GlobalProtect users are presented with error messages such as “Authentication failed: empty password” or “Cloud Authentication Service single-sign-on failed"

• Users are attempting to establish a tunnel using GlobalProtect from domain-registered machines
• Users are not prompted to enter credentials for both the portal and gateway.
• This is despite having disabled the "Single Sign-On" (SSO) feature and configuring the "Save User Credentials" option to "no" in the portal agent configuration.
• Error message "Authentication failed: empty password" is seen on the GlobalProtect App.
• "Cloud Authentication Service single-sign-on failed." messages are seen in the Global Protect logs under the Monitor tab
• An empty password error can be observed in the Global Protect logs:

(P6108-T12400)Debug(3225): 04/05/23 11:57:14:152 Auth failed empty password for gateway gp.paloaltonetworks.com

• Palo Alto Firewalls
• PAN-OS 10.1 and above
• User identification via Cloud Identity Engine (CIE)
• Authentication with Cloud Authentication Service (CAS)
• Microsoft Azure as Identity Provider (IdP)
• Host machine added to the one or multiple domains

• This issue arises from the utilization of Microsoft Azure Single Sign-On (SSO) in conjunction with the inclusion of the Windows client in the domain.
• When authenticating with GlobalProtect using Cloud Authentication Service (CAS), the Security Assertion Markup Language (SAML) is employed, which triggers a redirection to Azure.
• However, as SSO is enabled in Azure, it attempts to leverage the credentials entered during the Windows system login process.
• Since this behavior falls outside the purview of the GlobalProtect application, disabling SSO in the portal configuration has no effect on this specific behavior.

1. Disable Single Sign On (SSO) on Microsoft Azure
2. Enable "Force Authentication" on Cloud Identity Engine under Authentication Types and "ForceAuthn" in the Microsoft Azure