GlobalProtect users are presented with error messages such as "Authentication failed: empty password" or "Cloud Authentication Service single-sign-on failed"
16538
Created On 05/15/23 15:05 PM - Last Modified 09/22/23 22:06 PM
Symptom
- Users are attempting to establish a tunnel with GlobalProtect from domain-joined machines.
- Users are not prompted for credentials for either the portal or the gateway.
- This happens even though the "Single Sign-On" (SSO) feature is disabled and "Save User Credentials" is set to "no" in the portal agent configuration.
- The error message "Authentication failed: empty password" is shown in the GlobalProtect app.
- "Cloud Authentication Service single-sign-on failed." messages appear in the GlobalProtect logs under the Monitor tab.
- An empty-password error is also recorded in the GlobalProtect app logs, for example:
(P6108-T12400)Debug(3225): 04/05/23 11:57:14:152 Auth failed empty password for gateway gp.paloaltonetworks.com
Environment
- Palo Alto Networks firewalls
- PAN-OS 10.1 and later
- User identification via Cloud Identity Engine (CIE)
- Authentication with Cloud Authentication Service (CAS)
- Microsoft Azure as Identity Provider (IdP)
- Host machine joined to one or more domains
Cause
- The issue is caused by Microsoft Azure Single Sign-On (SSO) in combination with a domain-joined Windows client.
- When GlobalProtect authenticates through the Cloud Authentication Service (CAS), it uses SAML, which redirects the user's browser to Azure.
- Because SSO is enabled in Azure, Azure completes the SAML authentication with the session established at Windows logon instead of prompting for credentials, so the GlobalProtect app never collects a password for the portal or gateway.
- This behavior takes place on the Azure side, outside the control of the GlobalProtect app, so disabling SSO in the portal agent configuration has no effect on it.
Resolution
There are two ways to resolve this issue:
- Disable Single Sign-On (SSO) on Microsoft Azure. Note that this affects every application that relies on Azure SSO, not only GlobalProtect.
- Enable "Force Authentication" under Authentication Types in the Cloud Identity Engine and enable ForceAuthn on the Microsoft Azure side, so that the SAML AuthnRequest carries ForceAuthn="true" and Azure prompts the user for credentials instead of reusing the existing Windows logon session.
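When verifying the second approach, the quickest check is to capture the redirect to Azure (for example with a browser SAML tracer) and confirm that the AuthnRequest actually carries ForceAuthn="true"; if the attribute is absent, SAML 2.0 lets the IdP reuse an existing session. The following script is an added example, not code from this article, Palo Alto Networks or Microsoft. It builds a minimal AuthnRequest, encodes it the way the HTTP-Redirect binding does (raw DEFLATE, base64, URL-encoding in the SAMLRequest parameter), and decodes it again to report the ForceAuthn setting. The issuer, ACS and IdP URLs are constructed placeholders; the decode path also works on a real SAMLRequest value pasted from a capture.

```python
# Added example, not code from the Palo Alto Networks article or from Microsoft.
# Decodes a SAML 2.0 AuthnRequest carried in the HTTP-Redirect binding
# (SAMLRequest query parameter) and reports whether ForceAuthn="true" is set.
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed placeholders (assumptions), not real portal or tenant values.
SP_ISSUER = "https://gp.example.test:443/SAML20/SP"
ACS_URL = "https://gp.example.test:443/SAML20/SP/ACS"
IDP_SSO_URL = "https://idp.example.test/saml2"


def build_authn_request(force_authn: bool, issuer: str = SP_ISSUER, acs_url: str = ACS_URL) -> str:
    """Minimal AuthnRequest; ID and IssueInstant are fixed so the output is deterministic."""
    force_attr = ' ForceAuthn="true"' if force_authn else ""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"'
        f' ID="_example-request-id" Version="2.0"'
        f' IssueInstant="2023-04-05T11:57:14Z"'
        f' AssertionConsumerServiceURL="{acs_url}"{force_attr}>'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"</samlp:AuthnRequest>"
    )


def encode_redirect_binding(xml_text: str) -> str:
    """Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 selects raw deflate
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(deflated).decode("ascii")


def build_redirect_url(xml_text: str, idp_sso_url: str = IDP_SSO_URL) -> str:
    """URL the SP redirects the browser to (unsigned, for illustration only)."""
    query = urllib.parse.urlencode({"SAMLRequest": encode_redirect_binding(xml_text)})
    return f"{idp_sso_url}?{query}"


def saml_request_from_url(url: str) -> str:
    """Extract the SAMLRequest parameter (URL-decoded, still base64) from a redirect URL."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    try:
        return params["SAMLRequest"][0]
    except KeyError:
        raise ValueError("no SAMLRequest parameter in URL") from None


def decode_redirect_binding(b64_request: str) -> str:
    """Reverse of encode_redirect_binding: base64-decode, then raw inflate."""
    return zlib.decompress(base64.b64decode(b64_request), -15).decode("utf-8")


def force_authn_requested(b64_request: str) -> bool:
    """True only when the AuthnRequest explicitly carries ForceAuthn="true".

    An absent attribute defaults to false per SAML 2.0 Core, which permits the
    IdP to reuse an existing session (the Windows logon in this article).
    For untrusted captures, parse with defusedxml rather than the stdlib parser.
    """
    root = ET.fromstring(decode_redirect_binding(b64_request))
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    return root.attrib.get("ForceAuthn", "false").strip().lower() == "true"


if __name__ == "__main__":
    for flag in (False, True):
        url = build_redirect_url(build_authn_request(flag))
        print(f"ForceAuthn in request: {force_authn_requested(saml_request_from_url(url))}")
```

To check a live deployment, paste the SAMLRequest value from the captured redirect into `force_authn_requested`; a result of False means the Cloud Identity Engine is not asking Azure to re-authenticate, regardless of what the portal agent SSO settings say.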
Additional Information
More information regarding Microsoft SSO can be found under this link.