About Someonesomeone

Thank you again Robert,   You are amazing!   I think we got the Azure error resolved before i went on vacation, but this will be great to compare a working config with what we have.    Latest question that came up: Since the GlobalProtect client does enforcement for non-http/https traffic, what happens if a computer don't have the GlobalProtect Client or it is disabled?   We want to make sure that the resources are still protected.   Thank you so much, Chris  ... View more

Hi Robert, That is good to know that you see the same behavior, but it works.   I was seeing the exact error, getting the Protected Resource message and then clicked authenticate.  I think last I tried it I still had the Azure error, so I don't think I was authenticating.   We resolved the Azure error just before I went on vacation, but have been unable to do further testing since.  Thank you so much for confirming that you are able to do the RDP.   Sites that are https:  do they work for you with captive portal?  we don't have ssl decryption in place, so I'm wondering if that is the cause.  The block-continue response pages don't show up for us for https sites but they do for http, which i think is due to us not having ssl decryption in place.  I have read that if you have decryption you need to do ssl decryption forward proxy for it to work.  I'm just wondering if you had problems with https sites.   I'm just wondering what your experience has been with https sites.   Thank you so much for your help! Chris ... View more

Hi Robert,   Glad to know that document still applies.  I did skip step 3 and was thinking hmm... maybe this isn't possible.   Still getting the error, but I have two tickets in with support and hopefully at least one of them can help me figure that out.   Thanks to your help, I finally got the GlobalProtect Protected Resource message to pop up that I've been trying to trigger.  I have a couple of test auth rules.    The one i triggered the GlobalProtect message was for RDP session to specific host. When I try to connect I get "An internal error has occurred" Remote Desktop Connection dialog box.  Then the GlobalProtect message that has the authentication button which takes me to captive portal in browser window and i get the AADSTS700016 message (which I expect at this point).      Question for you:  Are you using this to control RDP sessions?  The "An internal error has occurred" has me concerned that it may not work if the session times out before it can authenticate.   Another question:  How do you get https to trigger authentication, do you have to have ssl decryption in place?   I greatly appreciate your help!   Thanks, Chris ... View more

@RobertShawver getting close, but not there yet.  Browser based applications I get redirected over http to azure, but after trying to authenticate i get AADSTS700016 Application with identifier 'https://cp.domain.com:6082/saml20/sp' was not found in the directory...   Also, not getting the notification from GlobalProtect when attempting non-browser based.   Appreciate any help.    Thanks,  Chris ... View more

Thank you RobertShawver!  I appreciate the help.  When you mentioned adding new captive portal to portal agent configuration, where do i put that?  Is that under the App tab of the portal agent configuration?  My guess is under trusted MFA Gateways as described in Step 6, item 3,  from the following document:  Configure GlobalProtect to Facilitate Multi-Factor Authenti... (paloaltonetworks.com)      Piecing things from different places.   Another question:     server.mfa.company.com, does that have to externally resolve?  The azureadminblog post seemed to indicate you only need internal, but someone told me it needs to be external for azure to talk to it.   Thanks ... View more

@RobertShawver Did you ever get success with this?  I am trying to set this up as well. ... View more