GlobalProtect portal authentication failure "You are not authorized to connect to GP Portal" even if domain is correctly added to authentication profile
Created On 11/21/22 09:46 AM - Last Modified 07/02/24 13:28 PM
Symptom
- The authentication server expects the user name in the form domain\username, but the user enters only the bare username in the GlobalProtect app.
- The portal's config selection criteria are based on user group membership.
- The authentication profile is therefore configured to prepend the domain to the user's input by setting the Username Modifier to %USERDOMAIN%\%USERINPUT%.
- The system logs nevertheless show that no portal configuration matches, and the connection is rejected with the error "You are not authorized to connect to GP Portal".
Environment
- GlobalProtect portal configured to match "Config Selection Criteria" using LDAP users and user groups.
Cause
- Whether this issue occurs depends on the 'Allow Authentication with User Credentials or Client Certificate' setting in the affected portal's Authentication configuration.
- To check it, go to Network > GlobalProtect > Portals, open the affected portal, and review the setting on the Authentication tab.
- When set to Yes, either method is accepted on its own (both are optional).
- When set to Yes and a certificate profile is also selected, PAN-OS validates the client certificate and, if it is valid, skips the authentication profile entirely. The username is then taken from the certificate profile rather than from the authentication profile, so the domain from the Username Modifier is never added to the login request and the user-group criteria do not match.
Resolution
Change 'Allow Authentication with User Credentials or Client Certificate' according to one of the following options:
- Set it to No, so that both the client certificate and the user credentials are checked. The authentication profile then runs, the domain is added to the login request, and the config selection criteria match.
- Keep it set to Yes and add the domain in the certificate profile configuration, so that the username taken from the certificate also carries the domain.
- Keep it set to Yes and remove the certificate profile from the portal's authentication configuration, so that the authentication profile is used and the domain is added to the login request.
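The following is an added illustration, not PAN-OS code or configuration: it models, in Python, which username the portal ends up matching against the config selection criteria under each combination of the setting, the certificate profile, and the authentication profile's Username Modifier, and shows why the bare certificate username fails to match a group keyed on domain\username. The group map, user name, domain, profile names, and the rule that a valid certificate bypasses the authentication profile are taken from the text above; the function and field names are assumptions for the model.

```python
"""Model of the GlobalProtect portal username used for config selection.

Added example (not PAN-OS code). It paraphrases the KB's decision rules:
  * 'Allow Authentication with User Credentials OR Client Certificate' = Yes
    plus a certificate profile: a valid client certificate is enough, the
    authentication profile is skipped, and the username comes from the
    certificate (optionally prefixed with the certificate profile's domain).
  * = No, or no certificate profile / no certificate: the authentication
    profile runs and its Username Modifier is applied.
All names below (gp-users, example, jdoe, gp-cert) are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Username Modifier choices offered by a PAN-OS authentication profile.
MODIFIERS = ("%USERINPUT%", r"%USERDOMAIN%\%USERINPUT%", "%USERINPUT%@%USERDOMAIN%")


@dataclass
class PortalAuth:
    allow_cred_or_cert: bool           # the portal setting discussed in this article
    cert_profile: Optional[str]        # certificate profile attached to the portal, if any
    cert_profile_domain: Optional[str] # domain configured in the certificate profile (assumed field)
    user_domain: str                   # User Domain in the authentication profile
    username_modifier: str = r"%USERDOMAIN%\%USERINPUT%"


def apply_modifier(modifier: str, user_input: str, user_domain: str) -> str:
    """Expand the authentication-profile Username Modifier template."""
    if modifier not in MODIFIERS:
        raise ValueError(f"unknown modifier {modifier!r}")
    return modifier.replace("%USERDOMAIN%", user_domain).replace("%USERINPUT%", user_input)


def portal_username(auth: PortalAuth, user_input: str,
                    cert_cn: Optional[str] = None) -> Tuple[str, str]:
    """Return (source, username) the portal carries into config selection.

    cert_cn is the username extracted from a client certificate that passed
    validation, or None when no usable certificate was presented.
    """
    if auth.allow_cred_or_cert and auth.cert_profile and cert_cn:
        # Yes + certificate profile + valid certificate: the certificate profile
        # wins and the authentication profile (and its modifier) is skipped.
        if auth.cert_profile_domain:
            return "certificate", f"{auth.cert_profile_domain}\\{cert_cn}"
        return "certificate", cert_cn
    # No (both methods required), or nothing for the certificate path to use:
    # the authentication profile runs and the modifier adds the domain.
    return "auth-profile", apply_modifier(auth.username_modifier, user_input, auth.user_domain)


def select_config(username: str, group_members: Dict[str, Iterable[str]],
                  configs: List[Tuple[str, str]]) -> Optional[str]:
    """Return the first portal config whose user group contains username.

    None corresponds to the "You are not authorized to connect to GP Portal"
    outcome: no config selection criteria matched.
    """
    wanted = username.lower()
    for cfg_name, group in configs:
        if wanted in {m.lower() for m in group_members.get(group, ())}:
            return cfg_name
    return None


def scenarios() -> Dict[str, Optional[str]]:
    """Run the four configurations from the Cause and Resolution sections."""
    members = {"gp-users": ["example\\jdoe"]}        # constructed LDAP group
    configs = [("corp-config", "gp-users")]           # constructed config selection criteria
    cases = {
        "yes_with_cert_profile": PortalAuth(True, "gp-cert", None, "example"),
        "set_to_no": PortalAuth(False, "gp-cert", None, "example"),
        "yes_domain_in_cert_profile": PortalAuth(True, "gp-cert", "example", "example"),
        "yes_cert_profile_removed": PortalAuth(True, None, None, "example"),
    }
    results = {}
    for label, auth in cases.items():
        _, name = portal_username(auth, "jdoe", cert_cn="jdoe")
        results[label] = select_config(name, members, configs)
    return results


if __name__ == "__main__":
    for label, chosen in scenarios().items():
        print(f"{label:28s} -> {chosen or 'NOT AUTHORIZED (no config matched)'}")
```

Only the first scenario (Yes with a certificate profile and no domain in it) returns no matching config; the three Resolution options all yield a username of the form example\jdoe and select the config. The model assumes, as the text states, that a validated certificate makes the portal skip the authentication profile; it does not model certificate validation itself.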