GlobalProtect reports Machine Certificate (null) but it isn't...

L2 Linker

Hey all,

Recently upgraded to PAN-OS v9.0.3 and GlobalProtect is no longer working for some.  Error messages in the system logs are showing GlobalProtect portal client configuration failed...  Machine Certificate CN: (null) for those that fail but also Machine Certificate CN: (just a blank here) for those that are successful.  This is intermittent and is affecting roughly 25% of our corporate users.

I'm guessing "Machine Certificate" is a general term PA uses since there is no mention in the system logs of a "Client or User Certificate". We employ user certificates, not machine certificates. We have our portal configured to use User Certificates. We also have our Gateway and Portal configured to "Allow Authentication with user credentials OR Client Certificate". This only works IF we delete the client certificate on the endpoint, then they are able to log in using only credentials. If we leave it in the OR position it seems to ignore the OR and automatically fail with user credentials alone.

Our certificate profile is set up to use the Subject Alt. Name / Principal Name for the username, which matches what's contained within the certificate which matches LDAP / AD.

We do have a case open with Palo Alto.  1st response was that the CN can no longer be null - our logs say different, and the 2nd response was to try an older GP Agent, which we're in the process of.

We've tried deleting the certificate on the failing client machines and re-issuing them - this doesn't work.

A couple of our clients that were originally experiencing issues magically started working.

Just wondering if anyone else has encountered something similar and / or has any suggestions.

 

Thanks,

cfowler
