Fix Autodiscover Issue after Microsoft Tenant Migration

Situation: The client just migrated one of their tenants into another one. After the migration, some Outlook profiles may have issues with Autodiscover being unable to create a new profile because of legacy registry entries.

Resolution 1:

Use ExcludeLastKnownGoodUrl to prevent Outlook from using the last known good AutoDiscover URL

Configure one of the following registry subkeys as follows:

HKEY_CURRENT_USER\Software\Microsoft\Office\<x.0>\Outlook\Autodiscover
DWORD: ExcludeLastKnownGoodUrl
Value: 1

HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\<x.0>\Outlook\Autodiscover
DWORD: ExcludeLastKnownGoodUrl
Value: 1

Note:

The <x.0> placeholder represents your version of Office (16.0 = Office 2016, Microsoft 365 and Office 2019; 15.0 = Office 2013).

When the ExcludeLastKnownGoodUrl value is set to 1, Outlook does not use the last known working AutoDiscover URL.

Resolution 2:

Search for the registry entry that is tied to the old tenant and delete it. There may be multiple identities that need to be reviewed to find the one tied to the migrated tenant.

Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Identity\Identities\xxxxx-xxxxx-xxxxxx-xxxxxx-xxxxxxxxxx_ADAL

Note:

Back up the entire registry key and all subkeys to the c:\temp folder before deleting.
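The two resolutions above as one PowerShell script (an added example, not part of the original notes). It assumes Office 16.0, that c:\temp may be used for the backup, and that it runs as the affected user with Outlook closed; the identity name passed to Remove-OfficeIdentity is whatever you identify from the listing step.

```powershell
# Added example, not from the original notes. Assumes Office 16.0 (adjust $OfficeVersion),
# runs in the affected user's session (HKCU), and Outlook is closed before changes are made.
$OfficeVersion = '16.0'
$BackupDir     = 'C:\temp'

# Resolution 1: ExcludeLastKnownGoodUrl = 1 so Outlook ignores the cached Autodiscover URL.
$autodiscoverKey = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Autodiscover"
if (-not (Test-Path $autodiscoverKey)) { New-Item -Path $autodiscoverKey -Force | Out-Null }
New-ItemProperty -Path $autodiscoverKey -Name 'ExcludeLastKnownGoodUrl' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Resolution 2, step 1: list every cached identity with all its values so the one
# tied to the old tenant can be picked out by hand (no value names are assumed here).
$identitiesKey = "HKCU:\SOFTWARE\Microsoft\Office\$OfficeVersion\Common\Identity\Identities"
Get-ChildItem -Path $identitiesKey | ForEach-Object {
    Write-Host "== $($_.PSChildName)"
    Get-ItemProperty -Path $_.PSPath | Format-List
}

# Resolution 2, step 2: export the chosen identity key (with all subkeys) to a .reg file
# in $BackupDir, and only delete it if the export succeeded. Revert with: reg import <file>
function Remove-OfficeIdentity {
    param([Parameter(Mandatory)][string]$IdentityName)
    if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
    $fullKey = "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\$OfficeVersion\Common\Identity\Identities\$IdentityName"
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup  = Join-Path $BackupDir ("Identity_{0}_{1}.reg" -f ($IdentityName -replace '[^\w-]', '_'), $stamp)
    reg.exe export $fullKey $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup)) {
        throw "Backup of $fullKey failed; nothing was deleted."
    }
    Remove-Item -Path "Registry::$fullKey" -Recurse
    Write-Host "Removed $fullKey (backup: $backup)"
}

# Usage (placeholder name from the note above; replace with the identity found in the listing):
# Remove-OfficeIdentity -IdentityName 'xxxxx-xxxxx-xxxxxx-xxxxxx-xxxxxxxxxx_ADAL'
```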

Duo Mobile app: Safari can’t open the page because the address is invalid

Situation: When a user tries to activate Duo Mobile, he gets this error message: “Safari can’t open the page because the address is invalid”

Troubleshooting:

When you activate Duo Mobile for the first time, you may receive two SMS messages. You should tap on the first one, “Welcome to Duo! To install the Duo Mobile app……”

If you haven’t installed Duo Mobile yet and tap the second message, “To activate the Duo Mobile app”, you will receive the “Safari cannot open the page because the address is invalid” message.

Otherwise, try the following.

To fix the issue with Safari on your iPhone displaying the error message “Safari can’t open the page because the address is invalid,” you can try the following troubleshooting steps:

  1. Check the internet connection: Ensure that your iPhone is connected to a stable and reliable internet connection, such as Wi-Fi or cellular data. Try loading other websites or apps to verify if the issue is specific to Safari or affecting the entire internet connection.
  2. Verify the website address: Double-check the URL or website address you are trying to access. Make sure there are no typos or errors in the URL. You can also try searching for the website through a search engine to see if it appears in the results.
  3. Clear Safari cache and website data: Go to Settings on your iPhone, scroll down and tap on “Safari.” Within the Safari settings, select “Clear History and Website Data.” This will clear any stored data and cache for Safari, which can sometimes resolve issues with invalid addresses.
  4. Restart Safari: Close the Safari app completely by double-clicking the home button (or swiping up from the bottom on iPhone X and newer models) and swiping Safari off the screen. Then, relaunch Safari and try accessing the webpage again.
  5. Restart your iPhone: Perform a restart of your iPhone by pressing and holding the power button (or the power button and volume button together on newer models) until the “Slide to power off” slider appears. Slide it to turn off your iPhone, wait for a few seconds, and then press and hold the power button again until the Apple logo appears.
  6. Update iOS: Ensure that your iPhone is running the latest version of iOS. Go to Settings, select “General,” and then tap on “Software Update.” If an update is available, follow the on-screen instructions to download and install it.
  7. Reset network settings: If the issue persists, you can try resetting the network settings on your iPhone. Go to Settings, select “General,” scroll down and tap on “Reset,” and choose “Reset Network Settings.” Note that this will remove your saved Wi-Fi networks, so you will need to reconnect to them afterward.

Imported users don’t have the Activate Duo Mobile option

Situation: After importing some users in the Duo Admin Panel, the client doesn’t see the option to activate Duo Mobile.

However, if he adds a user manually, he does see Activate Duo Mobile under Phones.

Resolution: Go to Duo Admin Panel > Users, select the affected username, then scroll down until you can see the Phones section.

After that, click the problematic phone number, scroll down to the settings and change the device Type from the user’s mobile OS type to Generic Smartphone, then save.

Once you change the type of the user’s device, you should be able to send them a Duo activation link.


Email stays in the Outlook Outbox for a long time

If your emails are getting stuck in the Outbox folder in Microsoft Outlook, there are several troubleshooting steps you can try to resolve the issue:

  1. Check your internet connection: Ensure that you have a stable and active internet connection. Poor or intermittent connectivity can prevent emails from being sent.
  2. Review email settings: Verify that your email account settings in Outlook are correctly configured. Check the server settings, ports, and authentication settings to ensure they match the requirements of your email provider. You may need to contact your email service provider for the correct settings.
  3. Clear the Outbox: Sometimes, a corrupted email or attachment can cause emails to get stuck in the Outbox. Clearing the Outbox folder can help resolve this issue. Right-click on the Outbox folder and select “Empty Folder” or “Delete All”.
  4. Disable add-ins: Add-ins in Outlook can sometimes interfere with the sending of emails. Try disabling any recently installed or suspicious add-ins to see if it resolves the problem. You can access the add-ins manager in Outlook’s settings or options menu.
  5. Send/Receive manually: Instead of relying on automatic send/receive intervals, try manually sending the email. Click on the “Send/Receive” tab in the Outlook ribbon and then click “Send All” or press F9 to initiate a manual send/receive.
  6. Check email size and attachments: Large attachments or emails with extensive content may take longer to send. If you’re sending large files, consider compressing them into a zip file or using cloud storage services for sharing links instead.
  7. Update Outlook: Ensure that you have the latest updates installed for Microsoft Outlook. Updates often include bug fixes and improvements that can resolve issues like emails getting stuck in the Outbox.
  8. Temporarily disable antivirus/firewall: In some cases, security software or firewalls can interfere with email sending. Temporarily disabling these programs can help determine if they are the cause of the issue.

Fix: DUO MFA approval popup appears twice on GlobalProtect login

Q: We configured a PA 850 firewall to use DUO for GlobalProtect MFA. It works. However, we have an issue. In GlobalProtect Gateway Configuration > Agent > Client Settings, if I add a user, for example blin, it works fine. If I add an AD OU, for example Employees, the login user will get the DUO approval popup twice.


From the DUO Authentication, I can see two Granted.


Why does it work if I add users manually one by one, but pop up two MFA approvals if I add the group or OU to the Gateways?

Troubleshooting: If you configure DUO MFA on both the Portal and the Gateway, you may want to enable authentication override cookies to avoid the double prompt.

To resolve this matter, please follow the step-by-step instructions provided below:

  1. Go to Network > GlobalProtect > Gateways.
  2. Locate the Gateway Profile and click on “Agent,” followed by “Client Settings.”
  3. Select the “End Users Agent” and navigate to the “Authentication override” tab.
  4. Ensure that both the “Generate cookie for authentication override” and “Accept cookie for authentication override” options are checked.
  5. By default, the “Cookie Lifetime” is set to 8. Please verify this value and make adjustments if necessary.
  6. Finally, select a “Certificate to Encrypt/Decrypt Cookie.”
  7. Click OK and then Commit.

This is from PA support:

Please note that these changes need to be implemented on both the DUO MF VPN and End Users agents:

1. Navigated to: Network > GlobalProtect > Portals > Agent > Authentication.
2. Set the “Save User Credentials” option to “yes” per your request.
3. Verified that “Generate cookie for authentication override” is enabled under Authentication Override, while “Accept cookie for authentication override” is disabled.
4. Selected the certificate profile.
5. Adjusted the cookie lifetime to expire in 7 days.

Regarding the gateway, we made the following modifications:

1. Accessed: Network > GlobalProtect > Gateways > Agent > Client Settings > Authentication Override.
2. Ensured that “Generate cookie for authentication override” is disabled, and “Accept cookie for authentication override” is enabled.

Palo Alto Firewall Authentication Sequence problem

I configured DUO Proxy for GlobalProtect MFA redundancy on our PA 850 firewall using an Authentication Sequence. This post shows how I configured it: Configure two duo proxy servers for Palo alto firewall MFA redundancy – Net/PC How to (howtonetworki…

The problem I have is that when the top Authentication profile or DUO Proxy server is down, the user can’t log in to GlobalProtect. The DUO Proxy server and PA authentication profile are not the issue because I can run the test command successfully.

test authentication authentication-profile <authentication-profile-name> username <username> password

Also, if I move the second profile (DUO Authentication-2 in my example) to the top, it works.


The problem is that if the top authentication DUO proxy server (DUO Authentication-2) is down, no one can log in. MONITOR>Logs>System doesn’t have any authentication information. If I move the second authentication profile (DUO Authentication in my example) to the top, then it works again. I think it is an Authentication Sequence problem but I can’t figure out how to fix it.

Troubleshooting:

By default, GlobalProtect’s timeout is 30 seconds. If you set up a timeout of 30 seconds x 3 retries on the RADIUS server profile, the Authentication Sequence may not work or may time out: with the first Duo proxy down, the firewall spends up to 90 seconds on that profile before it falls back to the next one, and by then the GlobalProtect client has already given up.

You’ll need to adjust things a bit to account for the delay being introduced by the authentication sequence and the down host. This setting works for us.

On the first RADIUS Profile

On the second RADIUS Profile.

Please refer to this document:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBufCAG&lang=en_US%E2%80%A…


Can’t log in to GlobalProtect and Monitor > Traffic doesn’t show any info

Situation: Some of the client’s users can’t log in to GlobalProtect. When checking Monitor > Logs > Traffic, they don’t see any of the users’ access information.

Troubleshooting: For troubleshooting VPN issues, it is better to check Monitor > Logs > System instead of Traffic, since a failed login never produces a traffic session. This post may help:

Can’t login GloablProtect with User is not in allowlist


Palo Alto Firewall blocks downloading files from Dropbox with these errors: “something went wrong” or “There was an error downloading your file”

Problem: We have a PA-440 firewall. We have added dropbox.com to OBJECTS > Custom Objects > URL Category and can log in to Dropbox. However, we can’t download files, and get these errors: “.pdf files are supported but something went wrong” or “There was an error downloading your file”.

Troubleshooting:

  1. Log in to the PA firewall.
  2. Go to MONITOR > Logs > URL Filtering.
  3. Filter on the source IP address, for our example ( addr.src in 192.168.10.10 ).
  4. We can see ACTION block-url and the blocked URL, for example previews.dropbox.com.
  5. After we add previews.dropbox.com/ and consent.dropbox.com/ to the custom URL category, we can download files from Dropbox.

Note: Dropbox uses a mix of random URLs and includes content from multiple domains. Here are some examples:

dropbox.com/
*.dropbox.com/
dropboxapi.com/
*.dropboxapi.com/
getdropbox.com/
*.getdropbox.com/
dropboxstatic.com/
*.dropboxstatic.com/
dropboxcaptcha.com/
*.dropboxcaptcha.com/

So, the best resolution is configuring a security rule. Please refer to this post:

Create a Policy to allow accessing Dropbox on PA Firewall