GlobalProtect Auth Fails When Client Cert Has Special Character in Subject (common-name)

Created On 04/22/19 14:59 PM - Last Modified 06/26/20 01:04 AM


Symptom


  • GlobalProtect configured with only Certificate-Based Authentication
  • Certificate profile is configured with Username Field as Subject (Common Name)
  • When the portal login is attempted using a web browser, it prompts to select the client cert.
  • Upon selecting the correct cert, it prompts "Valid Client certificate is required".
  • Certificate with Common Name without a special character works fine
  • A client machine installed with a client cert whose Common Name contains a special character fails to connect with the error below:
Connection Failed: The server certificate is invalid. Please contact your administrator

  • Checking appweb3-sslvpn.log (located under var > log > pan > appweb3-sslvpn.log in the tech support file) reveals the following log entries (When
Note: In this example, the client certificate has common name "support+it".
2020-06-25 17:34:32.824 -0700 Error:  sslvpn_field_filter_check(sslvpn_field_filter.c:183): sslvpn user input for user-name is not allowed (support+it).
2020-06-25 17:34:32.824 -0700 Error:  panGlobalProtectPreLogin(panPhpGlobalProtect.c:1597): panGlobalProtectPreLogin error: cert_present: no 


Environment


  • GlobalProtect configured with only Certificate Based Authentication.
  • Certificate Profile is configured with Username Field as Subject (Common Name).


Cause


  1. Active Directory user and group names cannot contain any of the following characters: / \ [ ] : ; | = , + * ? < > ".
  2. Such names cannot be supported in the client cert subject when certificate-only authentication is configured, because the username is taken from the Common Name.


Resolution


  1. Do not use a client certificate whose Common Name contains any of the special characters / \ [ ] : ; | = , + * ? < > ", as they are not supported.
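A pre-issuance check an administrator can run on candidate Common Names, plus a scan of appweb3-sslvpn.log for the rejection entry shown under Symptom. This is an added example, not code from the article or from Palo Alto Networks; it assumes the character set listed in Cause and the log line format shown above, and the sample log lines are constructed from that entry.

```python
import re

# Characters Active Directory does not allow in user/group names; the
# GlobalProtect username filter rejects them when the username is taken
# from the certificate Subject Common Name (set taken from the article).
DISALLOWED_CN_CHARS = frozenset('/\\[]:;|=,+*?<>"')


def unsupported_cn_chars(common_name: str) -> list:
    """Return the disallowed characters present in a CN, in order of first appearance."""
    found = []
    for ch in common_name:
        if ch in DISALLOWED_CN_CHARS and ch not in found:
            found.append(ch)
    return found


def cn_is_supported(common_name: str) -> bool:
    """True when the CN is safe to use as the GlobalProtect username field."""
    return not unsupported_cn_chars(common_name)


# Matches the sslvpn_field_filter_check error line from appweb3-sslvpn.log
# (timestamp, source location, rejected field name and the rejected value).
LOG_PATTERN = re.compile(
    r'^(?P<ts>\S+ \S+ [+-]\d{4}) Error:\s+sslvpn_field_filter_check\([^)]*\): '
    r'sslvpn user input for (?P<field>[\w-]+) is not allowed \((?P<value>.*)\)\.$'
)


def find_rejected_usernames(log_text: str) -> list:
    """Scan log text and report each rejected value with its offending characters."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_PATTERN.match(line.strip())
        if m:
            hits.append({"ts": m.group("ts"), "field": m.group("field"),
                         "value": m.group("value"),
                         "bad_chars": unsupported_cn_chars(m.group("value"))})
    return hits


# Constructed sample: the rejection line from the article plus an unrelated line.
SAMPLE_LOG = """\
2020-06-25 17:34:32.824 -0700 Error:  sslvpn_field_filter_check(sslvpn_field_filter.c:183): sslvpn user input for user-name is not allowed (support+it).
2020-06-25 17:34:32.824 -0700 Error:  panGlobalProtectPreLogin(panPhpGlobalProtect.c:1597): panGlobalProtectPreLogin error: cert_present: no
"""

if __name__ == "__main__":
    for cn in ("support+it", "support-it"):
        print(cn, "->", "ok" if cn_is_supported(cn) else unsupported_cn_chars(cn))
    print(find_rejected_usernames(SAMPLE_LOG))
```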


https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PLhx&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkCSArticleDetail