GlobalProtect App prompts the user for username and password on a mobile device

Created On 04/10/20 03:59 AM - Last Modified 06/17/20 02:40 AM


Symptom


  • The first time a user launches an application that requires a VPN connection on a mobile device with the GlobalProtect App installed, a notification could come up indicating "Sign-in is required".
  • The application launched by the user could become unresponsive (e.g. blank screen) until the user switches to the GlobalProtect App user interface and enters their credentials to proceed with connection establishment.
  • The application becomes responsive after the VPN connection is established.


Environment


  • GlobalProtect Gateway configured with an Authentication Profile that uses authentication services like RADIUS or LDAP
  • GlobalProtect App configured to connect to this Gateway
  • Any PAN-OS
  • Any Palo Alto Firewall


Cause


Mobile applications can behave differently based on the design and limitations of their corresponding mobile operating system.

The GlobalProtect App prompts the user for a username and password because of the authentication profile (e.g. one using RADIUS or LDAP services) selected in the Gateway configuration.

Authentication protocols like RADIUS and LDAP often require a username/password combination. The GlobalProtect App fetches this information from the user so that it can be presented to the authentication server at the backend. This behavior is by design.

Even in the rare scenario where the authentication server at the backend does not require both a username and a password, the end-user experience could also be different on a PC (Windows/Mac OS) because, with single sign-on capability, GlobalProtect would forward the username/password combination to the Firewall for backend authentication without prompting for the user's input.


Resolution


Enable "Save User Credentials" in the client authentication settings in the GlobalProtect Portal GUI: Network > GlobalProtect > Portals > (portal name) > Agent > (agent name) > Authentication. With this setting, the user only needs to enter their username/password combination one time.
