macOS fails SAML authentication with the embedded browser when TLS_RSA_WITH_AES_256_CBC_SHA256 is used


13979
Created On 09/15/22 03:42 AM - Last Modified 05/29/25 03:08 AM


Symptom


  • Only macOS endpoints fail, with the following errors in GP dump-level logs:
<PanGPS>
P61363-T20231 06/29/2022 10:07:19:164 Debug(7270): prelogin to portal result is 
<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Success</status>
<ccusername></ccusername>
<autosubmit>false</autosubmit>
<msg></msg>
<newmsg></newmsg>
<authentication-message>Enter login credentials</authentication-message>
<username-label>Username</username-label>
<password-label>Password</password-label>
<panos-version>1</panos-version>
<saml-default-browser>yes</saml-default-browser><saml-auth-status>0</saml-auth-status>
<saml-auth-method>POST</saml-auth-method>
<saml-request-timeout>600</saml-request-timeout>
<saml-request-id>0</saml-request-id><saml-request>PGh0bWw+Cjxib2R5Pgo8Zm9ybSBpZD0ibXlmb3JtIiBtZXRob2Q9IlBPU1QiIGFjdGlvbj0iaHR0cHM6Ly9zc28uY29ycC5lYmF5LmNvbS9pZHAvU1NPLnNhbWwyIj4KPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0iU0FNTFJlcXVlc3QiIHZhbHVlPSJQSE5oYld4d09rRjFkR2h1VW1WeGRXVnpkQ0I0Yld4dWN6cHpZVzFzY0QwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09uQnliM1J2WTI5c0lpQkJjM05sY25ScGIyNURiMjV6ZFcxbGNsTmxjblpwWTJWVlVrdzlJbWgwZEhCek9pOHZZMkYwYVc5dUxXTnVMbU52Y25BdVpXSmhlUzVqYjIwNk5EUXpMMU5CVFV3eU1DOVRVQzlCUTFNaUlFUmxjM1JwYm1GMGFXOXVQU0pvZEhSd2N6b3ZMM056Ynk1amIzSndMbVZpWVhrdVkyOXRMMmxrY0M5VFUwOHVjMkZ0YkRJaUlFbEVQU0pmTmpNek1UQXlNMlJqWmpWaE1qSTJZVGsyWWpVellXUTJPVFkyTldRME5XRWlJRWx6YzNWbFNXNXpkR0Z1ZEQwaU1qQXlNaTB3TmkweU9WUXhOem93T0RveU1sb2lJRkJ5YjNSdlkyOXNRbWx1WkdsdVp6MGlkWEp1T205aGMybHpPbTVoYldWek9uUmpPbE5CVFV3Nk1pNHdPbUpwYm1ScGJtZHpPa2hVVkZBdFVFOVRWQ0lnVm1WeWMybHZiajBpTWk0d0lqNDhjMkZ0YkRwSmMzTjFaWElnZUcxc2JuTTZjMkZ0YkQwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09tRnpjMlZ5ZEdsdmJpSSthSFIwY0hNNkx5OWpZWFJwYjI0dFkyNHVZMjl5Y0M1bFltRjVMbU52YlRvME5ETXZVMEZOVERJd0wxTlFQQzl6WVcxc09rbHpjM1ZsY2o0OEwzTmhiV3h3T2tGMWRHaHVVbVZ4ZFdWemREND0iIC8+CjxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9IlJlbGF5U3RhdGUiIHZhbHVlPSJGOVVQQUxrMmpXRTVOVFl6WXpsaFlXSTRaV1UzTnpCaU1EVm1Oak14WlRkbFlUWm1NVE16Tnc9PSIgLz4KPC9mb3JtPgo8c2NyaXB0PgogIGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdteWZvcm0nKS5zdWJtaXQoKTsKPC9zY3JpcHQ+CjwvYm9keT4KPC9odG1sPg0K</saml-request><region>US</region>
</prelogin-response>
P61363-T20231 06/29/2022 10:07:19:164 Debug(7311): REGION-PRIO, region code is US
P61363-T20231 06/29/2022 10:07:19:166 Dump (  59): try root_lock
P61363-T20231 06/29/2022 10:07:19:166 Dump (  64): root_lock uid:110215223, euid:0
P61363-T20231 06/29/2022 10:07:19:168 Dump (  72): root_unlock uid:110215223, euid:0 has_lock:1
P61363-T20231 06/29/2022 10:07:19:168 Debug(13297): REGION-PRIO, save region code US
P61363-T20231 06/29/2022 10:07:19:168 Debug(7330): Portal's saml auth status 0
P61363-T20231 06/29/2022 10:07:19:168 Debug(7339): Portal's saml auth method POST
P61363-T20231 06/29/2022 10:07:19:168 Debug(7349): Portal's saml-request PGh0bWw+Cjxib2R5Pgo8Zm9ybSBpZD0ibXlmb3JtIiBtZXRob2Q9IlBPU1QiIGFjdGlvbj0iaHR0cHM6Ly9zc28uY29ycC5lYmF5LmNvbS9pZHAvU1NPLnNhbWwyIj4KPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0iU0FNTFJlcXVlc3QiIHZhbHVlPSJQSE5oYld4d09rRjFkR2h1VW1WeGRXVnpkQ0I0Yld4dWN6cHpZVzFzY0QwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09uQnliM1J2WTI5c0lpQkJjM05sY25ScGIyNURiMjV6ZFcxbGNsTmxjblpwWTJWVlVrdzlJbWgwZEhCek9pOHZZMkYwYVc5dUxXTnVMbU52Y25BdVpXSmhlUzVqYjIwNk5EUXpMMU5CVFV3eU1DOVRVQzlCUTFNaUlFUmxjM1JwYm1GMGFXOXVQU0pvZEhSd2N6b3ZMM056Ynk1amIzSndMbVZpWVhrdVkyOXRMMmxrY0M5VFUwOHVjMkZ0YkRJaUlFbEVQU0pmTmpNek1UQXlNMlJqWmpWaE1qSTJZVGsyWWpVellXUTJPVFkyTldRME5XRWlJRWx6YzNWbFNXNXpkR0Z1ZEQwaU1qQXlNaTB3TmkweU9WUXhOem93T0RveU1sb2lJRkJ5YjNSdlkyOXNRbWx1WkdsdVp6MGlkWEp1T205aGMybHpPbTVoYldWek9uUmpPbE5CVFV3Nk1pNHdPbUpwYm1ScGJtZHpPa2hVVkZBdFVFOVRWQ0lnVm1WeWMybHZiajBpTWk0d0lqNDhjMkZ0YkRwSmMzTjFaWElnZUcxc2JuTTZjMkZ0YkQwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09tRnpjMlZ5ZEdsdmJpSSthSFIwY0hNNkx5OWpZWFJwYjI0dFkyNHVZMjl5Y0M1bFltRjVMbU52YlRvME5ETXZVMEZOVERJd0wxTlFQQzl6WVcxc09rbHpjM1ZsY2o0OEwzTmhiV3h3T2tGMWRHaHVVbVZ4ZFdWemREND0iIC8+CjxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9IlJlbGF5U3RhdGUiIHZhbHVlPSJGOVVQQUxrMmpXRTVOVFl6WXpsaFlXSTRaV1UzTnpCaU1EVm1Oak14WlRkbFlUWm1NVE16Tnc9PSIgLz4KPC9mb3JtPgo8c2NyaXB0PgogIGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdteWZvcm0nKS5zdWJtaXQoKTsKPC9zY3JpcHQ+CjwvYm9keT4KPC9odG1sPg0K
P61363-T20231 06/29/2022 10:07:19:168 Dump (7361): No prelogin-cookie.
P61363-T20231 06/29/2022 10:07:19:168 Dump (7371): No saml-chrome-sso-support.
P61363-T20231 06/29/2022 10:07:19:168 Debug(7378): Portal's saml default browser support = yes
P61363-T20231 06/29/2022 10:07:19:168 Debug(7389): Portal's saml request id 0
P61363-T20231 06/29/2022 10:07:19:169 Debug(7398): Portal authentication-message is Enter login credentials
P61363-T20231 06/29/2022 10:07:19:169 Debug(7414): autosubmit is false
P61363-T20231 06/29/2022 10:07:19:169 Dump (7430): m_bAuthApi is false
P61363-T20231 06/29/2022 10:07:19:169 Debug(9088): ----Portal Login starts----
P61363-T20231 06/29/2022 10:07:19:169 Dump (1353): Portal user auth cookie file name is /Users/[username]/Library/Application
[Lines omitted for brevity]
P61363-T20231 06/29/2022 10:08:01:796 Info ( 531): msgtype = gateway-credential-cancel
P61363-T20231 06/29/2022 10:08:01:796 Dump ( 540): Received following message from UI
<request><type>gateway-credential-cancel</type></request>
P61363-T20231 06/29/2022 10:08:01:796 Debug(3941): ServerThread: ProcessServerCancelGatewayLogin
P61363-T20231 06/29/2022 10:08:01:796 Debug(3957): Set cancel gateway login event.
P61363-T20231 06/29/2022 10:08:01:796 Dump (1016): status is Disconnected
P61363-T35087 06/29/2022 10:08:01:796 Debug(11173): Got cancel gateway login event while waiting for challenge event for gateway examplegateway.com
P61363-T20231 06/29/2022 10:08:01:796 Dump (1063): stats.b_connected is 0, GetBestGateway is NULL. 
P61363-T20231 06/29/2022 10:08:01:796 Dump (1832): On-Demand mode. Always sends external gateway list to PanGPA.
P61363-T20231 06/29/2022 10:08:01:796 Dump (1859): add external-gateway examplegateway.com
P61363-T20231 06/29/2022 10:08:01:796 Dump (5628): Add pre vpn connect error _
P61363-T35087 06/29/2022 10:08:01:796 Debug(11191): HandleGatewayChallenge returns 1
P61363-T35087 06/29/2022 10:08:01:796 Debug(3746): HandleGatewayChallenge returns TRUE. Gateway saml login issue
P61363-T35087 06/29/2022 10:08:01:796 Debug(3757): User canceled login to gateway examplegateway.com.
P61363-T35087 06/29/2022 10:08:01:796 Info (2633): Failed to retrieve info for gateway examplegateway.com.
P61363-T35087 06/29/2022 10:08:01:796 Debug(2644): tunnel to examplegateway.com is not created
<PanGPA>
P61365-T6927  06/29/2022 10:07:19:197 Debug( 353): Receive gps message with type saml-pre-login.
P61365-T6927  06/29/2022 10:07:19:197 Debug( 276): message type from the service = saml-pre-login 
[Lines omitted for brevity]
P61365-T259   06/29/2022 10:07:40:591 Debug( 795): needsToShowRetryView called 
P61365-T259   06/29/2022 10:07:41:614 Debug( 795): needsToShowRetryView called 
P61365-T6927  06/29/2022 10:07:41:658 Dump ( 513): select() time out.
P61365-T259   06/29/2022 10:07:41:953 Debug( 224): didFailProvisionalLoadWithError - An SSL error has occurred and a secure connection to the server cannot be made. 
[Lines omitted for brevity]
P61365-T29455 06/29/2022 10:07:41:978 Debug(1342): Send command to Pan Service
P61365-T29455 06/29/2022 10:07:41:978 Debug(1359): Command = <request><type>portal</type><portal>exampleportal.com</portal><pid>61365</pid><user>[example username]</user><passwd>*</passwd><path>/Users/[username]/Library/Application Support/PaloAltoNetworks/GlobalProtect</path><checkupdate>no</checkupdate><allow-cached-portal>yes</allow-cached-portal><remember-me>yes</remember-me><retrieve-cache-only>no</retrieve-cache-only><manual-select-gateway-ip></manual-select-gateway-ip><portal-certificate-verification>yes</portal-certificate-verification><win-user>[example username]</win-user><user-profile-type>0</user-profile-type><preferred-gateway></preferred-gateway><preferred-gateway-address></preferred-gateway-address><saved-user>[example username]</saved-user><saved-passwd></saved-passwd><portal-2fa>no</portal-2fa><prelogin-cookie>0</prelogin-cookie><saml-username>[example username]</saml-username><saml-auth-status>0</saml-auth-status><saml-auth-error>Could not connect to the authentication server.  Check your internet connection and try again. If the issue persists, contact your administrator.</saml-auth-error><saml-load-cache>2</saml-load-cache><use-ssl-tunnel>no</use-ssl-tunnel><gid>20</gid><domain></domain><default-browser>0</default-browser></request>
P61365-T29455 06/29/2022 10:07:41:978 Debug(1427): PanClient sent successful with 1216 bytes
P61365-T6927  06/29/2022 10:07:42:222 Dump ( 508): socket ready for read
P61365-T6927  06/29/2022 10:07:42:222 Debug( 121): Received data from Pan Service
P61365-T29455 06/29/2022 10:07:42:223 Debug(1342): Send command to Pan Service
P61365-T6927  06/29/2022 10:07:42:223 Debug(1794): HandleResponse(): failed to get network type from the service response.
P61365-T29455 06/29/2022 10:07:42:223 Debug(1370): Command = <request><type>troubleshooting-log</type><error>Could not connect to the authentication server.  Check your internet connection and try again. If the issue persists, contact your administrator.</error><error-details>Could not connect to the authentication server.  Check your internet connection and try again. If the issue persists, contact your administrator.</error-details></request>
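Added triage example (not part of the article and not Palo Alto Networks code): a small Python parser for the PanGPS/PanGPA log format shown above that flags the signature of this issue, an SSL load failure reported by the embedded browser (didFailProvisionalLoadWithError) while the portal request still carries default-browser 0. The sample lines are constructed, modelled on the excerpt.

```python
import re

# Constructed sample, modelled on the PanGPS/PanGPA excerpt above (not a real capture).
SAMPLE_LOG = """\
<PanGPS>
P61363-T20231 06/29/2022 10:07:19:168 Debug(7378): Portal's saml default browser support = yes
P61363-T20231 06/29/2022 10:07:19:169 Debug(9088): ----Portal Login starts----
<PanGPA>
P61365-T259   06/29/2022 10:07:41:953 Debug( 224): didFailProvisionalLoadWithError - An SSL error has occurred and a secure connection to the server cannot be made.
P61365-T29455 06/29/2022 10:07:41:978 Debug(1359): Command = <request><type>portal</type><portal>exampleportal.com</portal><default-browser>0</default-browser></request>
"""

# PID-TID, date, time, level, source line, message
LINE_RE = re.compile(r"^P(\d+)-T(\d+)\s+(\S+ \S+)\s+(\w+)\s*\(\s*\d+\):\s*(.*)$")


def parse_gp_log(text):
    """Yield (section, level, message) per log line; section is PanGPS or PanGPA."""
    section = None
    for raw in text.splitlines():
        if raw.strip() in ("<PanGPS>", "<PanGPA>"):
            section = raw.strip().strip("<>")
            continue
        m = LINE_RE.match(raw)
        if m:
            yield section, m.group(4), m.group(5)


def triage_saml_ssl_failure(text):
    """Return findings and whether the log matches the embedded-browser SSL failure."""
    findings = {"ssl_error": False, "embedded_browser": False, "portal_default_browser": False}
    for section, _level, msg in parse_gp_log(text):
        if section == "PanGPA" and "didFailProvisionalLoadWithError" in msg and "SSL error" in msg:
            findings["ssl_error"] = True            # embedded WebView could not complete TLS
        if section == "PanGPA" and "<default-browser>0</default-browser>" in msg:
            findings["embedded_browser"] = True     # client ran SAML in the embedded browser
        if section == "PanGPS" and "saml default browser support = yes" in msg:
            findings["portal_default_browser"] = True  # portal would allow the default browser
    findings["matches"] = findings["ssl_error"] and findings["embedded_browser"]
    findings["action"] = (
        "Enable 'Use Default Browser for SAML Authentication' in the portal agent config"
        if findings["matches"] else "No embedded-browser SSL failure signature found"
    )
    return findings


if __name__ == "__main__":
    print(triage_saml_ssl_failure(SAMPLE_LOG))
```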




Environment


  • macOS endpoints
  • GlobalProtect configured to use the embedded browser instead of the default browser


Cause


  • Apple suspects this is related to the reuse of the same TLS session cache between NSURLConnection and UIWebView
  • Disabling the use of RSA entirely can cause problems with Apple ATS


Resolution


  1. Because this is a macOS limitation, the only resolution from Palo Alto Networks is to use the default browser setting on the App tab of the GlobalProtect Portal
  2. You can enable this by navigating to Network > GlobalProtect > Portals > [select portal] > Agent > [select agent configuration] > App and setting "Use Default Browser for SAML Authentication" to "Yes"
Note: See the following document for the complete list of steps


Additional Information



