Author: Bob Lin

Situation: The client sends a new Laptop to their new user. However, the user can’t login preset domain credentials because the password (we test it by login office.com and local network PC).

Troubleshooting: We need to reset password and re-sync the laptop with the DC with VPN.

1. Login local admin account on the laptop.
2. Establish the VPN to connect to the Office DC.
3. To test and force the new password to sync, you can use net use command, for example net use \\sharedservername. Then enter the username and password. If it is successful, you are good to login remotely.

In a case, you can’t login PA firewall because the MFA doesn’t work. What can you do or how do you disable MFA?

Resolution 1: Disable or change Authentication Profile on PA Firewall

1. Login PA Firewall from a back door (a local user without MFA enabled account).
2. Go to DEVICE>Administration. Disable or change the Authentication Profile?

Resolution 2:  Disable MFA (multi-factor authentication) and 2FA (two-factor authentication) on your security app or access tools

In this post we use DUO as example.

1. Login duo.com
2. Click Users on the left pane.

3.  Click on the user who has a problem to login PA firewall.

4. Switch from Active to Bypass.

5. Click Save Change. Now, try to login again.

Situation: After client configures DUO MFA on their Palo Alto Firewall, one of users has a problem to login the firewall with this message:

Failed authentication for user ‘username’.
Reason: Invalid username/password. auth profile
‘DUO Authentication’, vsys ‘shared’, server profile
‘DUO Radius Profile’, server address ‘10.0.0.11’,
auth protocol ‘PAP’, reply message
‘Invalid username or password’ From: 10.0.0.11.

Troubleshooting: Make sure Duo Mobile app is not deactivated. Also make sure the account of DUO-PROTECTED had not been disabled on the DUO app.

Please refer to this post:

• Fixing Palo Alto Firewall Authentication Issues: Timeout

Also please refer to this post:

• How to install or Activate DUO app

Situation: The client just configures MFA for their PA 850 Firewall and test works. However, they can’t login with timeout message:

Troubleshooting: in most cases, this is an authentication server is inaccessible issue. When we check DUO status, we find it was denied because of Location Unknow.

For a temporary solution, we enable Bypass on the DUO website.

Then we find the problem is the DUO app Notification was off. After turning it on, we can login PA 850 without any issues.

Online research suggestion it could be the Duo Mobile app to deactivate. Also make sure the account of DUO-PROTECTED had not been disabled on the DUO app.

Please refer to this post:

• How to install or Activate DUO app

Situation: The client has an error on their certification settings.

Resolution. Install the CA Root certification in the Trusted Root Certification Authorities store.

1. Click on Install Certificate….
2. Check Local Machine and then Next.

3.  Check Place all certificates in the following store and browse to Trusted Root Certification Authorities.

4. Click on Finish to Complete the Certificate Import Wizard.

5. make sure the CA Root certificate is listed in Trusted Root Certification. 

6. Double click it to make sure no more errors.

Situation: When accessing ADFS SSO website, for example https://ADFS.chicagotech.net/adfs/ls/IdpInitiatedSignon.aspx, you may receive this message:

SSO

An error occurred

The resource you are trying to access is not available. Contact your administrator for more information.

Error details

• Activity ID: 42cb00xxxxxxxxxxxxxxxx
• Error details: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
• Node name: 53709axxxxxxxxxxxxxxx
• Error time: Tue, 03 Jan 2023 17:36:52 GMT
• Cookie: enabled
• User agent string: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.46.

Troubleshooting:

Case 1: IdpInitiatedSignonpage could be disabled. Try this PowerShell command:

Set-AdfsProperties -EnableIdpInitiatedSignonpage $True

Case 2: Also check the certification for any errors. in our example, The CA Root certificate is not trusted.

Please refer to this post:

• Fixing This CA Root certification is not trusted

In a case, the Windows doesn’t work or crash, you may want to run this command line to Reset PC: systemreset.exe. 

Situation: In some cases, you may want to recovery a crashed Windows OS. You may have many options to do so.

1. Normally, you can go to Settings>System>Recovery>Reset this PC>Reset PC.

However, in many situations, you may not be able to do that because the Windows Freezes or keyboard/mouse doesn’t work, or nothing is running.

2. With the device is powered off, press and hold the Windows Key and press the power button. Then release both keys.

3. If you can login, click the Power Button icon while hold the SHIFT Key and click Restart.

4. If you can access the Desktop, select Start>Power, and then press and hold Shift key while clicking Restart.

5. At the command prompt, run the Shutdown /r /o command.

6. Run this command: systemreset.exe

7. Boot from DVD or USB Recovery Media

1) Insert the recovery media into a USB port or a DVD drive, depending on the format you used to create the recovery media.

2) Power the computer off.

3) Power the computer on. At the Dell logo screen, tap the F12 key several times until you see Preparing one time boot menu in the top-right corner of the screen.

4) At the boot menu, select the device under UEFI BOOT that matches your media type (USB or DVD).

If you have a problem to run System Restore using GUI, you can try command: rstrui.exe from the Task Manager.

Situation: After committing a new configuration on PA 440 firewall, the client loses the Internet connection.

Troubleshooting:

1. Cannot ping the firewall default gateway IP address.
2. Still can access the Management IP. Go to DEVIC,>Operation, select Revert to last saved configuration or Load named configuration snapshot.