
Global Protect user-pre-logon from Windows domain login first time user


I'm having an issue finding an all-inclusive document that can help me validate my GP portal and gw config to allow new users who receive a domain-joined laptop to log into the domain on receipt of the laptop.


Current gw is pre-login with on-demand.

All laptops have a machine cert installed from our domain.

For purposes of the test I have a new user set up in AD that I use for a test (unsuccessfully to date).

I have set up my domain-joined laptop and adjusted the Palo Alto registry entries to show pre-logon=1, user-sso=yes, showprelogonbutton=yes.


I reboot the machine and I do get the GP logo with the connect/not connected verbiage.


My expectations are these:

User gets to the Windows login screen.

Selects the login method (selects the GP icon).

User enters their username and password.

User hits "Enter"/"Return".


Nothing happens... (very frustrating)


I would have expected the laptop to reach out to the GP gateway, validate itself via the machine certs, then pass the user creds along to validate against Active Directory, resulting in a subsequent successful user logon to the laptop. At this point Windows will take over and start the new user setup (profile setup) that you get with any first-time new user login to a Windows machine.


The only thing that I can think of is that I have noticed in the past with the GP install that the username gets prepopulated with the domain\username configuration. Our GP setup only required "username". Using domain\username will cause an authentication failure.


I have no idea how to verify this and, if this is indeed the case, how can I force GP to start up using just the "username" and not "domain\username"?


Any advice would be appreciated.


