GlobalProtect failed to connect - required client certificate is not found

GlobalProtect failed to connect - required client certificate is not found

107519
Created On 09/26/18 13:47 PM - Last Updated 07/24/20 16:57 PM


Symptom

 

You have configured your portal and gateway to use the authentication profile and certificate profile 2 factor authentication, but you see the below error message in the status page of the GlobalProtect client when try to connect the GlobalProtect on the client computer:

"Required Client Certificate is not found"

 

You may also see this error message in the PanGP Service Log:

Debug(3624): Failed to pre-login to the portal XX.XX.XX.XX. Error 0

Debug(1594): close WinHttp close handle.

Debug(3588): prelogin status is Error

Error(3591): pre-login error message: Valid client certificate is required

Debug(1594): close WinHttp close handle.

Debug(4213): portal status is Client Cert Required.

Debug(3697): Portal required client certificate is not found.



Environment
  • Palo Alto Networks Firewall
  • GlobalProtect Infrastructure


Cause
  • These errors occurs because there is no correct/valid certificate found on the client's computer.


Resolution

You have 3 options when implementing certificate-based client authentication for your GlobalProtect environment.

  1. Shared client certificates - each endpoint uses the same certificate to authenticate; it can be locally generated or imported from trusted CA. Please note that this certificate would be installed in the user certificate store only. Machine certificates (that need to be imported in machine certificates store) cannot be pushed from portal. 
  2. Unique client certificates - requires either the implementation of a SCEP server on your network or use of an internal PKI to deploy them individually to each machine through GPO or using other device management systems
  3. Machine certificates - used with the Pre-Logon connect method to authenticate the device rather than the user 

The certificate imported to the client machine(s) may or may not be signed the same root CA which signed the 'Server Certificate' in the Portal/Gateway settings. However, please ensure the appliance has the full CA certificate chain of trust imported on the user's machine: i.e Root + Intermediate (if applicable) CAs.

Note: The client certificate will be indented under the root CA when viewing from the Device > Certificates in the GUI.

In cases of self-signed certificates, the certificate will need to be imported to the trusted root CA.

  • For instructions of how to import the certificate to the client computer using shared certificates, please follow the directions mentioned here.
  • For instructions of how to import the certificate to the client computer using unique certificates, please follow the directions mentioned here.
  • For instructions of how to import the certificate to the client computer using machine certificates, please follow the directions mentioned here


Additional Information
For additional documentation regarding certificates and their use within the GlobalProtect environment, please refer to the following documents:
 

How Does the App Know Which Certificate to Supply?

Set Up Client Certificate Authentication
 



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClolCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language