GlobalProtect App unable to access client certificate on Android when the phone is locked

Created On 07/19/22 12:28 PM - Last Modified 08/01/24 20:51 PM


Symptom


  • GlobalProtect App is unable to connect to the Portal/Gateway if client certificate authentication is required and the phone/screen is locked at connection time.
  • GP client logs show the following entries:
:440596 - PanKeyManager: getPrivateKey for alias: User 4911aa55-0aa1-4cc1-9669-12344456d789
:520492 - PanKeyManager: key is not found for alias: User 4911aa55-0aa1-4cc1-9669-12344456d789
  • Samsung Knox logs show:

keystore: !@ LockedByCCM"
W System.err: java.security.UnrecoverableKeyException: Failed to obtain information about key
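The two PanKeyManager lines above are the signature to look for when triaging this problem in bulk. The following Python script is an added example (not Palo Alto Networks code) that scans GlobalProtect client log text for getPrivateKey requests and "key is not found" failures per certificate alias, and flags aliases for which every request failed; it also checks Knox log text for the LockedByCCM marker so the two sources can be correlated. The sample log lines are constructed for the example and reuse the placeholder alias from this article; the function names are assumptions.

```python
import re

# Constructed sample GP client log text in the shape of the excerpt above.
# The alias values are placeholders, not aliases from a real device.
SAMPLE_GP_LOG = """\
:440596 - PanKeyManager: getPrivateKey for alias: User 4911aa55-0aa1-4cc1-9669-12344456d789
:520492 - PanKeyManager: key is not found for alias: User 4911aa55-0aa1-4cc1-9669-12344456d789
:600001 - PanKeyManager: getPrivateKey for alias: User 4911aa55-0aa1-4cc1-9669-12344456d789
:600123 - PanKeyManager: key is not found for alias: User 4911aa55-0aa1-4cc1-9669-12344456d789
:700000 - PanKeyManager: getPrivateKey for alias: User aaaaaaaa-0000-1111-2222-333333333333
"""

# Constructed sample Knox log text in the shape of the excerpt above.
SAMPLE_KNOX_LOG = """\
keystore: !@ LockedByCCM"
W System.err: java.security.UnrecoverableKeyException: Failed to obtain information about key
"""

# Patterns for the two PanKeyManager messages; the alias is everything after the colon.
GET_KEY_RE = re.compile(r"PanKeyManager: getPrivateKey for alias: (?P<alias>.+?)\s*$")
NOT_FOUND_RE = re.compile(r"PanKeyManager: key is not found for alias: (?P<alias>.+?)\s*$")


def triage_keymanager_log(text):
    """Count private-key requests and 'key is not found' failures per alias.

    Returns a dict: alias -> {"requests": int, "failures": int}.
    """
    summary = {}
    for line in text.splitlines():
        m = GET_KEY_RE.search(line)
        if m:
            entry = summary.setdefault(m.group("alias"), {"requests": 0, "failures": 0})
            entry["requests"] += 1
            continue
        m = NOT_FOUND_RE.search(line)
        if m:
            entry = summary.setdefault(m.group("alias"), {"requests": 0, "failures": 0})
            entry["failures"] += 1
    return summary


def blocked_aliases(text):
    """Aliases whose every getPrivateKey request ended in 'key is not found'.

    An alias that sometimes succeeds is not reported: a consistently failing
    alias is the pattern that matches the CCM lock described in this article.
    """
    summary = triage_keymanager_log(text)
    return sorted(
        alias for alias, counts in summary.items()
        if counts["failures"] > 0 and counts["failures"] >= counts["requests"]
    )


def ccm_lock_seen(knox_text):
    """True if the Knox keystore log carries the LockedByCCM marker."""
    return any("LockedByCCM" in line for line in knox_text.splitlines())


if __name__ == "__main__":
    for alias, counts in triage_keymanager_log(SAMPLE_GP_LOG).items():
        print(f"{alias}: {counts['failures']}/{counts['requests']} requests failed")
    print("blocked aliases:", blocked_aliases(SAMPLE_GP_LOG))
    print("Knox LockedByCCM seen:", ccm_lock_seen(SAMPLE_KNOX_LOG))
```

When an alias appears in the blocked list and the Knox log shows LockedByCCM for the same period, the device-locked CCM condition described in this article is the likely cause, and the MDM exemption in the Resolution section is the place to start; an alias that fails only some of the time points elsewhere (for example, a certificate that was removed or renewed).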


Environment


  • GlobalProtect App for Android
  • Certificates deployed via MDM.
Note: The issue is more likely to occur with an always-on connection, because re-establishment can be triggered by the app itself (while the phone is still locked).


Cause


GP is unable to access the certificate's private key, which is needed for the authentication process, because access to the key is blocked by CCM (Client Certificate Management) while the device is locked.

Resolution


  1. Exempt "com.paloaltonetworks.globalprotect" from CCM (Client Certificate Management) policies on the MDM (Mobile Device Management).
  2. With the exemption in place, GP can access the certificate's private key and connect without the phone being unlocked.


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wl20CAA&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail