GlobalProtect with Kerberos SSO and Certificate Authentication fails with Error Message "Username in client cert is different from the input"

Created On 04/08/24 08:03 AM - Last Modified 05/21/24 22:20 PM


Symptom


  • On the Portal/Gateway, Client Authentication is set to User Credentials AND Client Certificate Required.
  • The Username Field in the Certificate Profile (Device > Certificate Management > Certificate Profile > [profile-name]) is set to Subject or Subject Alt (Email or Principal Name).
  • The client certificate attribute selected there (Subject or Subject Alternative Name) has a different value than the Client attribute in the Kerberos TGS ticket.
  • The user is unable to connect to GlobalProtect from the app and gets the error message "Authentication Failed. Enter login credentials".
  • In the GlobalProtect logs on the Portal/Gateway, the authentication failure is logged with the error "Username in client cert is different from the input".


Environment


  • Palo Alto NGFW Firewalls
  • GlobalProtect (GP) Portal or Gateway
  • Kerberos SSO authentication
  • Certificate authentication


Cause


  • When the Username Field is set to Subject or Subject Alt and Client Authentication is set to User Credentials AND Client Certificate Required, the username from the Client attribute in the Kerberos TGS ticket and the selected client certificate attribute (Subject or Subject Alternative Name) are compared.
  • If they do not match, authentication fails with the error message "Username in client cert is different from the input".


Resolution


  1. Set the Username Field in the Certificate Profile to None.
  2. Commit the configuration.
  3. GlobalProtect now uses the username from the "Client" attribute in the Kerberos TGS ticket.
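To make the comparison described under Cause and the effect of the Resolution concrete, here is an added example that is not part of this article or of PAN-OS. It builds a constructed SubjectAltName in DER, extracts the rfc822Name (Subject Alt Email) and the Microsoft UPN otherName (Subject Alt Principal Name), and compares whichever field a given Username Field setting selects with a constructed Kerberos client name. The setting names and the exact, case-sensitive comparison are assumptions for illustration; the article does not describe the firewall's matching rules.

```python
# Added example (not from the article or PAN-OS); the exact-match comparison is an assumption.
UPN_OID = bytes.fromhex("2b060104018237140203")  # 1.3.6.1.4.1.311.20.2.3 (Microsoft UPN)
def tlv(tag, body):
    """Encode one DER TLV; bodies in this example are shorter than 128 bytes."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body
def read_tlv(buf, pos):
    """Decode one DER TLV at pos (short or long length form): (tag, body, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def build_san(email, upn):
    """SAN = SEQUENCE OF GeneralName: rfc822Name [1] and otherName [0] carrying a UPN."""
    rfc822 = tlv(0x81, email.encode("ascii"))
    upn_value = tlv(0xA0, tlv(0x0C, upn.encode("utf-8")))     # [0] EXPLICIT UTF8String
    other_name = tlv(0xA0, tlv(0x06, UPN_OID) + upn_value)
    return tlv(0x30, rfc822 + other_name)
def parse_san(der):
    """Return the rfc822Name (Subject Alt Email) and UPN (Principal Name) from a SAN value."""
    tag, seq, _ = read_tlv(der, 0)
    assert tag == 0x30, "SAN must be a SEQUENCE"
    found, pos = {"email": None, "upn": None}, 0
    while pos < len(seq):
        tag, body, pos = read_tlv(seq, pos)
        if tag == 0x81:                                        # rfc822Name
            found["email"] = body.decode("ascii")
        elif tag == 0xA0:                                      # otherName
            otag, oid, p = read_tlv(body, 0)
            if otag == 0x06 and oid == UPN_OID:
                _, explicit, _ = read_tlv(body, p)             # [0] EXPLICIT wrapper
                _, utf8, _ = read_tlv(explicit, 0)             # UTF8String inside it
                found["upn"] = utf8.decode("utf-8")
    return found
def username_field_check(username_field, krb_client, subject_cn, san):
    """Assumed check: the selected certificate field must equal the Kerberos client name."""
    selected = {"none": None, "subject": subject_cn,
                "subject-alt-email": san["email"], "subject-alt-upn": san["upn"]}[username_field]
    if selected is None:                                       # Resolution: Username Field = None
        return "ok: username taken from Kerberos TGS client " + krb_client
    if selected != krb_client:
        return "Username in client cert is different from the input"
    return "ok: username " + selected
if __name__ == "__main__":
    san = parse_san(build_san("jdoe@example.com", "jdoe@CORP.EXAMPLE.COM"))  # constructed values
    for field in ("subject", "subject-alt-email", "subject-alt-upn", "none"):
        print(field, "->", username_field_check(field, "jdoe@CORP.EXAMPLE.COM", "John Doe", san))
```

With these constructed values only the UPN matches the Kerberos client name; Subject (CN "John Doe") and Subject Alt Email produce the article's error, and None sidesteps the comparison entirely.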


Additional Information


  • Set up Kerberos Authentication
  • GUI Path for User Credentials AND Client Certificate Required
    • Network > GlobalProtect > Portals > <portal-config> > Authentication > Client Authentication > <client-authentication-config> > Allow Authentication with User Credentials OR Client Certificate (For Portal)
    • Network > GlobalProtect > Gateways > <gateway-config> > Authentication > Client Authentication > <client-authentication-config> > Allow Authentication with User Credentials OR Client Certificate (For Gateway)


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CrKECA0&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail