Portal connectivity fails with error: "Cached portal configuration is tampered" when multiple users share Windows with same GlobalProtect username

Created On 02/01/23 14:38 PM - Last Modified 07/08/25 01:20 AM


Symptom


  • GlobalProtect connection fails when switching the user by logging out and logging in to Windows with another user account.
  • Both Windows users connect to GlobalProtect using the same GlobalProtect user name.
  • PanGPA.log shows the portal connection being dropped with the message 'Cached portal configuration is tampered.':
17:25:18:770 Cached portal configuration is tampered. 
17:25:18:770 Setting debug level to 5
17:25:18:770 Failed to get portal config from portal xxxxx.gpcloudservice.com.
17:25:18:770 Try to restore last portal config from file.
17:25:18:770 pan_read_text_from_file(): File does not exist. File: C:\Users\yyyyyyyy\AppData\Local\Palo Alto Networks\GlobalProtect\PanPortalCfg_zzzzzzzzzzzzz.dat
(P5480-T8720)Debug(8550): 
17:25:18:770 cannot restore last portal config from file C:\Users\yyyyyyyy\AppData\Local\Palo Alto Networks\GlobalProtect\PanPortalCfg_zzzzzzzzzzzzz.dat.
17:25:18:770 portal status is Invalid portal.. 
17:25:18:770 --Set state to Disconnected
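
To triage this symptom across collected PanGPA.log files, the following added example (not Palo Alto Networks code) finds each 'tampered' message and pulls the portal, missing cache file and Windows profile from the lines after it. The function name, the 12-line window and the second event in the sample are assumptions; the message texts are taken from the excerpt above.

```python
import re

# Excerpt from this article plus a constructed second event with no disconnect.
SAMPLE_LOG = r"""17:25:18:770 Cached portal configuration is tampered.
17:25:18:770 Setting debug level to 5
17:25:18:770 Failed to get portal config from portal xxxxx.gpcloudservice.com.
17:25:18:770 Try to restore last portal config from file.
17:25:18:770 pan_read_text_from_file(): File does not exist. File: C:\Users\yyyyyyyy\AppData\Local\Palo Alto Networks\GlobalProtect\PanPortalCfg_zzzzzzzzzzzzz.dat
(P5480-T8720)Debug(8550):
17:25:18:770 cannot restore last portal config from file C:\Users\yyyyyyyy\AppData\Local\Palo Alto Networks\GlobalProtect\PanPortalCfg_zzzzzzzzzzzzz.dat.
17:25:18:770 portal status is Invalid portal..
17:25:18:770 --Set state to Disconnected
17:31:02:114 Cached portal configuration is tampered.
17:31:02:114 Setting debug level to 5
"""

LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{3}) (.*)$")
PORTAL = re.compile(r"Failed to get portal config from portal (\S+?)\.?$")
CACHE = re.compile(r"cannot restore last portal config from file (.+?\.dat)")
PROFILE = re.compile(r"\\Users\\([^\\]+)\\")

def find_tamper_events(text, window=12):
    """Return one dict per 'tampered' message, filled from the lines that follow it."""
    events, current, age = [], None, 0
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # prefix-only lines such as "(P5480-T8720)Debug(8550):"
        stamp, msg = m.groups()
        if "Cached portal configuration is tampered" in msg:
            current = {"time": stamp, "portal": None, "cache_file": None,
                       "windows_profile": None, "disconnected": False}
            events.append(current)
            age = 0
            continue
        age += 1
        if current is None or age > window:
            current = None  # lines this far from the message are treated as unrelated
            continue
        if (p := PORTAL.search(msg)):
            current["portal"] = p.group(1)
        elif (c := CACHE.search(msg)):
            current["cache_file"] = c.group(1)
            u = PROFILE.search(c.group(1))
            current["windows_profile"] = u.group(1) if u else None
        elif msg == "--Set state to Disconnected":
            current["disconnected"] = True
            current = None  # event complete
    return events
```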


Environment


  • GlobalProtect (GP) App
  • Version less than 6.1.2
  • Windows login using fingerprint


Cause


  • Two Windows users sharing the same Windows machine and the same GlobalProtect user name is an invalid use case.
  • The GlobalProtect app remembers the fingerprint of the cached portal config for each GlobalProtect user name.
  • In this case, both Windows users on the machine use the same GP user name.
  • As a result, the fingerprint of one user's cached portal config is used to verify the other user's cached portal config.
  • The verification therefore fails, and GP treats the cached portal config as tampered with.
  • Example: When authenticating users with a client certificate, create a client certificate for each Windows user with a different username, either in the Common Name of the Subject field or in the email/principal name of the SAN field.


Resolution


  1. We implemented the code change in GPC-16135 in GlobalProtect App versions 6.1.2 and 5.2.13, which mitigates the disconnection issue.
  2. As a workaround, Windows users can each use their own GlobalProtect username on the same machine when fingerprint is used for Windows login.

