Palo Alto Networks Knowledgebase: GlobalProtect failed to connect - required client certificate is not found

GlobalProtect failed to connect - required client certificate is not found

42228
Created On 02/07/19 23:45 PM - Last Updated 02/07/19 23:45 PM
GlobalProtect GlobalProtect cloud service
Resolution

 

Issue

You have configured your portal and gateway to use the authentication profile and certificate profile 2 factor authentication, but you see the below error message in the status page of the GlobalProtect client when try to connect the GlobalProtect on the client computer:

"Required Client Certificate is not found"

 

You also see this error message in the PanGP Service Log:

Debug(3624): Failed to pre-login to the portal XX.XX.XX.XX. Error 0

Debug(1594): close WinHttp close handle.

Debug(3588): prelogin status is Error

Error(3591): pre-login error message: Valid client certificate is required

Debug(1594): close WinHttp close handle.

Debug(4213): portal status is Client Cert Required.

Debug(3697): Portal required client certificate is not found.

 

Solution

These errors occured because there is no correct/valid certificate in the client computer.

The certificate imported to the client machine must match with the 'Server Certificate' in the portal and gateway setting.

In cases of self-signed certificates, the certificate will need to be imported to both personal and trusted root CA.

For instructions of how to import the certificate to the client computer, please click here and refer to step #2.

 

Follow these instructions to import the certificate in P12 format to the client computer (Windows Machine):

 

  1. Click Start > Run mmc.
  2. Click File > Add/Remove Snap-In.
  3. Select Certificate and click Add, and select Computer Account.
  4. Click OK.
  5. Now you can import the Certificate to 'Personal' and 'Trusted Root CA.'


Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClolCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language