GlobalProtect App connection fails message requesting a valid client certificate when the client certificate exist

• GlobalProtect with certificate profile authentication
• Connecting to multiple GP Portal with different Extended Key Usage OID for Client Certificate values

• Connecting to a GP Portal that uses client certification authentication, it is using the value from a previous connection stored in registry
• GP Portal config authentication profile, using only certificate profile

• Agent config has configured the default value in Extended Key Usage OID for Client Certificate

• GlobalProtect connection fails with the error message "A valid client certificate is required for authentication. If the issue persists, contact your administrator."

• In GP App logs, it shows using the oid from the last connected GP Portal
• (P3784-T5304)Debug(3203): 01/29/25 04:32:05:244 REQID=73,IPADDR=gp-portal1.pantac.lab,PORT=443,URL=/global-protect/prelogin.esp,POST=1,PROXY_AUTO=0,PROXY_CFGURL=NULL,PROXY=NULL,PROXY_BYPASS=NULL,PROXY_USER=NULL,PROXY_PASS=****,VERIFY_CERT=1,ADDITIONAL_CHECK=1,SCEP_CERT=,oid=1.3.6.1.4.1.311.20.2.2
• This is because agent configs are stored in global settings and not per portal

1. Stop PanGPS service

2. Open Registry Editor and browse to HKLM\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings

3. Delete the ext-key-usage-oid-for-client-cert value

4. Start GP App and connect again to the intended GP Portal