Tips & Tricks: Single Sign-on (SSO) for GlobalProtect
Single Sign-On (SSO) for GlobalProtect
GlobalProtect SSO on Windows allows GlobalProtect agents to use Windows login credentials to authenticate with the GlobalProtect portal and gateway. GlobalProtect uses Microsoft's credential provider framework to collect the user’s login credentials during the Windows login and transparently authenticate the user to the GlobalProtect portal and gateway.
This document describes how the Windows user login experience has changed between Window 7 and Windows 8, 10 and the impact it has on GlobalProtect SSO. This document also describes scenarios that may affect GlobalProtect SSO on Windows. For example, there can be other third-party credential providers on a Windows computer that might interfere and break GlobalProtect SSO. We include tips on how you can get GlobalProtect SSO to work as expected and provide the best login experience for users.
GlobalProtect SSO on Windows 7 and Windows Vista
If GlobalProtect is the only credential provider on a Windows 7 computer, users will not notice any change in their Windows login screen and GlobalProtect SSO works automatically.
However, if the computer has multiple credential providers, then the login screen typically shows multiple login tiles for the same user, one tile for each credential provider. Or, the login screen may show only one login tile for the user, but selecting Switch User may show additional login tiles for that same user.
The screenshot below shows the login screen from a Windows 7 computer that has GlobalProtect and another credential provider.
Figure 1: Multiple Login Tiles
When the user logs in to this Windows computer using the tile that corresponds to 3rd party credential provider GlobalProtect SSO would fail.
For GlobalProtect SSO to work on this Windows 7 computer, users have to select the GlobalProtect login tile first, then login to Windows. However, users may not easily identify the GlobalProtect tile.
There are 2 options to solve this problem.
- One option is to identify the 3rd party credential provider that’s interfering with GlobalProtect SSO and evaluate the need for that. If it is not a required software then you can get rid of the 3rd party credential provider.
- If you can’t get rid of it then you can use SSO wrapping for third-party credentials provided by GlobalProtect. With SSO wrapping, the GlobalProtect credential provider does not list itself as a separate login tile. Instead, it wraps around the other third-party credential provider on the computer. This allows both GlobalProtect SSO and the other third-party software to continue to function properly. For more information, see Deploy Agent Settings to Windows Clients. Refer to the “Enable SSO Wrapping for Third-Party Credentials” section of this topic.
This document describes how you can use registry settings or MSI parameters to perform SSO wrapping.
When you set up SSO wrapping, you may have trouble identifying which third-party credential provider on the computer is interfering with GlobalProtect SSO. Typically, this interference comes from password management software (such as CA Identity Manager and ReACT). To find all the credential providers on the system, check this registry path:
SSO wrapping may still not have the desired effect in some cases. For example, if Symantec Disk Encryption Credential Provider is installed. In these cases, there is no fix or work-around for getting GlobalProtect SSO to work using the credential providers. The alternative is to use Kerberos authentication support in GlobalProtect 3.1 or later. For more information, see Kerberos for Internal Gateway for Windows.
Note: Kerberos authentication support for GlobalProtect is only available on Windows and can only work as long as the Kerberos Key Distribution Center (KDC) is reachable from the endpoint.
GlobalProtect SSO on Windows 8 and Windows 10
As described in the previous section, a Windows 7 or Windows Visa computer with multiple credential providers can display multiple login tiles with the same user name. Because this is confusing (one person with their name on multiple login tiles), Microsoft made changes for Windows 8 and Windows 10. Now, even if there are multiple credential providers on the Windows computer, there is just one login tile for every unique user on the system. Once a user tile is selected, if a user has multiple credential providers associated with their account, the last-used provider appears.
Figure 2: Windows 8 Login Screen
In addition, a Sign-in options link appears. Activating this link shows all the credential providers associated with the user’s account. Based on the icons shown, a user can choose which credential provider to use to log in.
Figure 3: Sign-In Options
Because of this change introduced by Microsoft, to enable GlobalProtect SSO to work users should select Sign-in-options and pick the GlobalProtect icon and log in.
The GlobalProtect login selection is remembered and GlobalProtect SSO will continue work until the user selects another credential provider from the Sign-in options.
If there are other third-party credential providers on the computer, SSO wrapping has no effect on computers running Windows 8 and Windows 10. Users must set and keep GlobalProtect as the default sign-in option.
By default, the GlobalProtect agent tries to be the selected (default) credential provider so users are not required to manually change over. However, if GlobalProtect is not the selected (default) credential provider, you can try to force GlobalProtect to be the default by following one of these 2 options:
- Modifying the value of this registry HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\SetGPCPDefault to 1. or
- Disabling or excluding other credential providers in the computer.
You could use Microsoft’s Group Policy for System Logon or Registries for CredentialProviders to exclude or disable other credential providers. Some guidelines are available in Microsoft forums here: Disable or exclude credential providers. These instructions to remove other credential providers are generic and are outside the scope GlobalProtect.
*Modifying the value of this registry HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\SetGPCPDefault has the desired effect on GlobalProtect SSO, only with GlobalProtect versions 4.0 and later.
For Windows 7 and Windows Vista
Actions you can take to ensure GlobalProtect SSO works as expected include:
- If there are other third-party credential providers that interfere with GlobalProtect, use SSO wrapping (provided by GlobalProtect) to get SSO to work.
- If the SSO wrapping approach does not help, ask customers to consider using Kerberos authentication.
For Windows 8 and Windows 10
Because changes Microsoft had made to Windows login and the credential provider framework, users have to set GlobalProtect as the default sing-in option to ensure GlobalProtect SSO works as expected. Once set, Windows stores the sign-in option. Users don’t have to set this option each time they log in. With GlobalProtect 4.0 and later, you can use SetGPCPDefault to 1 force GlobalProtect to be the default credential provider.
Helpful? Leave a thumbs up and let Siva know. Feel free to ask a question or leave a comment, too!
By Sivasekharan Rajasekaran