Troubleshooting

Configure Palo Alto Networks GlobalProtect to Address the Double-authentication Problem

Please follow these steps to remove the double authentication problem of the Palo Alto Networks VPN client. These steps require a change in the Portal and in the Gateway configuration.

Step 1 - Configure the Portal

From Palo Alto Web Management Site, go to Network โ†’ GlobalProtect โ†’ Portals and select the GlobalProtect Portal Configuration item associated with the endpoint that needs to be modified (e.g.,. pa-vpn-02).
Click on the name of the GlobalProtect item that you want to configure. The following screen will appear:
Go to the โ€œAgentโ€ section on the menu on the left. From the โ€œAgentsโ€ table, click on the item you would like to configure (e.g., pa-vpn-client-02).
The following screen will appear:
From the โ€œAuthenticationโ€ tab, configure the โ€œAuthentication Overrideโ€ section as follows:
Check the checkboxes next to the following items:
  • Generate cookie for authentication override
  • Accept cookie for authentication override
Set the attributes to following values as described:
  • Cookie Lifetime: โ€œHoursโ€ and โ€œ24โ€
  • Certificate to Encrypt: Select the certificate associated with the Palo Alto Networks Server (e.g., pa-vpn-server-02).
Click โ€œOKโ€ to save the settings.
Certificate example: The following screen shows a sample certificate for the Pa-vpn-server-02 location:
Sample Pa-vpn-server-02 certificate details:

Step 2 - Configure the Gateway

Go to Network โ†’ GlobalProtect โ†’ Gateways. Select the GlobalProtect Gateway Configuration item associated to the endpoint that you would like to configure (e.g., pa-vpn-gateway-02), and click on it:
The following screen will appear:
Go to the โ€œAgentโ€ section on the menu on the left. From the โ€œClient Settingsโ€ tab, click on the item you would like to configure (e.g., pa-vpn-client-02). Then, select the โ€œAuthentication Overrideโ€ tab:
From the โ€œAuthentication Overrideโ€ tab, configure the following options:
Check the boxes next to the following items:
  • Generate cookie for authentication override
  • Accept cookie for authentication override
Set the attributes to the following values as described:
  • Cookie Lifetime: โ€œHoursโ€ and โ€œ24โ€
  • Certificate to Encrypt: Select the certificate associated with the Palo Alto Networks Server (e.g., pa-vpn-server-02)
Click โ€œOKโ€ to save the settings.
Back on the GlobalProtect Gateway Configuration screen, click on the โ€œOKโ€ button.

Step 3

Commit all changes using the Palo Alto Networks management portal.