macOS Fails Authentication Using SAML and Embedded Browser when TLS_RSA_WITH_AES_256_CBC_SHA256 is used

Created On 09/15/22 03:42 AM - Last Modified 05/29/25 03:08 AM


Symptom


  •  Only macOS endpoints fail to authenticate; they log the following errors in the GlobalProtect dump-level logs (PanGPS service and PanGPA UI agent):
<PanGPS>
P61363-T20231 06/29/2022 10:07:19:164 Debug(7270): prelogin to portal result is 
<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Success</status>
<ccusername></ccusername>
<autosubmit>false</autosubmit>
<msg></msg>
<newmsg></newmsg>
<authentication-message>Enter login credentials</authentication-message>
<username-label>Username</username-label>
<password-label>Password</password-label>
<panos-version>1</panos-version>
<saml-default-browser>yes</saml-default-browser><saml-auth-status>0</saml-auth-status>
<saml-auth-method>POST</saml-auth-method>
<saml-request-timeout>600</saml-request-timeout>
<saml-request-id>0</saml-request-id><saml-request>[...]</saml-request><region>US</region>
</prelogin-response>
P61363-T20231 06/29/2022 10:07:19:164 Debug(7311): REGION-PRIO, region code is US
P61363-T20231 06/29/2022 10:07:19:166 Dump (  59): try root_lock
P61363-T20231 06/29/2022 10:07:19:166 Dump (  64): root_lock uid:110215223, euid:0
P61363-T20231 06/29/2022 10:07:19:168 Dump (  72): root_unlock uid:110215223, euid:0 has_lock:1
P61363-T20231 06/29/2022 10:07:19:168 Debug(13297): REGION-PRIO, save region code US
P61363-T20231 06/29/2022 10:07:19:168 Debug(7330): Portal's saml auth status 0
P61363-T20231 06/29/2022 10:07:19:168 Debug(7339): Portal's saml auth method POST
P61363-T20231 06/29/2022 10:07:19:168 Debug(7349): Portal's saml-request PGh0bWw+Cjxib2R5Pgo8Zm9ybSBpZD0ibXlmb3JtIiBtZXRob2Q9IlBPU1QiIGFjdGlvbj0iaHR0cHM6Ly9zc28uY29ycC5lYmF5LmNvbS9pZHAvU1NPLnNhbWwyIj4KPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0iU0FNTFJlcXVlc3QiIHZhbHVlPSJQSE5oYld4d09rRjFkR2h1VW1WeGRXVnpkQ0I0Yld4dWN6cHpZVzFzY0QwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09uQnliM1J2WTI5c0lpQkJjM05sY25ScGIyNURiMjV6ZFcxbGNsTmxjblpwWTJWVlVrdzlJbWgwZEhCek9pOHZZMkYwYVc5dUxXTnVMbU52Y25BdVpXSmhlUzVqYjIwNk5EUXpMMU5CVFV3eU1DOVRVQzlCUTFNaUlFUmxjM1JwYm1GMGFXOXVQU0pvZEhSd2N6b3ZMM056Ynk1amIzSndMbVZpWVhrdVkyOXRMMmxrY0M5VFUwOHVjMkZ0YkRJaUlFbEVQU0pmTmpNek1UQXlNMlJqWmpWaE1qSTJZVGsyWWpVellXUTJPVFkyTldRME5XRWlJRWx6YzNWbFNXNXpkR0Z1ZEQwaU1qQXlNaTB3TmkweU9WUXhOem93T0RveU1sb2lJRkJ5YjNSdlkyOXNRbWx1WkdsdVp6MGlkWEp1T205aGMybHpPbTVoYldWek9uUmpPbE5CVFV3Nk1pNHdPbUpwYm1ScGJtZHpPa2hVVkZBdFVFOVRWQ0lnVm1WeWMybHZiajBpTWk0d0lqNDhjMkZ0YkRwSmMzTjFaWElnZUcxc2JuTTZjMkZ0YkQwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09tRnpjMlZ5ZEdsdmJpSSthSFIwY0hNNkx5OWpZWFJwYjI0dFkyNHVZMjl5Y0M1bFltRjVMbU52YlRvME5ETXZVMEZOVERJd0wxTlFQQzl6WVcxc09rbHpjM1ZsY2o0OEwzTmhiV3h3T2tGMWRHaHVVbVZ4ZFdWemREND0iIC8+CjxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9IlJlbGF5U3RhdGUiIHZhbHVlPSJGOVVQQUxrMmpXRTVOVFl6WXpsaFlXSTRaV1UzTnpCaU1EVm1Oak14WlRkbFlUWm1NVE16Tnc9PSIgLz4KPC9mb3JtPgo8c2NyaXB0PgogIGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdteWZvcm0nKS5zdWJtaXQoKTsKPC9zY3JpcHQ+CjwvYm9keT4KPC9odG1sPg0K
P61363-T20231 06/29/2022 10:07:19:168 Dump (7361): No prelogin-cookie.
P61363-T20231 06/29/2022 10:07:19:168 Dump (7371): No saml-chrome-sso-support.
P61363-T20231 06/29/2022 10:07:19:168 Debug(7378): Portal's saml default browser support = yes
P61363-T20231 06/29/2022 10:07:19:168 Debug(7389): Portal's saml request id 0
P61363-T20231 06/29/2022 10:07:19:169 Debug(7398): Portal authentication-message is Enter login credentials
P61363-T20231 06/29/2022 10:07:19:169 Debug(7414): autosubmit is false
P61363-T20231 06/29/2022 10:07:19:169 Dump (7430): m_bAuthApi is false
P61363-T20231 06/29/2022 10:07:19:169 Debug(9088): ----Portal Login starts----
P61363-T20231 06/29/2022 10:07:19:169 Dump (1353): Portal user auth cookie file name is /Users/[username]/Library/Application
[Lines omitted for brevity]
P61363-T20231 06/29/2022 10:08:01:796 Info ( 531): msgtype = gateway-credential-cancel
P61363-T20231 06/29/2022 10:08:01:796 Dump ( 540): Received following message from UI
<request><type>gateway-credential-cancel</type></request>
P61363-T20231 06/29/2022 10:08:01:796 Debug(3941): ServerThread: ProcessServerCancelGatewayLogin
P61363-T20231 06/29/2022 10:08:01:796 Debug(3957): Set cancel gateway login event.
P61363-T20231 06/29/2022 10:08:01:796 Dump (1016): status is Disconnected
P61363-T35087 06/29/2022 10:08:01:796 Debug(11173): Got cancel gateway login event while waiting for challenge event for gateway examplegateway.com
P61363-T20231 06/29/2022 10:08:01:796 Dump (1063): stats.b_connected is 0, GetBestGateway is NULL. 
P61363-T20231 06/29/2022 10:08:01:796 Dump (1832): On-Demand mode. Always sends external gateway list to PanGPA.
P61363-T20231 06/29/2022 10:08:01:796 Dump (1859): add external-gateway examplegateway.com
P61363-T20231 06/29/2022 10:08:01:796 Dump (5628): Add pre vpn connect error _
P61363-T35087 06/29/2022 10:08:01:796 Debug(11191): HandleGatewayChallenge returns 1
P61363-T35087 06/29/2022 10:08:01:796 Debug(3746): HandleGatewayChallenge returns TRUE. Gateway saml login issue
P61363-T35087 06/29/2022 10:08:01:796 Debug(3757): User canceled login to gateway examplegateway.com.
P61363-T35087 06/29/2022 10:08:01:796 Info (2633): Failed to retrieve info for gateway examplegateway.com.
P61363-T35087 06/29/2022 10:08:01:796 Debug(2644): tunnel to examplegateway.com is not created
<PanGPA>
P61365-T6927  06/29/2022 10:07:19:197 Debug( 353): Receive gps message with type saml-pre-login.
P61365-T6927  06/29/2022 10:07:19:197 Debug( 276): message type from the service = saml-pre-login 
[Lines omitted for brevity]
P61365-T259   06/29/2022 10:07:40:591 Debug( 795): needsToShowRetryView called 
P61365-T259   06/29/2022 10:07:41:614 Debug( 795): needsToShowRetryView called 
P61365-T6927  06/29/2022 10:07:41:658 Dump ( 513): select() time out.
P61365-T259   06/29/2022 10:07:41:953 Debug( 224): didFailProvisionalLoadWithError - An SSL error has occurred and a secure connection to the server cannot be made. 
[Lines omitted for brevity]
P61365-T29455 06/29/2022 10:07:41:978 Debug(1342): Send command to Pan Service
P61365-T29455 06/29/2022 10:07:41:978 Debug(1359): Command = <request><type>portal</type><portal>exampleportal.com</portal><pid>61365</pid><user>[example username]</user><passwd>*</passwd><path>/Users/[username]/Library/Application Support/PaloAltoNetworks/GlobalProtect</path><checkupdate>no</checkupdate><allow-cached-portal>yes</allow-cached-portal><remember-me>yes</remember-me><retrieve-cache-only>no</retrieve-cache-only><manual-select-gateway-ip></manual-select-gateway-ip><portal-certificate-verification>yes</portal-certificate-verification><win-user>[example username]</win-user><user-profile-type>0</user-profile-type><preferred-gateway></preferred-gateway><preferred-gateway-address></preferred-gateway-address><saved-user>[example username]</saved-user><saved-passwd></saved-passwd><portal-2fa>no</portal-2fa><prelogin-cookie>0</prelogin-cookie><saml-username>[example username]</saml-username><saml-auth-status>0</saml-auth-status><saml-auth-error>Could not connect to the authentication server.  Check your internet connection and try again. If the issue persists, contact your administrator.</saml-auth-error><saml-load-cache>2</saml-load-cache><use-ssl-tunnel>no</use-ssl-tunnel><gid>20</gid><domain></domain><default-browser>0</default-browser></request>
P61365-T29455 06/29/2022 10:07:41:978 Debug(1427): PanClient sent successful with 1216 bytes
P61365-T6927  06/29/2022 10:07:42:222 Dump ( 508): socket ready for read
P61365-T6927  06/29/2022 10:07:42:222 Debug( 121): Received data from Pan Service
P61365-T29455 06/29/2022 10:07:42:223 Debug(1342): Send command to Pan Service
P61365-T6927  06/29/2022 10:07:42:223 Debug(1794): HandleResponse(): failed to get network type from the service response.
P61365-T29455 06/29/2022 10:07:42:223 Debug(1370): Command = <request><type>troubleshooting-log</type><error>Could not connect to the authentication server.  Check your internet connection and try again. If the issue persists, contact your administrator.</error><error-details>Could not connect to the authentication server.  Check your internet connection and try again. If the issue persists, contact your administrator.</error-details></request>
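The failure above is easy to misread because the user-visible message ("Could not connect to the authentication server") is generic; the actual evidence is the PanGPA WebView SSL error together with the agent reporting `<default-browser>0</default-browser>`, and the host whose TLS handshake fails is only visible inside the base64 `Portal's saml-request` blob. The following Python triage helper is an added example written for this article, not Palo Alto Networks code: it scans a PanGPS/PanGPA excerpt for those three indicators and decodes the saml-request (outer base64 wrapping an auto-submit HTML form whose SAMLRequest field is itself base64) to recover the IdP SSO URL. The log lines and the SAML request it contains are constructed samples with placeholder hosts (idp.example.com, exampleportal.com); the function and variable names are the example's own.

```python
"""Triage helper for the failure described above.

Added example for this article; it is not Palo Alto Networks code. It scans a
PanGPS/PanGPA log excerpt for the three indicators shown in the Symptom section
(agent using the embedded browser, the WebView SSL error, the generic
"Could not connect to the authentication server" message) and decodes the
"Portal's saml-request" blob so the IdP host the embedded browser is actually
handshaking with is visible. All sample data below is constructed.
"""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# --- constructed sample data (shaped like the article's log, not copied from it) ---
_AUTHN_REQUEST_XML = (
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'AssertionConsumerServiceURL="https://exampleportal.com:443/SAML20/SP/ACS" '
    b'Destination="https://idp.example.com/idp/SSO.saml2" ID="_abc123" '
    b'Version="2.0"></samlp:AuthnRequest>'
)
# HTTP-POST binding: the SAMLRequest form field is plain base64 of the XML.
SAMPLE_SAML_HTML = (
    "<html>\n<body>\n"
    '<form id="myform" method="POST" action="https://idp.example.com/idp/SSO.saml2">\n'
    '<input type="hidden" name="SAMLRequest" value="'
    + base64.b64encode(_AUTHN_REQUEST_XML).decode()
    + '" />\n'
    '<input type="hidden" name="RelayState" value="abc" />\n'
    "</form>\n<script>\n  document.getElementById('myform').submit();\n</script>\n"
    "</body>\n</html>\r\n"
)
# The portal wraps that whole HTML page in a second layer of base64; this is what
# PanGPS logs after "Portal's saml-request".
SAMPLE_SAML_REQUEST_B64 = base64.b64encode(SAMPLE_SAML_HTML.encode()).decode()

SAMPLE_LOG = f"""
<PanGPS>
P61363-T20231 06/29/2022 10:07:19:168 Debug(7349): Portal's saml-request {SAMPLE_SAML_REQUEST_B64}
P61363-T20231 06/29/2022 10:07:19:168 Debug(7378): Portal's saml default browser support = yes
<PanGPA>
P61365-T259   06/29/2022 10:07:41:953 Debug( 224): didFailProvisionalLoadWithError - An SSL error has occurred and a secure connection to the server cannot be made.
P61365-T29455 06/29/2022 10:07:41:978 Debug(1359): Command = <request><type>portal</type><portal>exampleportal.com</portal><saml-auth-status>0</saml-auth-status><saml-auth-error>Could not connect to the authentication server.  Check your internet connection and try again. If the issue persists, contact your administrator.</saml-auth-error><default-browser>0</default-browser></request>
"""

RE_EMBEDDED = re.compile(r"<default-browser>0</default-browser>")
RE_SSL_ERR = re.compile(r"didFailProvisionalLoadWithError - An SSL error has occurred")
RE_AUTH_ERR = re.compile(r"<saml-auth-error>Could not connect to the authentication server")
RE_SAML_REQ = re.compile(r"Portal's saml-request (\S+)")


class _FormParser(HTMLParser):
    """Collects the form action and the hidden input values from the decoded page."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action")
        elif tag == "input" and a.get("name"):
            self.fields[a["name"]] = a.get("value", "")


def decode_saml_request(blob):
    """Decode the logged saml-request: base64 -> auto-submit HTML form; its
    SAMLRequest field is base64 -> AuthnRequest XML. Returns the form action
    (the IdP SSO URL), the form fields and the AuthnRequest text."""
    html = base64.b64decode(blob).decode("utf-8", errors="replace")
    parser = _FormParser()
    parser.feed(html)
    authn = None
    if parser.fields.get("SAMLRequest"):
        authn = base64.b64decode(parser.fields["SAMLRequest"]).decode("utf-8", errors="replace")
    return {"idp_url": parser.action, "fields": parser.fields, "authn_request": authn}


def triage(log_text):
    """Check a log excerpt for the article's signature and pull out the IdP host."""
    result = {
        "embedded_browser": bool(RE_EMBEDDED.search(log_text)),
        "webview_ssl_error": bool(RE_SSL_ERR.search(log_text)),
        "generic_auth_error": bool(RE_AUTH_ERR.search(log_text)),
        "idp_host": None,
    }
    m = RE_SAML_REQ.search(log_text)
    if m:
        info = decode_saml_request(m.group(1))
        if info["idp_url"]:
            result["idp_host"] = urlsplit(info["idp_url"]).hostname
    # All three indicators together are the pattern this article describes.
    result["matches_article"] = (
        result["embedded_browser"] and result["webview_ssl_error"] and result["generic_auth_error"]
    )
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real PanGPS.log/PanGPA.log pair (concatenated) instead of `SAMPLE_LOG`. Once the helper reports the IdP host, confirm that host actually negotiates the suite from the title with `openssl s_client -connect <idp-host>:443 -tls1_2 -cipher AES256-SHA256` (AES256-SHA256 is OpenSSL's name for TLS_RSA_WITH_AES_256_CBC_SHA256); a completed handshake means the server still accepts the RSA key-exchange suite that triggers the macOS embedded-browser failure.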




Environment


  •  macOS endpoints
  •  GlobalProtect portal agent configuration using the embedded browser for SAML authentication ("Use Default Browser for SAML Authentication" set to No)
  •  The TLS_RSA_WITH_AES_256_CBC_SHA256 cipher suite is negotiated for the SAML connection


Cause


  •  Apple suspects the failure is related to NSURLConnection and UIWebView reusing the same TLS session cache, which causes the embedded browser's TLS handshake to fail when TLS_RSA_WITH_AES_256_CBC_SHA256 is negotiated
  •  Disabling RSA cipher suites altogether on the server side is not a safe workaround, because it may cause issues with Apple App Transport Security (ATS)


Resolution


  1.  Because this is a macOS limitation, the only resolution on the Palo Alto Networks side is to have GlobalProtect use the system default browser for SAML authentication, configured in the GlobalProtect portal's App tab
  2.  To enable it, navigate to Network > GlobalProtect > Portals > [Select Portal] > Agent > [Select Agent Config] > App and set "Use Default Browser for SAML Authentication" to "Yes"
Note: You can find the full list of steps in the following document


Additional Information




    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sZ7PCAU&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail