macOS fails SAML authentication with the embedded browser when TLS_RSA_WITH_AES_256_CBC_SHA256 is used


Created On 09/15/22 03:42 AM - Last Modified 05/29/25 03:08 AM


Symptom


  • Only macOS endpoints fail, with the following errors in the GP dump-level logs:
<PanGPS>
P61363-T20231 06/29/2022 10:07:19:164 Debug(7270): prelogin to portal result is 
<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Success</status>
<ccusername></ccusername>
<autosubmit>false</autosubmit>
<msg></msg>
<newmsg></newmsg>
<authentication-message>Enter login credentials</authentication-message>
<username-label>Username</username-label>
<password-label>Password</password-label>
<panos-version>1</panos-version>
<saml-default-browser>yes</saml-default-browser><saml-auth-status>0</saml-auth-status>
<saml-auth-method>POST</saml-auth-method>
<saml-request-timeout>600</saml-request-timeout>
<saml-request-id>0</saml-request-id><saml-request>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</saml-request><region>US</region>
</prelogin-response>
P61363-T20231 06/29/2022 10:07:19:164 Debug(7311): REGION-PRIO, region code is US
P61363-T20231 06/29/2022 10:07:19:166 Dump (  59): try root_lock
P61363-T20231 06/29/2022 10:07:19:166 Dump (  64): root_lock uid:110215223, euid:0
P61363-T20231 06/29/2022 10:07:19:168 Dump (  72): root_unlock uid:110215223, euid:0 has_lock:1
P61363-T20231 06/29/2022 10:07:19:168 Debug(13297): REGION-PRIO, save region code US
P61363-T20231 06/29/2022 10:07:19:168 Debug(7330): Portal's saml auth status 0
P61363-T20231 06/29/2022 10:07:19:168 Debug(7339): Portal's saml auth method POST
P61363-T20231 06/29/2022 10:07:19:168 Debug(7349): Portal's saml-request 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
P61363-T20231 06/29/2022 10:07:19:168 Dump (7361): No prelogin-cookie.
P61363-T20231 06/29/2022 10:07:19:168 Dump (7371): No saml-chrome-sso-support.
P61363-T20231 06/29/2022 10:07:19:168 Debug(7378): Portal's saml default browser support = yes
P61363-T20231 06/29/2022 10:07:19:168 Debug(7389): Portal's saml request id 0
P61363-T20231 06/29/2022 10:07:19:169 Debug(7398): Portal authentication-message is Enter login credentials
P61363-T20231 06/29/2022 10:07:19:169 Debug(7414): autosubmit is false
P61363-T20231 06/29/2022 10:07:19:169 Dump (7430): m_bAuthApi is false
P61363-T20231 06/29/2022 10:07:19:169 Debug(9088): ----Portal Login starts----
P61363-T20231 06/29/2022 10:07:19:169 Dump (1353): Portal user auth cookie file name is /Users/[username]/Library/Application
[Lines omitted for brevity]
P61363-T20231 06/29/2022 10:08:01:796 Info ( 531): msgtype = gateway-credential-cancel
P61363-T20231 06/29/2022 10:08:01:796 Dump ( 540): Received following message from UI
<request><type>gateway-credential-cancel</type></request>
P61363-T20231 06/29/2022 10:08:01:796 Debug(3941): ServerThread: ProcessServerCancelGatewayLogin
P61363-T20231 06/29/2022 10:08:01:796 Debug(3957): Set cancel gateway login event.
P61363-T20231 06/29/2022 10:08:01:796 Dump (1016): status is Disconnected
P61363-T35087 06/29/2022 10:08:01:796 Debug(11173): Got cancel gateway login event while waiting for challenge event for gateway examplegateway.com
P61363-T20231 06/29/2022 10:08:01:796 Dump (1063): stats.b_connected is 0, GetBestGateway is NULL. 
P61363-T20231 06/29/2022 10:08:01:796 Dump (1832): On-Demand mode. Always sends external gateway list to PanGPA.
P61363-T20231 06/29/2022 10:08:01:796 Dump (1859): add external-gateway examplegateway.com
P61363-T20231 06/29/2022 10:08:01:796 Dump (5628): Add pre vpn connect error _
P61363-T35087 06/29/2022 10:08:01:796 Debug(11191): HandleGatewayChallenge returns 1
P61363-T35087 06/29/2022 10:08:01:796 Debug(3746): HandleGatewayChallenge returns TRUE. Gateway saml login issue
P61363-T35087 06/29/2022 10:08:01:796 Debug(3757): User canceled login to gateway examplegateway.com.
P61363-T35087 06/29/2022 10:08:01:796 Info (2633): Failed to retrieve info for gateway examplegateway.com.
P61363-T35087 06/29/2022 10:08:01:796 Debug(2644): tunnel to examplegateway.com is not created
<PanGPA>
P61365-T6927  06/29/2022 10:07:19:197 Debug( 353): Receive gps message with type saml-pre-login.
P61365-T6927  06/29/2022 10:07:19:197 Debug( 276): message type from the service = saml-pre-login 
[Lines omitted for brevity]
P61365-T259   06/29/2022 10:07:40:591 Debug( 795): needsToShowRetryView called 
P61365-T259   06/29/2022 10:07:41:614 Debug( 795): needsToShowRetryView called 
P61365-T6927  06/29/2022 10:07:41:658 Dump ( 513): select() time out.
P61365-T259   06/29/2022 10:07:41:953 Debug( 224): didFailProvisionalLoadWithError - An SSL error has occurred and a secure connection to the server cannot be made. 
[Lines omitted for brevity]
P61365-T29455 06/29/2022 10:07:41:978 Debug(1342): Send command to Pan Service
P61365-T29455 06/29/2022 10:07:41:978 Debug(1359): Command = <request><type>portal</type><portal>exampleportal.com</portal><pid>61365</pid><user>[example username]</user><passwd>*</passwd><path>/Users/[username]/Library/Application Support/PaloAltoNetworks/GlobalProtect</path><checkupdate>no</checkupdate><allow-cached-portal>yes</allow-cached-portal><remember-me>yes</remember-me><retrieve-cache-only>no</retrieve-cache-only><manual-select-gateway-ip></manual-select-gateway-ip><portal-certificate-verification>yes</portal-certificate-verification><win-user>[example username]</win-user><user-profile-type>0</user-profile-type><preferred-gateway></preferred-gateway><preferred-gateway-address></preferred-gateway-address><saved-user>[example username]</saved-user><saved-passwd></saved-passwd><portal-2fa>no</portal-2fa><prelogin-cookie>0</prelogin-cookie><saml-username>[example username]</saml-username><saml-auth-status>0</saml-auth-status><saml-auth-error>Could not connect to the authentication server.  Check your internet connection and try again. If the issue persists, contact your administrator.</saml-auth-error><saml-load-cache>2</saml-load-cache><use-ssl-tunnel>no</use-ssl-tunnel><gid>20</gid><domain></domain><default-browser>0</default-browser></request>
P61365-T29455 06/29/2022 10:07:41:978 Debug(1427): PanClient sent successful with 1216 bytes
P61365-T6927  06/29/2022 10:07:42:222 Dump ( 508): socket ready for read
P61365-T6927  06/29/2022 10:07:42:222 Debug( 121): Received data from Pan Service
P61365-T29455 06/29/2022 10:07:42:223 Debug(1342): Send command to Pan Service
P61365-T6927  06/29/2022 10:07:42:223 Debug(1794): HandleResponse(): failed to get network type from the service response.
P61365-T29455 06/29/2022 10:07:42:223 Debug(1370): Command = <request><type>troubleshooting-log</type><error>Could not connect to the authentication server.  Check your internet connection and try again. If the issue persists, contact your administrator.</error><error-details>Could not connect to the authentication server.  Check your internet connection and try again. If the issue persists, contact your administrator.</error-details></request>
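To triage this failure from collected agent logs, here is an added example (not from the article or from Palo Alto Networks): a small Python parser for the PanGPS/PanGPA line format shown above, plus a check that flags the signature of this issue (SAML pre-login announced, the embedded browser reports an SSL error, then the agent sends "Could not connect to the authentication server" to the service). The sample lines are constructed from the excerpt above and the function names are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Line format seen in the excerpts: "P<pid>-T<tid> MM/DD/YYYY HH:MM:SS:ms Level(code): message"
# (level and code may be padded, e.g. "Dump (  59)" or "Info ( 531)").
LINE_RE = re.compile(
    r"^P(?P<pid>\d+)-T(?P<tid>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+"
    r"(?P<level>\w+)\s*\(\s*(?P<code>\d+)\):\s*(?P<msg>.*)$"
)

@dataclass
class Entry:
    pid: int
    tid: int
    stamp: str
    level: str
    code: int
    msg: str

def parse_log(text: str) -> list[Entry]:
    """Parse well-formed agent lines; XML bodies and '[Lines omitted]' markers are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(int(m["pid"]), int(m["tid"]), f'{m["date"]} {m["time"]}',
                                 m["level"], int(m["code"]), m["msg"]))
    return entries

def _first_index(entries: list[Entry], *needles: str) -> int:
    """Index of the first entry whose message contains every needle, or -1."""
    for i, e in enumerate(entries):
        if all(n in e.msg for n in needles):
            return i
    return -1

def embedded_browser_tls_failure(entries: list[Entry]) -> bool:
    """True when the three markers appear in order: SAML pre-login, then the embedded
    browser's SSL load failure, then the agent reporting the auth-server error."""
    prelogin = _first_index(entries, "saml-pre-login")
    ssl_err = _first_index(entries, "didFailProvisionalLoadWithError", "SSL error")
    auth_err = _first_index(entries, "<saml-auth-error>Could not connect to the authentication server")
    return 0 <= prelogin < ssl_err < auth_err

# Constructed sample, shortened from the PanGPA excerpt above.
SAMPLE = """\
P61365-T6927  06/29/2022 10:07:19:197 Debug( 353): Receive gps message with type saml-pre-login.
P61365-T259   06/29/2022 10:07:41:953 Debug( 224): didFailProvisionalLoadWithError - An SSL error has occurred and a secure connection to the server cannot be made.
P61365-T29455 06/29/2022 10:07:41:978 Debug(1359): Command = <request><type>portal</type><saml-auth-error>Could not connect to the authentication server.</saml-auth-error></request>
"""
```

A positive result points at the embedded-browser TLS path described in this article rather than at a credential or connectivity problem.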




Environment


  • macOS endpoints
  • GlobalProtect configured to use the embedded browser rather than the default browser


Cause


  • Apple suspects this is related to the reuse of the same TLS session cache between NSURLConnection and UIWebView
  • Disabling the use of RSA can cause problems with Apple ATS


Resolution


  1. Since this is a macOS limitation, the only workaround on the Palo Alto Networks side is to use the default browser setting in the App tab of the GlobalProtect portal configuration
  2. You can enable this option by going to Network > GlobalProtect > Portals > [Select Portal] > Agent > [Select Agent Config] > App and setting "Use Default Browser for SAML Authentication" to "Yes".
Note: The full list of steps can be found in the following document


Additional Information



