GlobalProtect Agent Prelogon Failing Even After Importing Private PKI Certificates
Issue
GlobalProtect agent prelogon fails even after the customer manually imports private PKI certificates into the local certificate store.
The prelogon connection attempt fails with the following error:
(T2796) 06/19/14 10:52:15:442 Debug(3233): Failed to pre-login to the portal <GATEWAY-IP-ADDRESS>. Error 12186
Cause
The issue may be caused by manually importing the private PKI certificates by drag and drop.
For example, on the Microsoft Management Console (MMC):
- Drag and drop machine-certificate to LOCAL-COMPUTER > Personal > Certificates
- Drag and drop root-CA-certificate to CURRENT-USER > Trusted Root Certification Authorities > Certificates
- Copy and paste root-CA-certificate to LOCAL-COMPUTER > Trusted Root Certification Authorities > Certificates
When certificates are dragged and dropped manually, some certificate attributes/fields may be missing. Drag and drop is therefore not a recommended procedure for installing certificates.
Resolution
The correct way to import certificates is either a GPO certificate install or a manual certificate install.
The example below is from a Windows 7 machine:
- Delete the previous, incorrect machine-certificate and root-CA-certificate in MMC.
- Right-click LOCAL-COMPUTER > Personal > Certificates, select All Tasks > Import, and import the machine-certificate.
- Right-click CURRENT-USER > Trusted Root Certification Authorities > Certificates, select All Tasks > Import, and import the root-CA-certificate.
- Right-click LOCAL-COMPUTER > Trusted Root Certification Authorities > Certificates, select All Tasks > Import, and import the root-CA-certificate.
- Uninstall the GlobalProtect Agent.
- Reinstall the GlobalProtect Agent, reconfigure GlobalProtect, and connect.
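To confirm the result of the import steps above before reinstalling the agent, the following PowerShell check can be run from an elevated prompt; it is an added example, not part of the original article or a Palo Alto Networks tool. It assumes the machine certificate is used for client authentication and therefore needs its private key; the two subject strings are placeholders to replace with values from your own PKI.

```powershell
# Added example. Placeholders: set these to the subjects used by your PKI.
$MachineCertSubject = 'CN=<MACHINE-CERT-SUBJECT>'
$RootCaSubject      = 'CN=<ROOT-CA-SUBJECT>'

# The three stores the article imports into, and what each must contain.
$checks = @(
    @{ Path = 'Cert:\LocalMachine\My';   Subject = $MachineCertSubject; NeedKey = $true  },
    @{ Path = 'Cert:\CurrentUser\Root';  Subject = $RootCaSubject;      NeedKey = $false },
    @{ Path = 'Cert:\LocalMachine\Root'; Subject = $RootCaSubject;      NeedKey = $false }
)

foreach ($c in $checks) {
    $found = @(Get-ChildItem -Path $c.Path |
               Where-Object { $_.Subject -like "*$($c.Subject)*" })
    if ($found.Count -eq 0) {
        Write-Output ("MISSING  {0}: no certificate matching '{1}'" -f $c.Path, $c.Subject)
        continue
    }
    foreach ($cert in $found) {
        $status = 'OK'
        # A machine certificate without its private key cannot authenticate.
        if ($c.NeedKey -and -not $cert.HasPrivateKey) { $status = 'NO-KEY' }
        if ($cert.NotAfter -lt (Get-Date))            { $status = 'EXPIRED' }
        Write-Output ("{0,-8} {1}: {2} (thumbprint {3}, expires {4:yyyy-MM-dd})" -f `
            $status, $c.Path, $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
    }
}

# Build the chain for each matching machine certificate to confirm it
# terminates at a trusted root. Revocation is skipped so the check runs offline.
$machineCerts = @(Get-ChildItem -Path 'Cert:\LocalMachine\My' |
                  Where-Object { $_.Subject -like "*$MachineCertSubject*" })
foreach ($cert in $machineCerts) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if ($chain.Build($cert)) {
        Write-Output ("CHAIN-OK {0}" -f $cert.Subject)
    } else {
        foreach ($s in $chain.ChainStatus) {
            Write-Output ("CHAIN-FAIL {0}: {1} {2}" -f $cert.Subject, $s.Status, $s.StatusInformation.Trim())
        }
    }
}
```

Any line other than `OK` or `CHAIN-OK` points at the store to re-import into with All Tasks > Import.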
owner: jlunario