GlobalProtect client fails to connect with error "Unknown Server Certificate Error. Error 128"

31052
Created On 06/01/22 02:29 AM - Last Modified 08/26/22 02:06 AM


Symptom


  • The GlobalProtect client fails to connect to the Portal or Gateway with "Unknown Server Certificate error" as below.
    [Screenshot: Unknown Server Certificate Error on the GP client]
  • The error can appear for the portal, the gateway, or both, depending on where client certificate authentication is required in the configuration.


Environment


  • Palo Alto Strata Firewall
  • Supported PAN-OS
  • GlobalProtect client using Client certificate for authentication on Windows OS.
  • Prisma Access for Mobile Users


Cause


  • This is caused by the inability of the GlobalProtect client to access the private key of the client certificate, which is required for TLS client authentication.
  • This can be a corrupted certificate on the Windows machine or an operating system (OS) level issue where the private key of the certificate is inaccessible even though it is associated with the certificate.
  • This can be further verified in the PanGPA logs:
(P15248-T15144)Error(2329): 05/27/22 20:21:37:378 error = ERROR_WINHTTP_CLIENT_CERT_NO_ACCESS_PRIVATE_KEY
(P15248-T15144)Debug(2416): 05/27/22 20:21:37:378 winhttpObj, got ERROR_WINHTTP_CLIENT_CERT_NO_ACCESS_PRIVATE_KEY, clean cert cache now
(P15248-T15060)Debug( 408): 05/27/22 20:21:37:599 Receive gps message with type portal-certificate-verification.

//Truncated for Brevity 


	<portal-config-version>4100</portal-config-version>
	<error-must-show/>
	<error-must-show-level>error</error-must-show-level>
	<portal-status>Invalid portal</portal-status>
	<user-name>user.lastname</user-name>
	<username-type>sso</username-type>
	<state>Disconnected</state>
	<check-version>no</check-version>
	<portal>customer.gpcloudservice.com</portal>
	<discover-ready>no</discover-ready>
	<mdm-is-enabled>no</mdm-is-enabled>
	<error-code>128</error-code>


Resolution


  1. Reinstall the client certificate on the user machine.
  2. Connect again and this time the authentication should go through.


Additional Information


  • To reproduce the issue on the same client machine, access the portal or gateway URL via Internet Explorer or the Edge browser (in private mode); this will also fail with the same error.
  • If reinstalling the certificate does not fix the problem, upgrade the OS to the latest patches.
  • Verify that the client certificate has the full certificate chain and is installed in the right folder (Personal > Certificates).
  • Request the customer to perform additional OS-level troubleshooting to find out why the GlobalProtect client isn't able to access the private key of the certificate.
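The following PowerShell diagnostic is an added example, not part of the KB article or a Palo Alto Networks tool. It checks the two conditions this article points to, an inaccessible private key (the cause behind ERROR_WINHTTP_CLIENT_CERT_NO_ACCESS_PRIVATE_KEY) and an incomplete certificate chain, for every client-authentication certificate in the user's Personal store; it assumes the certificate is in Cert:\CurrentUser\My as the article describes.

```powershell
# Added diagnostic (not from the KB article): for each Client Authentication
# certificate in the user's Personal store, prove the private key is usable by
# signing a test message, and build the chain to confirm the issuing CAs are present.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_
    # Skip certificates whose EKU extension does not include Client Authentication
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })) { return }

    $keyUsable = $false
    $keyError  = ''
    if ($cert.HasPrivateKey) {
        try {
            # Opening the key fails when the key container is missing or the user cannot access it
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if (-not $key) { $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert) }
            if ($key) {
                # A signature proves the key is usable, not merely referenced by the certificate
                $data = [System.Text.Encoding]::UTF8.GetBytes('gp-key-check')   # constructed test message
                if ($key -is [System.Security.Cryptography.RSA]) {
                    $null = $key.SignData($data, [System.Security.Cryptography.HashAlgorithmName]::SHA256, [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
                } else {
                    $null = $key.SignData($data, [System.Security.Cryptography.HashAlgorithmName]::SHA256)
                }
                $keyUsable = $true
            }
        } catch { $keyError = $_.Exception.Message }
    }

    # Build the chain to verify the full issuing chain is installed on this machine
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        KeyUsable     = $keyUsable
        KeyError      = $keyError
        ChainOk       = $chainOk
        ChainStatus   = $chainStatus
    }
} | Format-Table -AutoSize
```

Run it as the affected user; a row with HasPrivateKey True but KeyUsable False (with KeyError populated) matches the failure in the PanGPA log above, and a ChainOk of False with PartialChain in ChainStatus points to a missing intermediate or root CA. If the deployment uses a machine certificate instead, change the path to Cert:\LocalMachine\My.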

