GlobalProtect fails to connect to the Portal, and error -2146892987 is seen in the PanGPS.logs


20223
Created On 05/30/22 09:03 AM - Last Modified 10/28/25 16:32 PM


Symptom


  • GlobalProtect fails to connect to the Portal
  • The client is looping between "Retrieving Configuration" and "Invalid Portal".
  • The following error is seen in PanGPS.log: 'encrypt memory failed with error -2146892987'


Environment


  • GlobalProtect Portal
  • Microsoft Windows
  • All PAN-OS Versions
  • All GlobalProtect Versions


Cause


When GlobalProtect retrieves a Portal Configuration, for security purposes it is encrypted in memory and then written to disk.

These logs show that there was a failure to encrypt the config in memory, which prevented the config from being saved to file.
(P8568-T15916)Error( 466): 05/06/22 16:41:19:014 encrypt memory failed with error -2146892987
(P8568-T15916)Error( 336): 05/06/22 16:41:19:019 pan_write_text_to_file(): failed to encrypt conent. File C:\Program Files\Palo Alto Networks\GlobalProtect\PanPortalCfgCriteria_67ea712124a1e4f24eae0bae8a.dat is not written.
(P8568-T15916)Error( 364): 05/06/22 16:41:19:019 Failed to save portal config criteria to file C:\Program Files\Palo Alto Networks\GlobalProtect\PanPortalCfgCriteria_67ea712124a1e4f24eae0bae8a.dat.

GlobalProtect uses the Microsoft Data Protection API to encrypt memory and data. This error was generated by the Windows DPAPI.
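The following PowerShell script is an added triage example, not code from the Palo Alto Networks article or from GlobalProtect. It scans a PanGPS.log for the DPAPI failure described above, reports the signed decimal code together with its unsigned HRESULT form (the notation Microsoft documentation uses), and shows whether the failure prevented the portal config criteria file from being written. The log path is the default GlobalProtect install location and is an assumption; the embedded sample lines are constructed from the article's excerpt and are only used when no real log is present.

```powershell
# Added example (not from the article): triage PanGPS.log for DPAPI encrypt failures.
# Assumption: default GlobalProtect install path; change $LogPath if your deployment differs.
$LogPath = 'C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.log'

# Constructed sample mirroring the article's excerpt, used only when the real log is absent.
$SampleLog = @'
(P8568-T15916)Error( 466): 05/06/22 16:41:19:014 encrypt memory failed with error -2146892987
(P8568-T15916)Error( 336): 05/06/22 16:41:19:019 pan_write_text_to_file(): failed to encrypt conent. File C:\Program Files\Palo Alto Networks\GlobalProtect\PanPortalCfgCriteria_67ea712124a1e4f24eae0bae8a.dat is not written.
(P8568-T15916)Error( 364): 05/06/22 16:41:19:019 Failed to save portal config criteria to file C:\Program Files\Palo Alto Networks\GlobalProtect\PanPortalCfgCriteria_67ea712124a1e4f24eae0bae8a.dat.
'@ -split "`r?`n"

$Lines = if (Test-Path $LogPath) { Get-Content -Path $LogPath } else { $SampleLog }

# DPAPI returns a signed 32-bit HRESULT; PanGPS logs it as a negative decimal.
$Pattern = 'encrypt memory failed with error (-?\d+)'

$Hits = foreach ($line in $Lines) {
    if ($line -match $Pattern) {
        $code = [int64]$Matches[1]
        [pscustomobject]@{
            Decimal = $code
            # Mask to 32 bits so -2146892987 is shown as 0x80090345, the form used in Microsoft docs.
            Hex     = '0x{0:X8}' -f ([uint32]($code -band 0xFFFFFFFF))
            Line    = $line
        }
    }
}

if ($Hits) {
    Write-Host "Found $(@($Hits).Count) DPAPI encrypt failure(s):"
    $Hits | Format-Table Decimal, Hex, Line -AutoSize

    # Confirm the downstream effect the article describes: the portal config was never saved.
    $NotSaved = $Lines | Where-Object { $_ -match 'Failed to save portal config criteria' }
    if ($NotSaved) {
        Write-Host 'Portal configuration was not written to disk because of the failure above:'
        $NotSaved | ForEach-Object { Write-Host "  $_" }
    }
} else {
    Write-Host 'No DPAPI encrypt failures found; this article does not apply to this log.'
}
```

Because the decimal value in the log is the same HRESULT DPAPI handed back to the client, the hex conversion lets you search Microsoft documentation directly rather than for the negative number.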


Resolution


Microsoft provides multiple resolutions, depending on whether or not the end user has access to a read-write domain controller (RWDC).

Please see the Microsoft Documentation for details of the fixes.
DPAPI MasterKey backup failures - Windows Server | Microsoft Docs

Without access to an RWDC, the following registry key can be added so that domain users on that machine use a local master key backup instead of a domain-based backup.

Registry Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb
Type: REG_DWORD
Name: ProtectionPolicy
Value: 1


A reboot is required.
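The following PowerShell script is an added example, not code from the article, showing how to apply and verify the ProtectionPolicy workaround above from an elevated session. It exports the provider key to a .reg file before changing it so the setting can be reverted once RWDC access is restored; the backup file name and location are assumptions. As the article states, the value only takes effect after a reboot.

```powershell
# Added example (not from the article): set ProtectionPolicy = 1 on the DPAPI provider key.
# Run elevated. The key path and value come from the article; the backup path is an assumption.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb'
$RegExportPath = 'HKLM\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb'
$Name    = 'ProtectionPolicy'
$Desired = 1

# Refuse to continue without administrative rights; HKLM writes will otherwise fail silently or throw.
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this script from an elevated PowerShell session.' }

$current = (Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue).$Name
if ($current -eq $Desired) {
    Write-Host "$Name is already $Desired; nothing to change. Reboot if you have not since setting it."
    return
}

# Keep a copy of the previous state so the domain-backup behaviour can be restored later.
$Backup = Join-Path $env:TEMP 'dpapi-protect-provider-before.reg'
& reg.exe export $RegExportPath $Backup /y | Out-Null
Write-Host "Previous key state exported to $Backup (previous $Name value: $(if ($null -eq $current) { '<not set>' } else { $current }))"

if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
New-ItemProperty -Path $KeyPath -Name $Name -PropertyType DWord -Value $Desired -Force | Out-Null

# Verify the write actually landed before telling the operator to reboot.
$after = (Get-ItemProperty -Path $KeyPath -Name $Name).$Name
if ($after -ne $Desired) { throw "Failed to set $Name: expected $Desired, found $after" }

Write-Host "$Name set to $Desired under $KeyPath. A reboot is required for GlobalProtect to pick this up."
```

With ProtectionPolicy set to 1 the user's DPAPI master key is backed up locally only, which is what makes the workaround function offline; once users regularly reach an RWDC again, importing the exported .reg file restores the domain-backed behaviour.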

Note: Since the issue is related to domain users, running PanGPA with a local machine account can work around the issue.



Additional Information


When a domain user logs on to a computer for the first time and tries to encrypt data for the first time, the operating system must create a preferred DPAPI MasterKey, which is based on the user's current password. During the creation of the DPAPI MasterKey, an attempt is made to back up this master key by contacting an RWDC. If the backup fails, the MasterKey cannot be created.

Microsoft patches appear able to trigger this behaviour. In our case study, KB5012599 was identified as a possible trigger.

In remote working scenarios, end users typically do not have access to a read-write domain controller before connecting to GlobalProtect.

DPAPI MasterKey backup failures - Windows Server | Microsoft Docs 

Note: Communication with domain controllers is necessary to obtain the keys required for encrypting and decrypting the DPAPI files. In environments where GP enforcer is used, the machine might attempt to communicate with a domain controller that isn't included in the GP enforcement exceptions list.


Please ensure all DCs are added to the GP enforcement exception list to prevent this error.
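The following PowerShell script is an added example, not code from the article, for building the list of domain controllers that the exception list above needs to cover. It enumerates the DCs of the machine's domain with their addresses, marks which are read-write where the RSAT ActiveDirectory module is available (DPAPI backup needs an RWDC, as the article explains), and probes LDAP on TCP 389 as a reachability check. It assumes a domain-joined host with at least one DC currently reachable; the choice of port 389 as the probe is an assumption.

```powershell
# Added example (not from the article): enumerate DCs to cross-check the GP enforcement exception list.
# Assumptions: domain-joined host, a DC reachable now; RSAT AD module is optional.

if (Get-Command Get-ADDomainController -ErrorAction SilentlyContinue) {
    # RSAT ActiveDirectory module present: it distinguishes RWDCs from RODCs directly.
    $dcs = Get-ADDomainController -Filter * | ForEach-Object {
        [pscustomobject]@{
            Name     = $_.HostName
            Site     = $_.Site
            IPv4     = $_.IPv4Address
            Writable = -not $_.IsReadOnly
        }
    }
} else {
    # Fallback via .NET: no RODC flag here, so Writable is reported as unknown.
    try {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    } catch {
        throw "Not domain-joined or no domain controller reachable: $($_.Exception.Message)"
    }
    $dcs = foreach ($dc in $domain.DomainControllers) {
        $ips = @()
        try {
            $ips = [System.Net.Dns]::GetHostAddresses($dc.Name) |
                   Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                   ForEach-Object { $_.IPAddressToString }
        } catch { }
        [pscustomobject]@{
            Name     = $dc.Name
            Site     = $dc.SiteName
            IPv4     = ($ips -join ', ')
            Writable = 'unknown'
        }
    }
}

# LDAP reachability is a reasonable proxy for "could this client back up its MasterKey here".
$report = foreach ($dc in $dcs) {
    $reachable = Test-NetConnection -ComputerName $dc.Name -Port 389 `
                     -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{
        Name      = $dc.Name
        Site      = $dc.Site
        IPv4      = $dc.IPv4
        Writable  = $dc.Writable
        Ldap389   = $reachable
    }
}

$report | Sort-Object Site, Name | Format-Table -AutoSize

# Both the FQDN and the address need to be in the exception list; an entry missing from
# that list shows up as a DC that is unreachable while GlobalProtect enforcement is active.
$report | ForEach-Object { '{0} {1}' -f $_.Name, $_.IPv4 } | Set-Content -Path (Join-Path $env:TEMP 'dc-exception-candidates.txt')
Write-Host "Candidate exception entries written to $(Join-Path $env:TEMP 'dc-exception-candidates.txt')"
```

Running this once from inside the network (where DCs are reachable) and once from a remote host with enforcement active makes the gap obvious: any DC that is reachable in the first run and not in the second is a candidate for the exception list.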



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sYfkCAE&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail