macOS authentication fails when SAML is used with the embedded browser and TLS_RSA_WITH_AES_256_CBC_SHA256

14015
Created On 09/15/22 03:42 AM - Last Modified 05/29/25 03:08 AM


Symptom


  • Only macOS endpoints fail, with the following errors in the GlobalProtect dump-level logs:
<PanGPS>
P61363-T20231 06/29/2022 10:07:19:164 Debug(7270): prelogin to portal result is 
<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Success</status>
<ccusername></ccusername>
<autosubmit>false</autosubmit>
<msg></msg>
<newmsg></newmsg>
<authentication-message>Enter login credentials</authentication-message>
<username-label>Username</username-label>
<password-label>Password</password-label>
<panos-version>1</panos-version>
<saml-default-browser>yes</saml-default-browser><saml-auth-status>0</saml-auth-status>
<saml-auth-method>POST</saml-auth-method>
<saml-request-timeout>600</saml-request-timeout>
<saml-request-id>0</saml-request-id><saml-request>[omitted]</saml-request><region>US</region>
</prelogin-response>
P61363-T20231 06/29/2022 10:07:19:164 Debug(7311): REGION-PRIO, region code is US
P61363-T20231 06/29/2022 10:07:19:166 Dump (  59): try root_lock
P61363-T20231 06/29/2022 10:07:19:166 Dump (  64): root_lock uid:110215223, euid:0
P61363-T20231 06/29/2022 10:07:19:168 Dump (  72): root_unlock uid:110215223, euid:0 has_lock:1
P61363-T20231 06/29/2022 10:07:19:168 Debug(13297): REGION-PRIO, save region code US
P61363-T20231 06/29/2022 10:07:19:168 Debug(7330): Portal's saml auth status 0
P61363-T20231 06/29/2022 10:07:19:168 Debug(7339): Portal's saml auth method POST
P61363-T20231 06/29/2022 10:07:19:168 Debug(7349): Portal's saml-request PGh0bWw+Cjxib2R5Pgo8Zm9ybSBpZD0ibXlmb3JtIiBtZXRob2Q9IlBPU1QiIGFjdGlvbj0iaHR0cHM6Ly9zc28uY29ycC5lYmF5LmNvbS9pZHAvU1NPLnNhbWwyIj4KPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0iU0FNTFJlcXVlc3QiIHZhbHVlPSJQSE5oYld4d09rRjFkR2h1VW1WeGRXVnpkQ0I0Yld4dWN6cHpZVzFzY0QwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09uQnliM1J2WTI5c0lpQkJjM05sY25ScGIyNURiMjV6ZFcxbGNsTmxjblpwWTJWVlVrdzlJbWgwZEhCek9pOHZZMkYwYVc5dUxXTnVMbU52Y25BdVpXSmhlUzVqYjIwNk5EUXpMMU5CVFV3eU1DOVRVQzlCUTFNaUlFUmxjM1JwYm1GMGFXOXVQU0pvZEhSd2N6b3ZMM056Ynk1amIzSndMbVZpWVhrdVkyOXRMMmxrY0M5VFUwOHVjMkZ0YkRJaUlFbEVQU0pmTmpNek1UQXlNMlJqWmpWaE1qSTJZVGsyWWpVellXUTJPVFkyTldRME5XRWlJRWx6YzNWbFNXNXpkR0Z1ZEQwaU1qQXlNaTB3TmkweU9WUXhOem93T0RveU1sb2lJRkJ5YjNSdlkyOXNRbWx1WkdsdVp6MGlkWEp1T205aGMybHpPbTVoYldWek9uUmpPbE5CVFV3Nk1pNHdPbUpwYm1ScGJtZHpPa2hVVkZBdFVFOVRWQ0lnVm1WeWMybHZiajBpTWk0d0lqNDhjMkZ0YkRwSmMzTjFaWElnZUcxc2JuTTZjMkZ0YkQwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09tRnpjMlZ5ZEdsdmJpSSthSFIwY0hNNkx5OWpZWFJwYjI0dFkyNHVZMjl5Y0M1bFltRjVMbU52YlRvME5ETXZVMEZOVERJd0wxTlFQQzl6WVcxc09rbHpjM1ZsY2o0OEwzTmhiV3h3T2tGMWRHaHVVbVZ4ZFdWemREND0iIC8+CjxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9IlJlbGF5U3RhdGUiIHZhbHVlPSJGOVVQQUxrMmpXRTVOVFl6WXpsaFlXSTRaV1UzTnpCaU1EVm1Oak14WlRkbFlUWm1NVE16Tnc9PSIgLz4KPC9mb3JtPgo8c2NyaXB0PgogIGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdteWZvcm0nKS5zdWJtaXQoKTsKPC9zY3JpcHQ+CjwvYm9keT4KPC9odG1sPg0K
P61363-T20231 06/29/2022 10:07:19:168 Dump (7361): No prelogin-cookie.
P61363-T20231 06/29/2022 10:07:19:168 Dump (7371): No saml-chrome-sso-support.
P61363-T20231 06/29/2022 10:07:19:168 Debug(7378): Portal's saml default browser support = yes
P61363-T20231 06/29/2022 10:07:19:168 Debug(7389): Portal's saml request id 0
P61363-T20231 06/29/2022 10:07:19:169 Debug(7398): Portal authentication-message is Enter login credentials
P61363-T20231 06/29/2022 10:07:19:169 Debug(7414): autosubmit is false
P61363-T20231 06/29/2022 10:07:19:169 Dump (7430): m_bAuthApi is false
P61363-T20231 06/29/2022 10:07:19:169 Debug(9088): ----Portal Login starts----
P61363-T20231 06/29/2022 10:07:19:169 Dump (1353): Portal user auth cookie file name is /Users/[username]/Library/Application
[Lines omitted for brevity]
P61363-T20231 06/29/2022 10:08:01:796 Info ( 531): msgtype = gateway-credential-cancel
P61363-T20231 06/29/2022 10:08:01:796 Dump ( 540): Received following message from UI
<request><type>gateway-credential-cancel</type></request>
P61363-T20231 06/29/2022 10:08:01:796 Debug(3941): ServerThread: ProcessServerCancelGatewayLogin
P61363-T20231 06/29/2022 10:08:01:796 Debug(3957): Set cancel gateway login event.
P61363-T20231 06/29/2022 10:08:01:796 Dump (1016): status is Disconnected
P61363-T35087 06/29/2022 10:08:01:796 Debug(11173): Got cancel gateway login event while waiting for challenge event for gateway examplegateway.com
P61363-T20231 06/29/2022 10:08:01:796 Dump (1063): stats.b_connected is 0, GetBestGateway is NULL. 
P61363-T20231 06/29/2022 10:08:01:796 Dump (1832): On-Demand mode. Always sends external gateway list to PanGPA.
P61363-T20231 06/29/2022 10:08:01:796 Dump (1859): add external-gateway examplegateway.com
P61363-T20231 06/29/2022 10:08:01:796 Dump (5628): Add pre vpn connect error _
P61363-T35087 06/29/2022 10:08:01:796 Debug(11191): HandleGatewayChallenge returns 1
P61363-T35087 06/29/2022 10:08:01:796 Debug(3746): HandleGatewayChallenge returns TRUE. Gateway saml login issue
P61363-T35087 06/29/2022 10:08:01:796 Debug(3757): User canceled login to gateway examplegateway.com.
P61363-T35087 06/29/2022 10:08:01:796 Info (2633): Failed to retrieve info for gateway examplegateway.com.
P61363-T35087 06/29/2022 10:08:01:796 Debug(2644): tunnel to examplegateway.com is not created
<PanGPA>
P61365-T6927  06/29/2022 10:07:19:197 Debug( 353): Receive gps message with type saml-pre-login.
P61365-T6927  06/29/2022 10:07:19:197 Debug( 276): message type from the service = saml-pre-login 
[Lines omitted for brevity]
P61365-T259   06/29/2022 10:07:40:591 Debug( 795): needsToShowRetryView called 
P61365-T259   06/29/2022 10:07:41:614 Debug( 795): needsToShowRetryView called 
P61365-T6927  06/29/2022 10:07:41:658 Dump ( 513): select() time out.
P61365-T259   06/29/2022 10:07:41:953 Debug( 224): didFailProvisionalLoadWithError - An SSL error has occurred and a secure connection to the server cannot be made. 
[Lines omitted for brevity]
P61365-T29455 06/29/2022 10:07:41:978 Debug(1342): Send command to Pan Service
P61365-T29455 06/29/2022 10:07:41:978 Debug(1359): Command = <request><type>portal</type><portal>exampleportal.com</portal><pid>61365</pid><user>[example username]</user><passwd>*</passwd><path>/Users/[username]/Library/Application Support/PaloAltoNetworks/GlobalProtect</path><checkupdate>no</checkupdate><allow-cached-portal>yes</allow-cached-portal><remember-me>yes</remember-me><retrieve-cache-only>no</retrieve-cache-only><manual-select-gateway-ip></manual-select-gateway-ip><portal-certificate-verification>yes</portal-certificate-verification><win-user>[example username]</win-user><user-profile-type>0</user-profile-type><preferred-gateway></preferred-gateway><preferred-gateway-address></preferred-gateway-address><saved-user>[example username]</saved-user><saved-passwd></saved-passwd><portal-2fa>no</portal-2fa><prelogin-cookie>0</prelogin-cookie><saml-username>[example username]</saml-username><saml-auth-status>0</saml-auth-status><saml-auth-error>Could not connect to the authentication server.  Check your internet connection and try again. If the issue persists, contact your administrator.</saml-auth-error><saml-load-cache>2</saml-load-cache><use-ssl-tunnel>no</use-ssl-tunnel><gid>20</gid><domain></domain><default-browser>0</default-browser></request>
P61365-T29455 06/29/2022 10:07:41:978 Debug(1427): PanClient sent successful with 1216 bytes
P61365-T6927  06/29/2022 10:07:42:222 Dump ( 508): socket ready for read
P61365-T6927  06/29/2022 10:07:42:222 Debug( 121): Received data from Pan Service
P61365-T29455 06/29/2022 10:07:42:223 Debug(1342): Send command to Pan Service
P61365-T6927  06/29/2022 10:07:42:223 Debug(1794): HandleResponse(): failed to get network type from the service response.
P61365-T29455 06/29/2022 10:07:42:223 Debug(1370): Command = <request><type>troubleshooting-log</type><error>Could not connect to the authentication server.  Check your internet connection and try again. If the issue persists, contact your administrator.</error><error-details>Could not connect to the authentication server.  Check your internet connection and try again. If the issue persists, contact your administrator.</error-details></request>
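The two log excerpts above carry everything an administrator needs for triage: the portal's prelogin response contains the base64-encoded auto-submit HTML form (whose hidden SAMLRequest is itself a base64 AuthnRequest naming the IdP endpoint), and the PanGPA log shows the embedded WebView failing with an SSL error before handing the SAML error back to the service. The following Python is an added example, not code from Palo Alto Networks: it decodes the `<saml-request>` to recover the IdP host whose TLS configuration should be checked, and matches the failure signature in PanGPA lines. The sample log lines, `idp.example.com` and `portal.example.com` are constructed for this example, and reading `<default-browser>0</default-browser>` as "embedded browser in use" is an assumption based on the Environment section below.

```python
import base64
import re
import xml.etree.ElementTree as ET


def _b64(text: str) -> str:
    """Base64-encode a string (used only to build the constructed sample)."""
    return base64.b64encode(text.encode()).decode()


# --- Constructed sample data, modelled on the article's PanGPS/PanGPA excerpts ---
# Hypothetical hosts: idp.example.com (IdP) and portal.example.com (GlobalProtect portal).
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example" Version="2.0" Destination="https://idp.example.com/sso/saml2" '
    'AssertionConsumerServiceURL="https://portal.example.com:443/SAML20/SP/ACS"/>'
)
# HTTP-POST binding: the SAMLRequest value is plain base64 of the AuthnRequest XML.
SAML_FORM = (
    '<html><body><form id="myform" method="POST" action="https://idp.example.com/sso/saml2">'
    f'<input type="hidden" name="SAMLRequest" value="{_b64(AUTHN_REQUEST)}" />'
    '<input type="hidden" name="RelayState" value="constructed" /></form></body></html>'
)
PANGPS_LOG = f"""P1-T1 06/29/2022 10:07:19:164 Debug(7270): prelogin to portal result is 
<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Success</status>
<saml-auth-method>POST</saml-auth-method>
<saml-request>{_b64(SAML_FORM)}</saml-request>
</prelogin-response>
"""
PANGPA_LOG = """P2-T259 06/29/2022 10:07:41:953 Debug( 224): didFailProvisionalLoadWithError - An SSL error has occurred and a secure connection to the server cannot be made. 
P2-T29455 06/29/2022 10:07:41:978 Debug(1359): Command = <request><type>portal</type><saml-auth-status>0</saml-auth-status><saml-auth-error>Could not connect to the authentication server.</saml-auth-error><default-browser>0</default-browser></request>
"""


def idp_from_prelogin(pangps_text: str):
    """Decode the <saml-request> in a prelogin response.

    Returns the form's POST target and the AuthnRequest's Destination and
    AssertionConsumerServiceURL; the Destination host is the one whose TLS
    cipher suites should be inspected when the embedded browser fails.
    """
    m = re.search(r"<saml-request>([A-Za-z0-9+/=]+)</saml-request>", pangps_text)
    if not m:
        return None
    form_html = base64.b64decode(m.group(1)).decode("utf-8", "replace")
    action = re.search(r'action="([^"]+)"', form_html)
    req = re.search(r'name="SAMLRequest"\s+value="([^"]+)"', form_html)
    info = {"form_action": action.group(1) if action else None,
            "destination": None, "acs_url": None}
    if req:
        root = ET.fromstring(base64.b64decode(req.group(1)))
        info["destination"] = root.get("Destination")
        info["acs_url"] = root.get("AssertionConsumerServiceURL")
    return info


def embedded_browser_tls_failure(pangpa_text: str):
    """Match the article's signature in PanGPA log text.

    All three must be present: a WebView SSL load failure, the embedded browser
    selected (default-browser 0, an assumption from the Environment section),
    and a saml-auth-error returned to the service.
    """
    ssl_fail = ("didFailProvisionalLoadWithError" in pangpa_text
                and "SSL error" in pangpa_text)
    embedded = re.search(r"<default-browser>0</default-browser>", pangpa_text) is not None
    err = re.search(r"<saml-auth-error>(.*?)</saml-auth-error>", pangpa_text, re.S)
    return {
        "matches": ssl_fail and embedded and err is not None,
        "webview_ssl_error": ssl_fail,
        "embedded_browser": embedded,
        "saml_auth_error": err.group(1) if err else None,
    }


if __name__ == "__main__":
    print(idp_from_prelogin(PANGPS_LOG))
    print(embedded_browser_tls_failure(PANGPA_LOG))
```

Run it against real PanGPS.log and PanGPA.log contents instead of the constructed samples; the `destination` value tells you which server's cipher-suite configuration to review.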




Environment


  • macOS endpoints
  • GlobalProtect configured to use the embedded browser instead of the default browser


Cause


  • Apple suspects this is related to the same TLS session cache being reused between NSURLConnection and UIWebView
  • Disabling RSA entirely can cause problems with Apple ATS
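The cipher suite in the title, TLS_RSA_WITH_AES_256_CBC_SHA256 (OpenSSL name AES256-SHA256), uses static RSA key exchange, so it offers no forward secrecy and is exactly the kind of suite a hardened client profile excludes; the Cause section notes that simply dropping RSA server-side is not a safe blanket fix because of ATS. The following Python is an added example, not code from Palo Alto Networks or Apple: it uses the standard `ssl` module to show what a client context restricted to the legacy suite offers versus an ECDHE-only context, and includes a probe that reports the cipher a server actually negotiates. The offline context checks need no network; `negotiated_cipher` does, and the host passed to it is a placeholder you replace with your own portal or IdP.

```python
import socket
import ssl

# IANA name from the article and its OpenSSL equivalent
LEGACY_SUITE_IANA = "TLS_RSA_WITH_AES_256_CBC_SHA256"
LEGACY_SUITE_OPENSSL = "AES256-SHA256"


def tls12_suites(ctx: ssl.SSLContext):
    """TLS 1.2 cipher names this context would offer (TLS 1.3 suites filtered out)."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def static_rsa_suites(ctx: ssl.SSLContext):
    """Suites whose key exchange is static RSA (Kx=RSA): no forward secrecy."""
    return [c["name"] for c in ctx.get_ciphers() if "Kx=RSA" in c["description"]]


def legacy_context() -> ssl.SSLContext:
    """Client context that offers only the suite from the article.

    Useful to test whether a server still accepts it. set_ciphers raises
    ssl.SSLError on OpenSSL builds that have removed the suite entirely.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_default_certs()
    ctx.set_ciphers(LEGACY_SUITE_OPENSSL)
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Client context limited to ECDHE AEAD suites (forward secrecy, TLS 1.2+)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL")
    return ctx


def negotiated_cipher(host: str, port: int = 443, ctx: ssl.SSLContext = None,
                      timeout: float = 5.0):
    """Connect and return (cipher_name, protocol_version) the server negotiated.

    With legacy_context() a successful handshake means the server still accepts
    the static-RSA suite; an ssl.SSLError means it does not.
    """
    ctx = ctx or hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, version, _bits = tls.cipher()
            return name, version


if __name__ == "__main__":
    print("legacy context offers:", tls12_suites(legacy_context()))
    print("hardened context static-RSA suites:", static_rsa_suites(hardened_context()))
    # Placeholder host; replace with your portal or IdP before running.
    # print(negotiated_cipher("portal.example.com", ctx=legacy_context()))
```

If the probe with `legacy_context()` handshakes successfully against your IdP or portal, the server is still willing to negotiate the static-RSA suite; prefer ordering ECDHE suites first on the server rather than removing RSA outright, for the ATS reason given above.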


Resolution


  1. Since this is a macOS limitation, the only resolution on the Palo Alto Networks side is to use the default browser setting in the GlobalProtect App tab of the Portal configuration
  2. You can enable this by navigating to Network > GlobalProtect > Portals > [Select portal] > Agent > [Select Agent Config] > App and setting "Use Default Browser for SAML Authentication" to "Yes"
Note: You can find the full list of steps in the following document


Additional Information



