequest...
Debug( 886): WinHttpOpenRequest...
Debug( 441): CPanHTTPSession::PostRequest: WinHttpSendRequest...
Debug( 452): bResults=1, g_dwStatus = 00000000
Debug( 673): Server gp.domain.com cert chain has been created.
Debug( 687): Server gp.domain.com cert verification passed
Debug( 711): Check server certificate revocation returns TRUE
Debug( 473): CPanHTTPSession::PostRequest: WinHttpReceiveREsponse...
Debug( 485): CPanHTTPSession::PostRequest: WinHttpQueryHeaders...
Debug(1089): m_bUserAuthentication is set to true.
(Debug( 368): Content-length: 163
Info (1099): download data success
Debug(8778): SCEP response status is error
Debug(8782): SCEP response msg is: Unable to generate client certificate
Debug(8533): GetScepCertFromPortal failed
Debug(8483): SCEP retry
I have tested using a “Fixed” password in the SCEP Configuration just to see if there was any difference in the behaviour, and the GP client was able to retrieve a SCEP certificate, so it seems there is an issue with the Dynamic password challenge. As mentioned, I am able to authenticate to the SCEP/NDES server via a web browser using both HTTP and HTTPS, and have a different enrollment challenge password generated for each request.
On the Windows server side, The IIS logs are showing that the request is being denied with a 401 error (authentication). I have attempted to implement MANY different recommendation from days of searching and testing. These include disabling UAC, checking the template/IIS application permissions, and moving NTLM authentication above Authenticate in the IIS Windows Authentication Providers list. I have even completely reinstalled and reconfigured the AD CS components, but I am still experiencing the same issue.
Below are the errors from the IIS logs:
DC01 1.1.1.1 GET /CertSrv/mscep_admin/ - 80 – 2.2.2.2 HTTP/1.1 - - dc01. domain.com 401 1 3221225581 0
DC01 1.1.1.1 GET /CertSrv/mscep_admin/ - 80 – 2.2.2.2 HTTP/1.1 - - dc01. domain.com 401 2 5 0
Below are the errors from the sslmgr.log on the PAs:
Authenticating SCEP Auth cookie in request
Error: pan_scep_get_challenge(pan_scep.c:143): Unable to get OTP from SCEP server, SCEP server might not have OTP enabled :
Error: pan_scep_get_client_cert(pan_scep.c:316): pan_mdm_get_scep_challenge() failed Unable to get OTP from SCEP server
Error: sslmgr_scep_generate_client_cert(sslmgr_scep.c:503): pan_scep_get_client_cert() failed
Error: sslmgr_scep_process_msg(sslmgr_scep.c:654): scep client cert could not be generated : Unable to get OTP from SCEP server
I’m guessing the issue has to do with the PAs attempting to pass the authentication credentials in a way that is not expected by the SCEP server. I can even see that the SCEP service account being locked out occasionally from the failed attempts. I have triple-checked the SCEP service account credentials on the PAs, but they must be correct as the PAs are able to retrieve the SCEP CA certificate using the SCEP Configuration.
I'm at a loss. Any assistance would be appreciated!
