We are using Duo to protect Palo Alto’s GlobalProtect VPN application and have the application configured in Duo Admin to use both SSO (SAML, Azure AD) and the new Universal Prompt. Out of about 100 clients, five of them have run into issues with the VPN connection process. When the process works, the user opens GlobalProtect, clicks ‘Connect’, approves the Duo Push notification, and sees a successful VPN connection. When the process fails, it is failing somewhere between the user clicking ‘Connect’ and Duo sending out the push notification. Each user has had a slightly different experience when it fails. Here’s what we have observed:
- a blank GlobalProtect browser window opens (where we would normally see the Duo Universal Prompt)
- a blank GlobalProtect browser window opens AND the user receives a JavaScript error.
- GlobalProtect’s browser window opens and states it cannot connect securely to this page (due to outdated or unsafe TLS security settings).
As a workaround, we have been able to resolve the issue by opening Internet Options, clicking the Advanced tab, and choosing one or more of the following:
- Restore Advanced Settings
- Restore Advanced Settings & reset Internet Explorer settings without deleting personal settings.
- Restore Advanced Settings, reset Internet Explorer settings WITH the delete personal settings checkbox checked.
Any suggestions for troubleshooting this further and determining what is broken? Can we enable any kind of debug logging with the Duo Universal Prompt or SSO service so we can see what Duo is seeing (and not liking) on these few machines?