Post-VPN Script Fails Due to Error 87

20211

Created On 09/16/20 18:22 PM - Last Modified 07/28/25 10:28 AM

Device Management

VPNs

8.1

8.0

9.0

9.1

9.2

10.0

GlobalProtect

Symptom

The following error messages present in the PanGPS.log:

(T5288) 08/11/20 09:21:44:714 Debug( 176): Run cmd "C:\Program" Files\Palo Alto Networks\GlobalProtect\VPNLogonScriptLauncher.exe in session 1 as user

(T5288) 08/11/20 09:21:44:721 Error( 270): WTSQueryUserToken failed. Error: 5

(T5288) 08/11/20 09:21:44:722 Error( 311): RunProcessIntoDifferentSession: failed to SetTokenInformation. Error: 1314

(T5288) 08/11/20 09:21:44:748 Error( 370): CreateProcessAsUser failed with value Error: 2

(T5288) 08/11/20 09:21:44:748 Error(3338): Failed to open process 0. Error 87

(T5288) 08/11/20 09:21:44:749 Error(3390): Failed to launch command. Error 1008. Command C:\Program Files\Palo Alto Networks\GlobalProtect\VPNLogonScriptLauncher.exe as user, timeout 0.

(T5288) 08/11/20 09:21:44:749 Debug(3393): Result is false for run command C:\Program Files\Palo Alto Networks\GlobalProtect\VPNLogonScriptLauncher.exe. as user, timeout 0

Environment

Existing GlobalProtect Infrastructure as mentioned here: GlobalProtect Administrator's Guide

Post-VPN script configured to run as mentioned here: Script Deployment Options

Cause

The root cause of this error is typically due to invalid parameters configured within the script. This could include anything from incorrect spelling, improper syntax, file location, etc.

Resolution

To ensure the script is able to execute properly, review the configuration to ensure it doesn't include common errors involving the correct spelling, syntax, and file location
The most common mistake made during configuration is the addition of leading spaces in the script
In this example, the customer configured the script file command as C:\Program Files\Palo Alto Networks\GlobalProtect\VPNLogonScriptLauncher.exe without using quotation marks to wrap the text
As seen below, this results in PanGP service parsing the information incorrectly:

(T5288) 08/11/20 09:21:44:714 Debug(3308): Full path is "C:\Program"

(T5288) 08/11/20 09:21:44:714 Debug(3313): Full command is "C:\Program" Files\Palo Alto Networks\GlobalProtect\VPNLogonScriptLauncher.exe

By wrapping the command with quotations such as "C:\Program Files\Palo Alto Networks\GlobalProtect\VPNLogonScriptLauncher.exe" within the command registry value, we can avoid the PanGP service improperly parsing the command and allow the command to successfully complete.

Additional Information