I deployed the GP agent and user was authenticated by client certificate, most users wroks, but some users cannot pass the authentication and get the following error messages in PanGPA.log:
(T1356) 06/08/18 13:39:53:722 Info (2559): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, this=0000029E2C99C820)
(T1356) 06/08/18 13:39:53:722 Debug(2640): WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, error=12186, result=5, dwCertificateError=0
(T9076) 06/08/18 13:39:53:816 Info (1465): winhttpObj, get WINHTTP_CALLBACK_STATUS_REQUEST_ERROR
(T9076) 06/08/18 13:39:53:816 Info (1032): Server cert query failed with error 12019
(T9076) 06/08/18 13:39:53:816 Error(1494): error = ERROR_WINHTTP_CLIENT_CERT_NO_ACCESS_PRIVATE_KEY
(T9076) 06/08/18 13:39:53:816 Debug(1576): winhttpObj, got ERROR_WINHTTP_CLIENT_CERT_NO_ACCESS_PRIVATE_KEY, clean cert cache now
(T9076) 06/08/18 13:39:53:816 Debug(3610): winhttpobj, cert do not has private key???? clean lastIssuerName now, data = 0000000000000000
GP agent is version 4.0.5, I also checked the certficate is fine and exported with private key, I also reinstall agent and certificate, even install newer GP agent version 4.0.8, but cannot fix it.
Does anyone know how to fix it? or have any suggestion for troubleshooting?
Firewall is running PAN-OS 7.1.15 and GlobalProtect agent 4.0.5 now, I had already opened a case but TAC think it is the operation system problem. All the issue computers are running Windows 10, client certificate is a sha256 (RSA 2048) self-signed certificate.
Thanks a lot and Best Regardss,