Enhancements for Authentication Using Smart Cards-Removal of Multiple PIN Prompts
| Where Can I Use This? | What Do I Need? |
| --- | --- |
| NGFW (managed by Panorama); Prisma Access (managed by Panorama or Strata Cloud Manager); Windows endpoints only | GlobalProtect Gateway license or Prisma Access license with the Mobile User subscription; GlobalProtect app version 6.3.0 or later |
When Connect Before Logon (CBL) is configured for the GlobalProtect app, users can
now authenticate with a smart card and ActivClient software without being prompted
to enter their PIN multiple times. Previously, users were required to enter the
smart card PIN multiple times—once by the Windows identity provider and again by
ActivClient—when using GlobalProtect with CBL. This enhancement eliminates redundant
prompts, allowing the GlobalProtect app to request the smart card PIN only once, via
ActivClient.
To use this feature, you must meet the following prerequisites:
- Ensure that the GlobalProtect portal is predeployed.
- Ensure that Connect Before Logon (CBL) mode is configured for the GlobalProtect app.
- Ensure that the Use Single Sign-On for Smart Card PIN (Windows) option is set to No (default value) in the app settings of the GlobalProtect portal configuration.
End users have to reenter the smart card PIN in the following scenarios, because the ActivClient software clears the PIN cache when:
- The user logs out of the system
- The user switches users on the device
- The user reboots the system
End users do not have to reenter the PIN when the system wakes up from sleep mode or
hibernation mode.