It looks like GlobalProtect is a hot issue, specifically in combination with pre-logon functionality. We're also having a situation that appears difficult to explain. The idea is: when handing out devices with GlobalProtect preinstalled and preconfigured in the Windows registry, a receiving user who has never logged into that device should be able to do so with the help of GlobalProtect pre-logon (creating a device tunnel before any user tries to log in to Windows). From then on, the device should always try to set up a device tunnel when it is turned on, but it should use the device certificate to do so. For some unknown reason, with some of our users (yes, not all!?!) at a certain moment something happens (yes, very vague so far). The device will start trying to create a tunnel with seemingly user authentication (because a 2FA request is triggered), before any user actually logs in to Windows. So, for some reason the agent is no longer trying to create a device tunnel with the device certificate. It is all of a sudden trying to create a (pre-logon) tunnel with user creds. Since the 2FA request is triggered, I assume that the username and password have been successfully provided by saved credentials. Because the cookie lifetimes are configured so, they are no longer valid the next morning.
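One way to narrow down the symptom described above is to check, on an affected device, whether the pre-logon deployment settings are still in place and whether a machine certificate that the agent could actually use for a device tunnel is present and unexpired. The PowerShell below is an added diagnostic example, not code from the original post or from Palo Alto Networks; the registry paths and value names (`PanSetup`, `Portal`, `Prelogon`, `Settings`, `connect-method`) are assumptions based on the GlobalProtect deployment documentation and should be verified against the installed agent version.

```powershell
# Added diagnostic example (not from the original post). Reads the GlobalProtect
# pre-logon deployment settings and checks the machine store for a certificate
# usable for device (client) authentication. Registry paths and value names are
# ASSUMPTIONS taken from Palo Alto Networks deployment docs; verify for your version.

$setupKey    = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup'   # assumed deployment key
$settingsKey = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings'   # assumed app-settings key

function Get-GPPrelogonState {
    # Collects the values that decide whether the agent attempts a pre-logon tunnel.
    $result = [ordered]@{}
    foreach ($pair in @(@($setupKey, 'Portal'), @($setupKey, 'Prelogon'), @($settingsKey, 'connect-method'))) {
        $key, $name = $pair
        $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        $result[$name] = if ($item) { $item.$name } else { '<not set>' }
    }
    [pscustomobject]$result
}

function Get-DeviceAuthCertificates {
    # Client Authentication EKU OID is 1.3.6.1.5.5.7.3.2. A device tunnel needs a
    # valid, unexpired machine certificate whose private key is present.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')
        } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint
}

Get-GPPrelogonState | Format-List

$certs = Get-DeviceAuthCertificates
if (-not $certs) {
    Write-Warning 'No valid machine certificate with Client Authentication EKU and a private key found; pre-logon cannot use a device certificate.'
} else {
    $certs | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session on a device that has started prompting for 2FA before logon and compare the output with a healthy device: a missing or expired device certificate, or a changed `connect-method` / `Prelogon` value, would explain a fallback from certificate-based device authentication to user credentials.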