GlobalProtect Auth Fails When Client Cert Has Special Character in Subject (common-name)
Created On 04/22/19 14:59 PM - Last Modified 06/26/20 01:04 AM
Symptom
- GlobalProtect configured with only Certificate-Based Authentication
- Certificate profile is configured with Username Field as Subject (Common Name)
- When a portal login is attempted from a web browser, the user is prompted to select the client certificate.
- Upon selecting the correct certificate, the portal responds with "Valid Client certificate is required".
- A certificate whose Common Name contains no special character works fine.
- A client machine with a client certificate whose Common Name contains a special character fails to connect with the error below:
Connection Failed: The server certificate is invalid. Please contact your administrator
- Checking appweb3-sslvpn.log (located under var > log > pan in the tech support file) will reveal the log entries below. (When
Note: In this example, the client certificate has the common name "support+it".
2020-06-25 17:34:32.824 -0700 Error: sslvpn_field_filter_check(sslvpn_field_filter.c:183): sslvpn user input for user-name is not allowed (support+it).
2020-06-25 17:34:32.824 -0700 Error: panGlobalProtectPreLogin(panPhpGlobalProtect.c:1597): panGlobalProtectPreLogin error: cert_present: no
Environment
- GlobalProtect configured with only Certificate-Based Authentication.
- Certificate Profile is configured with Username Field as Subject (Common Name).
Cause
- Active Directory user and group names cannot contain any of the following characters: / \ [ ] : ; | = , + * ? < > "
- When certificate-only authentication is configured, the username is taken from the certificate's Subject (Common Name), so these characters cannot be supported in the client certificate's common name.
Resolution
- Do not use a client certificate whose common name contains any of the special characters / \ [ ] : ; | = , + * ? < > ", as they are not supported.
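As an added example (not part of the original article or of PAN-OS), the script below applies the forbidden-character set from the Cause section to a certificate's CN before the certificate is issued, and pulls rejected usernames out of appweb3-sslvpn.log lines of the shape quoted in the Symptom section. The RFC 4514 DN parser and the log regular expression are my own constructions, not PAN-OS internals.

```python
import re
from typing import List, Optional

# Characters Active Directory forbids in user and group names (the set listed in the
# Cause section). With certificate-only GlobalProtect auth the CN becomes the
# username, so a CN containing any of them is rejected by sslvpn_field_filter_check.
FORBIDDEN_CN_CHARS = frozenset('/\\[]:;|=,+*?<>"')

# Constructed pattern matching the appweb3-sslvpn.log error line quoted in the article.
FILTER_REJECT_RE = re.compile(
    r"sslvpn_field_filter_check\([^)]*\): sslvpn user input for user-name "
    r"is not allowed \((.+)\)\.?\s*$"
)

def parse_rfc4514_cn(dn: str) -> Optional[str]:
    """Return the CN of an RFC 4514 DN such as 'CN=support+it,OU=IT,O=Example'.
    Splits only on unescaped commas and unescapes backslash-quoted characters,
    so a CN like 'smith\\, john' is recovered intact (with its forbidden comma)."""
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.strip().partition("=")
        if sep and attr.strip().upper() == "CN":
            return re.sub(r"\\(.)", r"\1", value.strip())
    return None

def forbidden_chars_in_cn(common_name: str) -> List[str]:
    """Distinct forbidden characters present in a CN, in order of first appearance."""
    found: List[str] = []
    for ch in common_name:
        if ch in FORBIDDEN_CN_CHARS and ch not in found:
            found.append(ch)
    return found

def rejected_usernames(log_lines: List[str]) -> List[str]:
    """Usernames that appweb3-sslvpn.log reports as rejected by the field filter."""
    return [m.group(1) for line in log_lines if (m := FILTER_REJECT_RE.search(line))]

# Constructed sample: the two log lines from the article's Symptom section.
SAMPLE_LOG = [
    "2020-06-25 17:34:32.824 -0700 Error: sslvpn_field_filter_check(sslvpn_field_filter.c:183): "
    "sslvpn user input for user-name is not allowed (support+it).",
    "2020-06-25 17:34:32.824 -0700 Error: panGlobalProtectPreLogin(panPhpGlobalProtect.c:1597): "
    "panGlobalProtectPreLogin error: cert_present: no",
]

if __name__ == "__main__":
    for dn in ["CN=jsmith,OU=IT,O=Example", "CN=support+it,OU=IT,O=Example", r"CN=smith\, john,O=Example"]:
        cn = parse_rfc4514_cn(dn)
        bad = forbidden_chars_in_cn(cn or "")
        print(f"{cn!r}: {'OK' if not bad else 'REJECTED, forbidden ' + ''.join(bad)}")
    print("rejected per log:", rejected_usernames(SAMPLE_LOG))
```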