Can Common Access Card authentication be used for GlobalProtect User Logon (Always On)?

Created On 12/11/20 14:19 PM - Last Modified 07/26/23 21:14 PM


Question


If GlobalProtect Always On is configured with a certificate and a smart card as authentication methods, is it possible for the end user to enter the PIN only once, at the Windows logon screen?
 


Environment


  • Windows endpoints only
  • GlobalProtect Agent versions older than 6.0
  • GlobalProtect configured with a certificate and a smart card as authentication methods
  • The user logs on to Windows 10 with a CAC (Common Access Card)
  • Windows boots up and connects to GlobalProtect, and the user enters the PIN only once (at the Windows logon screen)


Answer


  1. For GlobalProtect versions older than 6.0, this is not possible, because GlobalProtect SSO (Single Sign-On) works only with username/password, not with a smart card/CAC.
  2. For GlobalProtect version 6.0 and Content Release version 8451-6911 and later, refer to Single-sign-on-sso-using-smart-card-authentication.

