Why GlobalProtect Credential Provider (CP) is the default sign-in option just after the GlobalProtect Install

Why GlobalProtect Credential Provider (CP) is the default sign-in option just after the GlobalProtect Install

14139
Created On 11/06/19 21:27 PM - Last Modified 11/07/19 02:23 AM


Question
Why GlobalProtect Credential Provider (CP) is the default sign-in option just after the GlobalProtect Install?

GlobalProtect CP is default sign-in option


Environment
  • Palo Alto Firewall.
  • PAN-OS 8.0 and above.
  • GlobalProtect App/Agent 4.0. and above.


Answer

SSO is widely deployed in Windows environment, therefore, GlobalProtect Credential Provider (CP) is the default sign-in option just after the GP installment. SSO will fail if GlobalProtect CP is not selected by default after installation.

  • The behavior is controlled by HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\IsGPCPFirstTime registry key which is set to 1 by default.

IsGPCPFirstTime=1 (Default)

  • After the first login, the HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\IsGPCPFirstTime registry key is automatically set to 0.

 

IsGPCPFirstTime=0 (After first login)


In case the GP CP does not need to be in the default selection immediately after installation, the HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\IsGPCPFirstTime registry key needs to be set to 0 immediately after GP installation. 

 



Additional Information
NOTE: Generally, changing the registry key is Windows OS function and can be achieved in different ways, please use the method that suits your environment.

Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PNMr&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkCSArticleDetail

Attachments