Having some trouble with a generalized single certificate (wanting to use it as part of user/pass authentication) across multiple machines. Wanting to require that this certificate be on a machine and that the user enter their user/pass combination for authentication to the portal/gateway (not a user- or machine-specific cert). Not doing pre-logon at this point.

I can add this exported certificate into the Certificates (Local Computer) / Personal AND Trusted Root stores... all day long... and it makes no difference. I can even specify in the portal agent config to use 1.3.6.1.5.5.7.3.2 for an OID, and also ensure that the client certificate store lookup is set to both "user and machine" on the portal... still nothing.

The only way I can get this to successfully work is by placing the exported certificate into the Certificates - Current User - Personal store... then everything works perfectly. It's almost as if Windows clients have issues accessing the machine store when a user is logged in? Anyone have experience with this, or something along these lines?

Maybe @Mick_Ball answered part of this already below: https://live.paloaltonetworks.com/t5/General-Topics/Does-Pre-logon-for-Global-Protect-use-the-Computer-certificate/m-p/257139#M72945

MS seems to hint at the fact that any machine store cert in the Trusted Root store will be mirrored to the Current User Trusted Root store, but NOT to Current User Personal: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/local-machine-and-current-user-certificate-stores "Be aware that all current user certificate stores except the Current User/Personal store inherit the contents of the local machine certificate stores."

Does a generic certificate have to be installed for every user under their Current User Personal certificate store?
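A diagnostic that helps narrow down the situation described in the post, added here as an example and not taken from the original thread or from any Palo Alto Networks tooling: it lists the certificates in the machine and user Personal stores that carry the Client Authentication EKU (1.3.6.1.5.5.7.3.2) and reports whether the private key can actually be opened from the current logon session, since a certificate can be visible in a store without a usable key. It assumes Windows PowerShell 5.1 or later with the `Cert:` provider; run it as the logged-in user to see what a user-context lookup sees, and from an elevated prompt to compare.

```powershell
# Added example: compare what the machine and user Personal stores expose
# for client-authentication certificates, and whether the private key is
# usable from this session. Not part of the original post.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU id-kp-clientAuth, as used in the post
$Stores = 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'

function Test-ClientAuthCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Look for the Enhanced Key Usage extension (2.5.29.37) and check it lists client auth.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku) { return $false }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
}

function Test-PrivateKeyAccess {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # HasPrivateKey only says a key is associated with the cert; trying to open the
    # key is what proves the current logon can use it (ACLs on the key container apply).
    if (-not $Cert.HasPrivateKey) { return 'no private key' }
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($key) { return 'usable' } else { return 'non-RSA key (not checked)' }
    } catch {
        return "not accessible: $($_.Exception.Message)"
    }
}

foreach ($store in $Stores) {
    Write-Host "== $store (as $env:USERNAME) =="
    Get-ChildItem $store | Where-Object { Test-ClientAuthCert $_ } | ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            PrivateKey = Test-PrivateKeyAccess $_
        }
    } | Format-Table -AutoSize
}
```

If the certificate appears under LocalMachine\My but the key shows as "not accessible" for the logged-in user while it shows "usable" under CurrentUser\My, the difference between the two stores is the key's accessibility in that session rather than the certificate's presence.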