Hi,

We are trying to set up Always On + Pre-Logon with a machine cert which is generated by Microsoft PKI and distributed by GPO when the user turns on the machine. Then, when the user logs in to the machine, it will use Windows logon with SSO, like this KB: https://docs.paloaltonetworks.com/globalprotect/9-0/globalprotect-admin/globalprotect-quick-configs/remote-access-vpn-with-pre-logon

We confirmed a machine cert exists in the correct location on the Windows machine. Also, we imported the Microsoft Root cert onto the Palo Alto. And we configured the Portal and Gateway like the KB; the exception is that we are using MS PKI.

When we log in and log off as the user, it will successfully switch to Pre-Logon. However, when we reboot the machine, GlobalProtect won't connect automatically with pre-logon. GlobalProtect is disconnected until the user logs in.

It seems the cert is the issue. So far, we found out that if we create a Palo Alto generated cert and export the cert with the private key, and then import the cert to the Windows machine, it will work as expected.

We noticed that the main difference between the two is that the Palo Alto generated cert has a private key embedded within the machine cert. However, the Microsoft auto-generated machine cert doesn't have a private key within the cert. If you look at the end of the KB, it mentions "make sure a. it has private key".

Is the private key within the machine cert a requirement? If so, what is the technical reason? How can we generate a machine cert with a private key by Microsoft PKI?

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEYCA0

6. Once imported, double click the imported machine certificate to make sure
a. it has private key
b. its certificate chain is full up to its root CA. If the chain is missing root CA or intermediate CA, import them to their respective folders as explained in Step 5.
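The two checks in the quoted KB step (a private key linked to the machine cert, and a chain that builds up to a trusted root) can be scripted instead of inspected by hand in certlm.msc. The script below is an added example, not code from the original post, from Palo Alto Networks or from Microsoft. It assumes the certificate is in Cert:\LocalMachine\My (the computer account's Personal store, which is where GPO autoenrollment places it); the subject filter and the EKU OID are parameters you adjust. One point of terminology the check makes visible: a certificate file never contains the private key, so HasPrivateKey does not report a key "inside" the cert but whether the Windows store has a link from that cert to a key container in the machine key store. A cert imported without its key, or one whose link was lost, shows HasPrivateKey = False even though the cert itself looks fine.

```powershell
# Added example: verify a machine certificate is usable for GlobalProtect pre-logon.
# Not from the original post or the Palo Alto KB. Assumes the cert lives in
# Cert:\LocalMachine\My; $SubjectFilter and $ClientAuthOid are placeholders.
# Run from an elevated session: the GlobalProtect service reads the machine store
# as SYSTEM, so check the store the service sees, not a user's Personal store.

param(
    [string]$SubjectFilter = "*$env:COMPUTERNAME*",   # placeholder: match the machine's name/FQDN
    [string]$ClientAuthOid = "1.3.6.1.5.5.7.3.2"      # Client Authentication EKU
)

function Test-PreLogonMachineCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $result = [ordered]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        NotAfter      = $Cert.NotAfter
        HasPrivateKey = $Cert.HasPrivateKey   # KB check (a): store holds a link to a key container
        ClientAuthEku = $false
        ChainValid    = $false
        ChainStatus   = @()
        Chain         = @()
    }

    # EKU: a machine cert used for client auth needs Client Authentication
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku) {
        $result.ClientAuthEku = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
    }

    # KB check (b): build the chain from the machine stores up to a trusted root.
    # Revocation is skipped here so the result reflects chain completeness only.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $result.ChainValid  = $chain.Build($Cert)
    $result.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $result.Chain       = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })

    [pscustomobject]$result
}

$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like $SubjectFilter }
if (-not $certs) {
    Write-Warning "No certificate in Cert:\LocalMachine\My matches '$SubjectFilter'"
    return
}

foreach ($c in $certs) {
    $r = Test-PreLogonMachineCert -Cert $c
    $r | Format-List
    if (-not $r.HasPrivateKey) { Write-Warning "$($r.Thumbprint): no private key linked; pre-logon cannot use it" }
    if (-not $r.ChainValid)    { Write-Warning "$($r.Thumbprint): chain incomplete: $($r.ChainStatus -join ', ')" }
    if (-not $r.ClientAuthEku) { Write-Warning "$($r.Thumbprint): no Client Authentication EKU" }
    if ($r.NotAfter -lt (Get-Date)) { Write-Warning "$($r.Thumbprint): expired on $($r.NotAfter)" }
}
```

If HasPrivateKey is False on a cert that autoenrollment issued to this machine, the key container usually still exists and only the link is missing; certutil -repairstore my <thumbprint> (an existing certutil verb) attempts to re-associate the cert with its key. If ChainValid is False, the ChainStatus flags (for example PartialChain or UntrustedRoot) tell you which tier is missing, which is the "import them to their respective folders" case from the KB's Step 5.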