Authentication policy with MFA not working for RDP over GlobalProtect connection
Created On 10/05/22 05:00 AM - Last Modified 01/28/25 21:44 PM
Symptom
- RDP fails with the error "An internal error has occurred."
- PanGPS logs on the client show the MFA redirect being rejected:
  CPanMSService::MFAuthHandleMsg: received optType=3, optLength=62, optVal=0x68
  CPanMSService::MFAuthHandleMsg: received url=http://10.16.0.1:6080/php/browser_challenge.php?vsys=1&rule=0
  CPanMSService::MFAuthHandleMsg: host name =10.16.0.1:6080
  CPanMSService::IsHostInTrustedList() host = 10.16.0.1:6080 is not in trusted host list!
  CPanMSService::MFAuthHandleMsg: The host (10.16.0.1:6080) is not in the trusted host list.
- In the firewall traffic log, the session end reason is "auth-policy-deny" for the application "cotp"
Environment
- GlobalProtect
- PAN-OS
Cause
- The authentication policy redirected the RDP session to the firewall's authentication challenge page (http://10.16.0.1:6080/...), but that host and port were not configured in the GlobalProtect app's Trusted MFA Gateways list. The app only displays the MFA notification for hosts on that list, so the user was never prompted and the firewall denied the session with "auth-policy-deny".
Resolution
- Navigate to Network > GlobalProtect > Portals > select the configured portal > Agent > select the agent configuration > App > App Configurations
- In the Trusted MFA Gateways field, add the redirect host IP address and port exactly as the PanGPS log reports it (in this case 10.16.0.1:6080), then commit. The app receives the updated portal configuration the next time it connects.
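To pull the exact value for the Trusted MFA Gateways field out of a PanGPS.log, the following Python script (an added example, not Palo Alto Networks code) parses the "received url=" and "is not in trusted host list" lines and compares the rejected hosts against the list you already have configured. The log lines embedded in it are constructed from the excerpt in this article; the message formats, the challenge-page path and the log file location are assumed to match what the article shows.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the PanGPS.log excerpt in this article.
# On a Windows client the real file is normally
# C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.log (assumed path).
SAMPLE_LOG = """\
CPanMSService::MFAuthHandleMsg: received optType=3, optLength=62, optVal=0x68
CPanMSService::MFAuthHandleMsg: received url=http://10.16.0.1:6080/php/browser_challenge.php?vsys=1&rule=0
CPanMSService::MFAuthHandleMsg: host name =10.16.0.1:6080
CPanMSService::IsHostInTrustedList() host = 10.16.0.1:6080 is not in trusted host list!
CPanMSService::MFAuthHandleMsg: The host (10.16.0.1:6080) is not in the trusted host list.
"""

# The redirect URL the firewall's authentication policy sent to the app
URL_RE = re.compile(r"MFAuthHandleMsg: received url=(\S+)")
# The host:port value the app actually compared against Trusted MFA Gateways
UNTRUSTED_RE = re.compile(r"IsHostInTrustedList\(\) host = (\S+) is not in trusted host list")
# Path of the PAN-OS authentication challenge page seen in the excerpt (assumed constant)
CHALLENGE_PATH = "/php/browser_challenge.php"


def rejected_redirects(log_text):
    """Return (host_port, url) for every MFA redirect the app rejected.

    The 'received url=' line precedes the rejection line, so the most recent
    URL is paired with the next 'is not in trusted host list' message.
    """
    last_url = None
    rejected = []
    for line in log_text.splitlines():
        m = URL_RE.search(line)
        if m:
            last_url = m.group(1)
            continue
        m = UNTRUSTED_RE.search(line)
        if m:
            rejected.append((m.group(1), last_url))
            last_url = None
    return rejected


def hosts_to_add(log_text, trusted):
    """Split rejected host:port values into ones to add and ones to review.

    'add'    - missing from the current Trusted MFA Gateways list and pointing
               at the PAN-OS challenge page, i.e. the expected auth-policy redirect.
    'review' - missing from the list but redirecting somewhere else; check by
               hand that the host really is one of your firewalls before trusting it.
    The list is an allowlist of your own firewalls, not every host the log mentions.
    """
    trusted_set = {t.strip().lower() for t in trusted}
    add, review = set(), set()
    for host_port, url in rejected_redirects(log_text):
        if host_port.lower() in trusted_set:
            continue
        if url is not None and urlsplit(url).path == CHALLENGE_PATH:
            add.add(host_port)
        else:
            review.add(host_port)
    return {"add": sorted(add), "review": sorted(review)}


if __name__ == "__main__":
    result = hosts_to_add(SAMPLE_LOG, trusted=[])
    for host in result["add"]:
        print(f"Add to Trusted MFA Gateways: {host}")
    for host in result["review"]:
        print(f"Review before trusting (unexpected redirect target): {host}")
```

Run it against a copy of the client's PanGPS.log (read the file and pass its contents in place of SAMPLE_LOG) together with the entries currently in the Trusted MFA Gateways field; whatever lands in "add" is the host:port string the Resolution step above asks for.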
Additional Information
- Check the PanGPS logs for the "is not in trusted host list" message to find the exact redirect host IP address and port; that host:port value is what goes into Trusted MFA Gateways. Only add hosts you can confirm are your own firewall, since the list exists to stop the app from honoring MFA redirects to arbitrary hosts.
- Note: If the MFA prompt still does not appear, check whether Windows Defender Firewall is blocking it by temporarily disabling the firewall for the test. Re-enable it afterwards; if it was the cause, add an allow rule for the GlobalProtect app rather than leaving the firewall off.
- Configure GlobalProtect to Facilitate Multi-Factor Authentication Notifications https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/authentication/configure-globalprotect-to-facilitate-multi-factor-authentication-notifications
- GlobalProtect: Authentication Policy with MFA https://live.paloaltonetworks.com/t5/globalprotect-articles/globalprotect-authentication-policy-with-mfa/ta-p/322236