How to resolve WinHTTP errors with GP client certificate authentication

Created On 10/29/20 22:10 PM - Last Modified 11/09/20 21:43 PM


Symptom


GlobalProtect authentication fails with the following WinHTTP error in PanGPA.log: 

ERROR_WINHTTP_CLIENT_CERT_NO_ACCESS_PRIVATE_KEY

 


Environment


  • GlobalProtect Infrastructure 
  • Windows Environment 


Cause


This issue typically occurs when PanGPA searches for the client certificate in the user store and finds it but does not have access to the private key. 

Please refer to the Microsoft documentation for these error messages: https://docs.microsoft.com/en-us/windows/win32/winhttp/error-messages




 


Resolution


  1. Make sure ‘Network Service’ has permission to read the private key. These permissions are assigned in Certlm.msc by selecting the certificate and choosing ‘All tasks, Manage private keys’ from the context menu.
  2. This issue can also be avoided if the client certificate is fetched from the machine store instead of the user store, using the portal configuration or the Windows registry. This is because the user account may sometimes not have the necessary permissions to access the private key.
Note: Windows Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings > certificate-store-lookup=machine
 
  3. Additionally, if the client certificate is not imported to the certificate store with a private key, PanGPA.log will show the following error: ERROR_WINHTTP_CLIENT_CERT_NO_PRIVATE_KEY
  4. To resolve this, make sure the certificate is imported with the private key. If it was generated on the firewall, export the certificate in PKCS12 format, which includes the private key.
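A read-only PowerShell check for the conditions in the steps above, added here as an example and not taken from the article or from Palo Alto Networks. It assumes the certificate is in the machine store, that key files are in the default Windows directories, and it only evaluates an explicit allow entry for Network Service (access granted through a group is not detected).

```powershell
# Added diagnostic example, not vendor code. Run from an elevated prompt.
$regPath = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings'   # key named in the article
$lookup  = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).'certificate-store-lookup'
if (-not $lookup) { $lookup = '<not set>' }
Write-Output "certificate-store-lookup = $lookup"

# Assumption: default locations of machine private-key files (legacy CSP, then CNG).
$keyDirs = @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
             "$env:ProgramData\Microsoft\Crypto\Keys")
$networkServiceSid = 'S-1-5-20'   # well-known SID, independent of the OS display language
$readMask = [int][System.Security.AccessControl.FileSystemRights]::Read

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_; $name = $null; $keyFile = $null
    if (-not $cert.HasPrivateKey) {
        # Matches the ERROR_WINHTTP_CLIENT_CERT_NO_PRIVATE_KEY case.
        $status = 'certificate has no private key in the store'
    } else {
        $status = 'private key is not RSA or has no key file; check manually'
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $name = $rsa.Key.UniqueName
            } elseif ($rsa) {
                $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
            }
            if ($name) {
                $keyFile = $keyDirs | ForEach-Object { Join-Path $_ $name } |
                           Where-Object { Test-Path $_ } | Select-Object -First 1
            }
            if ($keyFile) {
                # Resolve ACL entries to SIDs and look for an allow rule covering Read.
                $rules = (Get-Acl -Path $keyFile).GetAccessRules(
                             $true, $true, [System.Security.Principal.SecurityIdentifier])
                $allowed = $rules | Where-Object {
                    $_.IdentityReference.Value -eq $networkServiceSid -and
                    $_.AccessControlType -eq 'Allow' -and
                    (([int]$_.FileSystemRights -band $readMask) -eq $readMask)
                }
                # Matches the ERROR_WINHTTP_CLIENT_CERT_NO_ACCESS_PRIVATE_KEY case.
                $status = if ($allowed) { 'Network Service can read the key' }
                          else { 'Network Service has no explicit read access' }
            }
        } catch { $status = "could not inspect key: $($_.Exception.Message)" }
    }
    [pscustomobject]@{ Subject = $cert.Subject; Thumbprint = $cert.Thumbprint
                       Status  = $status;       KeyFile    = $keyFile }
} | Format-List
```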
 

 

