Hi Timdor,
Welcome to Centrify and thank you for your inquiry.
In reading the configuration from PaloAlto GlobalProtect, it seems that they only provide the way for certificate authentication but not smartcard authentication:
From the description you mentioned, there are actually 2 issues:
1. No PIN prompt when trying to access the vpn
2. Certificate Authentication failure (that's why the prompt will repeatedly show up)
Firstly, for the issue regarding (1), this is the process that used to "un-lock" the smartcard to allow the use of the certiicate inside. PaloAlto GlobalProtect seems only support for certificate authentication but not smartcard authentication which means they do not have any module to involve the smartcard process. You could also refer to the below page of Smartcard Express Assistant that we support for those federal, defense and first-responder communities that require smart card authentication for CAC, CAC NG, and PIV smart cards:
Secondly, for the issue regarding (2), the prompt kept poped up because of the failure of authentication. From the article I mentioned above, you may need to cross check with the configuration to see if it is configured for certificate authentication. For further help regarding the configuration, you will need to reach PaloAlto for help.
Hope this helps.
Best Regards,
Albert