I'm having an issue finding an all-inclusive document that can help me validate my GP portal and gw config to allow new users who receive a domain-joined laptop to be able to log into the domain on receipt of the laptop.

- The current gw is pre-login with on-demand.
- All laptops have a machine cert installed from our domain.
- For purposes of the test, I have a new user set up in AD that I use for a test (unsuccessfully to date).

I have set up my domain-joined laptop and adjusted the Palo Alto registry entries to show pre-logon=1, user-sso=yes, showprelogonbutton=yes. I reboot the machine and I do get the GP logo with the connect/not connected verbiage.

https://docs.paloaltonetworks.com/globalprotect/5-0/globalprotect-app-new-features/new-features-released-in-gp-agent-5_0/user-initiated-pre-logon-connection

My expectations are this:

- The user gets to the Windows login screen.
- The user selects the login method (selects the GP icon).
- The user enters their username and password.
- The user hits "Enter"/"Return".
- Nothing happens... (very frustrating).

I would have expected the laptop to reach out to the GP gateway, validate itself via the machine certs, then pass the user creds along to validate against Active Directory, resulting in a subsequent successful user logon to the laptop. At this point Windows will take over and start the new user setup (profile setup) that you get with any first-time new user login to a Windows machine.

The only thing that I can think of is that I have noticed in the past with the GP install that the username gets prepopulated with the domain\username configuration. Our GP setup only required "username". Using domain\username will cause an authentication failure. I have no idea how to verify this and, if this is indeed the case, how I can force GP to start up using just the "username" and not "domain\username".

Any advice would be appreciated.