Palo Alto Networks Knowledgebase: GlobalProtect Agent Prelogon Failing Even After Importing Private PKI Certificates

GlobalProtect Agent Prelogon Failing Even After Importing Private PKI Certificates

4096
Created On 02/07/19 23:44 PM - Last Updated 02/07/19 23:44 PM
Resolution

Issue

The GlobalProtect agent prelogon fails even after the customer manually imports private PKI certificates on the local certificate store.

Attempting to connect the GlobalProtect agent prelogon will fail to connect because of the following error:

(T2796) 06/19/14 10:52:15:442 Debug(3233): Failed to pre-login to the portal <GATEWAY-IP-ADDRESS>. Error 12186

Cause

The issue may be caused by manually importing the private PKI certificates in a drag and drop fashion.

For example, on the Microsoft Management Console (MMC):

  1. Drag and drop machine-certificate to LOCAL-COMPUTER > Personal > Certificates
  2. Drag and drop root-CA-certificate to CURRENT-USER > Trusted Root Certification Authorities > Certificates
  3. Copy and paste root-CA-certificate to LOCAL-COMPUTER > Trusted Root Certification Authorities > Certificates

When manually dragging and dropping certificates, some certificate attributes/fields may be missing. Therefore, this is not a recommended procedure of installing certificates.

7777.png

Resolution

The correct way of importing certificates is either by a GPO install certificate or a manual install certificate.

The example below is from a Windows7 machine:

  1. Delete previous incorrect machine-certificate and root-CA-certificate on MMC.
  2. Right click LOCAL-COMPUTER > Personal > Certificates, All Tasks > Import, Import the machine-certificate.
  3. Right click CURRENT-USER > Trusted Root Certification Authorities > Certificates, All Tasks > Import, Import the root-CA-certificate.
  4. Right click LOCAL-COMPUTER > Trusted Root Certification Authorities > Certificates, All Tasks > Import, Import the root-CA-certificate.
  5. Uninstall GlobalProtect Agent.
  6. Re-Install GlobalProtect Agent, reconfigure GlobalProtect and connect.

owner: jlunario



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClrlCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language