GlobalProtect SAML authentication with Embedded Browser stuck after updating Adobe Acrobat Reader to version 21.001.20135

GlobalProtect SAML authentication with Embedded Browser stuck after updating Adobe Acrobat Reader to version 21.001.20135

25581
Created On 02/12/21 20:49 PM - Last Modified 05/06/22 20:49 PM


Symptom


Adobe Acrobat Reader update - version 21.001.20135 is breaking SAML authentication process and causing GlobalProtect connection to fail. Once user inputs their credentials on the embedded browser, SAML authentication window gets stuck in connecting state and the GlobalProtect App shows an error message (as shown below) regarding an Adobe plug-in.
 
GP error Adobe

Adobe Error

(Note: Error message doesn't popup automatically. User will have to hover over the GP icon on the taskbar to see the error message).
  
   

Environment


  • GlobalProtect App Version: Any
  • Authentication method: SAML
  • Browser used for SAML Authentication: Embedded
  • Adobe Acrobat Reader Version: 21.001.20135
  • OS: Windows Endpoints
Note: This also applies to GlobalProtect clients connecting to Prisma Access.

 

Cause


This issue is NOT caused by GlobalProtect app. Adobe Acrobat Reader's update 21.001.20135 installs Plugins in the browsers. But, this new plugin is not supported by the embedded browser which is used by GlobalProtect App for SAML authentication. As a result, SAML authentication breaks causing GlobalProtect App connection to fail. Other VPN providers are also facing a similar issue. You can see discussions around this on Adobe community in the following links:

https://community.adobe.com/t5/acrobat-reader/bug-version-21-001-20135/td-p/11821802
https://community.adobe.com/t5/acrobat-reader/adobe-acrobat-reader-21-001-20135-preventing-users-to-connect-to-global-protect/td-p/11823885

  

Resolution


Adode has fixed this issue with a hotfix release 21.001.20138. For more details, refer to this link

If you are unable to upgrade Adode Acrobat Reader version to 21.001.20138, you can use the workarounds listed below to resolve this issue.
  1. Downgrade Adobe Acrobat Reader to the previous version. 
  2. Disable Adobe PDF reader Plugin from the IE browser. To do that, go to Internet Explorer and then settings > manage adds-on then choose All Add-ons and choose Adobe PDF Reader and right click on it then click on disable to disable it.
 Disable Adobe PDF reader
  1. Use the Default System Browser (like Chrome, IE, Firefox, etc) for SAML authentication, check this link for more detail. This feature is supported on GlobalProtect App version 5.2.0 or later and PAN-OS 8.1.17, 9.0.11, 9.1.6, and 10.0.0 or later with Content Release version 8284-6139 or later.
 

Additional Information


Contact Palo Alto Networks Support team if you have additional questions.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCsVCAW&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language