I'm trying to configure SmartCart(PIV) authentication for our Palo Alto GlobalProtect VPN client on our Mac laptops. We are currently able to successfully use our PIV readers and SmartCards with Centrify Express to authenticate to different services through the Safari so I know Centrify Express is, at least, installed and configured somehwat correclty.
The issue that we have is that when the GlobalProtect client prompts for a cert to use for authentication, we are never prompted to enter a PIN. Instead, we are repeatedly prompted to pick which cert on the SmartCard we want to use and after selecting a cert we are prompted again. This process repeats indefinitely until the process is cancled instead of selecting a cert.I know that the system is able to read the SmartCard as the only certs that show are the ones I know to be on the SmartCard but I'm not sure why I do not get prompted to enter a PIN. I've worked with PaloAlto support which has informed me that they do not make calls for the certs/PIN and that's handled by a 'middle man' which in our case is Centrify.
Has anyone had success using Centrify Express for Smart Cards on their Mac for VPN authentication via a client and not web browser? More specifically, has anyone been able to configure this for use with Palo Alto's GlobalProtect VPN? Lastly, is the information Palo Alto support is providing correct regarding 'middle man' handling of certs?
macOS version: 10.12.3
Centrify Express for Smart Card version: 5.3.3
GlobalProtect Client version: 3.1.3-21