Changing between GlobalProtect Portals causes error "The Client Certificate Is Invalid"

Created On 01/11/21 20:17 PM - Last Modified 10/21/21 02:18 AM


Symptom


  • When changing between GlobalProtect Portal connections, users occasionally see the error:
    "Connection Failed. The client certificate is invalid. Please contact your IT administrator."
  • After connecting to one Portal, switching to another, and then switching back, this error can appear even though the certificate is valid, not revoked, and configured properly.


Environment


  • PAN-OS
  • GlobalProtect
  • Multiple Portals
    • Portal A: Certificate Profile enabled, App using User Store certificate, SAN certificate
    • Portal B: Certificate Profile enabled, App using Machine Store certificate, Subject used for certificate


Cause


When different Portals use Certificate Profiles, the client keeps only one certificate-store-lookup value (an HKEY value on Windows, a plist value on Mac). If Portal A requires a valid certificate from the User store and Portal B requires a valid certificate from the Machine store, access to one Portal or the other may be blocked, because the certificate-store-lookup value is saved from the configuration of the last accessed Portal rather than being stored separately for each Portal.


Resolution


Option 1: Remove the Certificate Profile from the Portal and apply it only on the Gateway
or
Option 2: Edit the registry (Windows) or plist (Mac)
  1. In Windows, open the Start Menu and type "Registry Editor"; on Mac, open the GlobalProtect plist (Step 1 in both linked articles gives the access location).
  2. The certificate-store-lookup setting shows the store lookup saved from the last accessed Portal (the LastUrl value shows which Portal that was).
  3. If the Portal being accessed requires a certificate and its configuration specifies either User or Machine (the default is user-and-machine), temporarily change the value to user-and-machine, or to the specific store that holds the correct Client Certificate (user or machine). The Data value must be all lowercase.
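The Option 2 steps above, as an added PowerShell example that is not part of the article or of GlobalProtect itself: it reads LastUrl and certificate-store-lookup, validates the new value against the three lowercase settings the article names, backs up the current value, and writes the change. The registry key path is not given in the article, so $GpKey is a placeholder you must set to the key shown in Registry Editor; run from an elevated session.

```powershell
# Added example (not from the article): inspect and adjust the GlobalProtect
# certificate-store-lookup value that Option 2 edits by hand.
# ASSUMPTION: $GpKey is a placeholder; set it to the registry key in which
# Registry Editor shows LastUrl and certificate-store-lookup on your client.
$GpKey = 'HKLM:\SOFTWARE\<GlobalProtect key shown in Registry Editor>'  # placeholder
$AllowedValues = @('user', 'machine', 'user-and-machine')               # must be lowercase

function Get-GpStoreLookup {
    param([string]$Key = $GpKey)
    $p = Get-ItemProperty -Path $Key -ErrorAction Stop
    [pscustomobject]@{
        LastUrl     = $p.LastUrl                    # last accessed Portal
        StoreLookup = $p.'certificate-store-lookup' # lookup saved from that Portal
    }
}

function Set-GpStoreLookup {
    param(
        [Parameter(Mandatory)][string]$Value,
        [string]$Key = $GpKey
    )
    $normalized = $Value.Trim().ToLowerInvariant()   # the Data value must be all lowercase
    if ($AllowedValues -notcontains $normalized) {
        throw "Unsupported value '$Value'. Use one of: $($AllowedValues -join ', ')"
    }
    $before = Get-GpStoreLookup -Key $Key
    # Keep a copy of the current setting so the temporary change can be reverted
    $backup = Join-Path $env:TEMP ("gp-store-lookup-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))
    "Key=$Key`r`nLastUrl=$($before.LastUrl)`r`ncertificate-store-lookup=$($before.StoreLookup)" |
        Set-Content -Path $backup
    Set-ItemProperty -Path $Key -Name 'certificate-store-lookup' -Value $normalized -Type String
    [pscustomobject]@{
        LastUrl = $before.LastUrl
        Before  = $before.StoreLookup
        After   = (Get-GpStoreLookup -Key $Key).StoreLookup
        Backup  = $backup
    }
}

# Usage: show which Portal wrote the current lookup, then widen it so both stores are searched
Get-GpStoreLookup
Set-GpStoreLookup -Value 'user-and-machine'
```

Restore the value from the backup file once the Portal's Client Certificate Store Lookup has been reconciled on the firewall side, since the next Portal connection will overwrite it anyway.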


Additional Information


To set the Client Certificate Store Lookup from the web interface of the firewall hosting the Portal, go to Network > GlobalProtect Portals > Portal Name > Agent > App > Client Certificate Store Lookup.

