GlobalProtect Mac Client Connection Failed with Error "Could not connect to the authentication server."

Created On 02/12/21 21:54 PM - Last Modified 01/21/23 03:50 AM


Symptom


  • A GlobalProtect user on a Mac is unable to connect to the Portal using SAML authentication.
  • When connecting, a "Server Certificate Error" pop-up appears, warning about an untrusted certificate and asking whether to Continue.
  • After clicking Continue, the SAML authentication page appears in the browser but never finishes, and the GlobalProtect App shows the error below.
Could not connect to the authentication server. Check your internet connection and try again. 
If the issue persists, contact your administrator.
  • From the PanGPS.log:
P4189-T11783 02/09/2021 17:44:32:906 Debug(2558): gets saml user name SAMLUser.
P4189-T11783 02/09/2021 17:44:32:906 Debug(2570): saml-load-cache exists with value 2
P4189-T11783 02/09/2021 17:44:32:906 Debug(2582): saml-auth-error is Could not connect to the authentication server. Check your internet connection and try again. If the issue persists, contact your administrator.
  • From the PanGPA.log:
P4191-T775 02/09/2021 17:39:56:227 Debug( 54): PanSAMLDialog::windowDidLoad - unhide proc started.
P4191-T775 02/09/2021 17:44:32:357 Debug( 191): didFailLoadwithError - The operation couldn’t be completed. (NSURLErrorDomain error -999.)
2021-02-09 17:44:32.475 GlobalProtect[4191:59143] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
P4191-T775 02/09/2021 17:44:32:476 Debug( 200): didFailProvisionalLoadWithError - An SSL error has occurred and a secure connection to the server cannot be made.

 


Environment


  • GlobalProtect App on MacOS
  • SAML Authentication Configured for Portal


Cause


The Root CA certificate configured for the GlobalProtect Portal is not present in either the macOS Keychain or the default browser (e.g. Safari).
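
To spot this failure in collected client logs, the following added example (not Palo Alto Networks code) parses the PanGPA.log and PanGPS.log line format shown in the excerpts above and reports a saml-auth-error that follows a TLS failure from the SAML dialog. The function names and the 5-second correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Sample lines adapted from this article's log excerpts (messages abbreviated).
PANGPA = """\
P4191-T775 02/09/2021 17:39:56:227 Debug( 54): PanSAMLDialog::windowDidLoad - unhide proc started.
P4191-T775 02/09/2021 17:44:32:357 Debug( 191): didFailLoadwithError - (NSURLErrorDomain error -999.)
2021-02-09 17:44:32.475 GlobalProtect[4191:59143] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
P4191-T775 02/09/2021 17:44:32:476 Debug( 200): didFailProvisionalLoadWithError - An SSL error has occurred and a secure connection to the server cannot be made.
"""
PANGPS = """\
P4189-T11783 02/09/2021 17:44:32:906 Debug(2582): saml-auth-error is Could not connect to the authentication server.
"""
# Line format: P<pid>-T<tid> MM/DD/YYYY HH:MM:SS:mmm Level(<line>): message
LINE = re.compile(r"^P\d+-T\d+ (?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3}) "
                  r"\w+\(\s*\d+\): (?P<msg>.*)$")
SSL_FAIL = re.compile(r"kCFStreamErrorDomainSSL, (-\d+)|An SSL error has occurred")

def parse(text):
    """Return [timestamp, message] records; other lines (NSLog output) join the previous record."""
    records = []
    for raw in map(str.strip, text.splitlines()):
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S:%f")
            records.append([ts, m["msg"]])
        elif raw and records:
            records[-1][1] += " " + raw
    return records

def triage(gpa_text, gps_text, window=timedelta(seconds=5)):
    """Report each saml-auth-error in PanGPS.log that follows a TLS failure
    logged by PanGPA within `window` (the window size is an assumption)."""
    ssl_events = [r for r in parse(gpa_text) if SSL_FAIL.search(r[1])]
    findings = []
    for ts, msg in parse(gps_text):
        if "saml-auth-error is" not in msg:
            continue
        near = [m for t, m in ssl_events if timedelta(0) <= ts - t <= window]
        if near:
            codes = sorted({c for m in near for c in SSL_FAIL.findall(m) if c})
            findings.append({"time": ts, "ssl_events": len(near), "ssl_codes": codes})
    return findings

if __name__ == "__main__":
    for f in triage(PANGPA, PANGPS):
        print(f"{f['time']}: SAML failure after {f['ssl_events']} TLS error(s), "
              f"codes {f['ssl_codes']}: check trust of the portal's root CA")
```

A finding means the SAML page load failed at the TLS layer rather than at the identity provider, which points to the missing or untrusted Root CA described above.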

Resolution


  1. Manually import the Root CA that issued the GlobalProtect Portal certificate into the user's macOS Keychain or the Safari browser.
  2. After importing the certificate, make sure it is trusted. A red X mark on the certificate indicates that it is not trusted; in that case it has to be trusted manually, as shown in the link below.
  3. As the steps may vary across different versions of macOS, refer to the appropriate macOS documentation.
   

