Troubleshooting

Configure Palo Alto Networks GlobalProtect to Address the Double-authentication Problem

Please follow these steps to remove the double authentication problem of the Palo Alto Networks VPN client. These steps require a change in the Portal and in the Gateway configuration.

Step 1 - Configure the Portal

From Palo Alto Web Management Site, go to Network → GlobalProtect → Portals and select the GlobalProtect Portal Configuration item associated with the endpoint that needs to be modified (e.g.,. pa-vpn-02).
Click on the name of the GlobalProtect item that you want to configure. The following screen will appear:
Go to the “Agent” section on the menu on the left. From the “Agents” table, click on the item you would like to configure (e.g., pa-vpn-client-02).
The following screen will appear:
From the “Authentication” tab, configure the “Authentication Override” section as follows:
Check the checkboxes next to the following items:
  • Generate cookie for authentication override
  • Accept cookie for authentication override
Set the attributes to following values as described:
  • Cookie Lifetime: “Hours” and “24”
  • Certificate to Encrypt: Select the certificate associated with the Palo Alto Networks Server (e.g., pa-vpn-server-02).
Click “OK” to save the settings.
Certificate example: The following screen shows a sample certificate for the Pa-vpn-server-02 location:
Sample Pa-vpn-server-02 certificate details:

Step 2 - Configure the Gateway

Go to Network → GlobalProtect → Gateways. Select the GlobalProtect Gateway Configuration item associated to the endpoint that you would like to configure (e.g., pa-vpn-gateway-02), and click on it:
The following screen will appear:
Go to the “Agent” section on the menu on the left. From the “Client Settings” tab, click on the item you would like to configure (e.g., pa-vpn-client-02). Then, select the “Authentication Override” tab:
From the “Authentication Override” tab, configure the following options:
Check the boxes next to the following items:
  • Generate cookie for authentication override
  • Accept cookie for authentication override
Set the attributes to the following values as described:
  • Cookie Lifetime: “Hours” and “24”
  • Certificate to Encrypt: Select the certificate associated with the Palo Alto Networks Server (e.g., pa-vpn-server-02)
Click “OK” to save the settings.
Back on the GlobalProtect Gateway Configuration screen, click on the “OK” button.

Step 3

Commit all changes using the Palo Alto Networks management portal.