User is prompted for authentication to GP Portal or Gateway even when User Authentication Override Cookie is valid
Created On 03/28/23 08:11 AM - Last Modified 03/12/24 07:43 PM
Symptom
- A User Authentication Override Cookie was previously received by the client and is still valid (within the configured accept lifetime).
- The user is nevertheless prompted to authenticate to the GlobalProtect Portal or Gateway.
Environment
- Palo Alto Firewalls
- GlobalProtect
- PAN-OS versions 10.1 and earlier.
- Generate Cookie is not enabled on the Portal, on the Gateway, or on both.
Cause
General cookie operation:
- The client sends its stored (non-empty) user authentication override cookie, if one exists for the specific Portal name and username, with every authentication request.
- The server side (Portal or Gateway) decides whether to accept or ignore the cookie.
- The server returns (reflects) a cookie to the client whether or not it accepted it, and the client overwrites its cookie file with the returned value. This is what makes clearing possible: a server that returns an empty cookie wipes the client's copy.
- The server returns a newly generated cookie when "regular" authentication (based on the Authentication Profile) has been performed and the Generate Cookie option is enabled.
Under the circumstances listed below, the server side can clear (empty) the existing user authentication override cookie on the client.
PAN-OS 10.1 and earlier
- Accept Cookie is enabled and Generate Cookie is not, but the cookie has expired, or there is a Host-ID mismatch, or there is a Source IP mismatch (Gateway only, depending on the "Restrict Authentication Cookie Usage" settings).
- (Portal only) Neither Accept Cookie nor Generate Cookie is enabled.
- Accept Cookie is enabled and Generate Cookie is not for the configuration matched initially (based on the username only, without domain), but the subsequent configuration lookup, using the username and, where present, the domain extracted from the cookie, matches a configuration where neither Accept Cookie nor Generate Cookie is enabled.
PAN-OS 10.2 and above
The server side (Portal or Gateway) only reflects or generates a user authentication override cookie, depending on its configuration. It never clears (empties) an existing cookie.
This allows the following scenarios:
- Portal and Gateway have different (independent) cookie validation settings. Example: the Portal always performs authentication and makes no use of user authentication override cookies, while the Gateway both generates and accepts them. On PAN-OS 10.1 and earlier the Portal would clear the valid Gateway-issued cookie; on 10.2 and above it is left intact.
- Portal and Gateway have different cookie lifetimes. On PAN-OS 10.1 and earlier the Gateway may clear a cookie that has expired from its perspective even though the same cookie is still valid for the Portal, which has a longer accept lifetime configured; on 10.2 and above the cookie survives.
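The decision rules above can be traced step by step. The following Python model is an added illustration, not PAN-OS code or anything published by Palo Alto Networks: it encodes the 10.1 and 10.2 behaviour described in this article and replays the two scenarios (independent Portal/Gateway cookie settings, and different cookie lifetimes). The names Cookie, CookieConfig, handle_auth and run, the constructed host ID, source IP, portal name and username, and the chosen lifetimes are all assumptions of the model; the third 10.1 clearing case (second configuration lookup by username and domain) is not modelled.

```python
"""Model of GlobalProtect user authentication override cookie handling.

Constructed illustration, not PAN-OS code. It encodes the rules this
article describes: on PAN-OS 10.1 and earlier the server may return an
empty cookie (clearing the client's copy); on 10.2 and above it only
reflects or generates. Cookie, CookieConfig, handle_auth and run are
names assumed for the model.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cookie:
    portal: str
    username: str
    issued_at: int          # seconds since an arbitrary epoch
    host_id: str
    source_ip: str


@dataclass
class CookieConfig:
    accept: bool                       # Accept Cookie for Authentication Override
    generate: bool                     # Generate Cookie for Authentication Override
    accept_lifetime: int               # seconds this server accepts a cookie for
    restrict_host_id: bool = False     # Restrict Authentication Cookie Usage: Host-ID
    restrict_source_ip: bool = False   # Restrict Authentication Cookie Usage: Source IP (Gateway)


def cookie_accepted(cookie: Optional[Cookie], cfg: CookieConfig, now: int,
                    host_id: str, source_ip: str) -> bool:
    """Server-side decision: is the presented cookie accepted?"""
    if cookie is None or not cfg.accept:
        return False
    if now - cookie.issued_at > cfg.accept_lifetime:
        return False                   # expired from this server's perspective
    if cfg.restrict_host_id and cookie.host_id != host_id:
        return False
    if cfg.restrict_source_ip and cookie.source_ip != source_ip:
        return False
    return True


def handle_auth(cfg: CookieConfig, cookie: Optional[Cookie], *, now: int,
                host_id: str, source_ip: str, pan_os: Tuple[int, int],
                is_portal: bool, portal: str, username: str
                ) -> Tuple[bool, Optional[Cookie]]:
    """One Portal/Gateway authentication request.

    Returns (prompted, returned_cookie). The client overwrites its cookie
    file with returned_cookie, so None means the cookie was cleared.
    """
    if cookie_accepted(cookie, cfg, now, host_id, source_ip):
        return False, cookie           # accepted: reflect it, no prompt
    # Not accepted: "regular" authentication via the Authentication Profile.
    if cfg.generate:
        return True, Cookie(portal, username, now, host_id, source_ip)
    if pan_os >= (10, 2):
        return True, cookie            # 10.2+: reflect, never clear
    # PAN-OS 10.1 and earlier with Generate Cookie off: may return empty.
    if cfg.accept and cookie is not None:
        return True, None              # expired / Host-ID / source-IP mismatch
    if is_portal and not cfg.accept:
        return True, None              # Portal only: accept off + generate off
    return True, cookie


def run(portal_cfg: CookieConfig, gateway_cfg: CookieConfig,
        pan_os: Tuple[int, int], times: List[int]) -> List[List[str]]:
    """Replay connections at the given times; list which hops prompted each time."""
    cookie: Optional[Cookie] = None    # client cookie file, initially empty
    log: List[List[str]] = []
    for now in times:
        prompted_hops: List[str] = []
        for tag, cfg, is_portal in (("P", portal_cfg, True), ("G", gateway_cfg, False)):
            prompted, cookie = handle_auth(
                cfg, cookie, now=now, host_id="host-1", source_ip="203.0.113.5",
                pan_os=pan_os, is_portal=is_portal,
                portal="gp.example.test", username="alice")   # constructed values
            if prompted:
                prompted_hops.append(tag)
        log.append(prompted_hops)
    return log


def scenario_independent_settings(pan_os: Tuple[int, int]) -> List[List[str]]:
    """Portal uses no cookies at all; Gateway generates and accepts (24h)."""
    portal = CookieConfig(accept=False, generate=False, accept_lifetime=0)
    gateway = CookieConfig(accept=True, generate=True, accept_lifetime=86400)
    return run(portal, gateway, pan_os, times=[0, 3600])


def scenario_different_lifetimes(pan_os: Tuple[int, int]) -> List[List[str]]:
    """Portal generates/accepts for 24h; Gateway accepts for only 1h, never generates."""
    portal = CookieConfig(accept=True, generate=True, accept_lifetime=86400)
    gateway = CookieConfig(accept=True, generate=False, accept_lifetime=3600)
    return run(portal, gateway, pan_os, times=[0, 7200, 10800])


if __name__ == "__main__":
    for ver in ((10, 1), (10, 2)):
        print(ver, "independent:", scenario_independent_settings(ver))
        print(ver, "lifetimes:  ", scenario_different_lifetimes(ver))
```

In the first scenario the 10.1 Portal empties the Gateway-issued cookie on every connection, so the Gateway prompts every time; on 10.2 only the Portal prompts after the first connection. In the second scenario the 10.1 Gateway clears the cookie once it has expired from its one-hour perspective, so on the third connection the Portal prompts even though the cookie would still have been valid for its 24-hour lifetime, which is exactly the symptom this article describes; on 10.2 the Portal keeps accepting it.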
Resolution
Depending on the scenario:
- Upgrade to PAN-OS 10.2 or later, OR
- Enable the Generate Cookie option on both the Portal and the Gateway, since every clearing case listed above requires it to be disabled; with it enabled, neither side returns an empty cookie.