dlenski / gp-saml-gui

Interactively authenticate to GlobalProtect VPNs that require SAML
GNU General Public License v3.0

Failed to obtain WebVPN cookie #65

Open TheRealIndru opened 1 year ago

TheRealIndru commented 1 year ago

Hi,

I am having exactly the same issue as here: https://github.com/dlenski/gp-saml-gui/issues/6

Problem is, the solution from that thread doesn't work for me.

Where can I find the second cookie and how exactly am I supposed to use it? Where to input it?

Output of what-vpn is

PAN GlobalProtect (portal+portal wants SAML REDIRECT)

Commands I issue that got me the furthest are:

Command 1:

    eval $( gp-saml-gui --portal --clientos=Windows gp-portal.companyserver.com )

Output:

Looking for SAML auth tags in response to https://gp-portal.companyserver.com/global-protect/prelogin.esp...
Got SAML REDIRECT, opening browser...
[PAGE   ] Finished loading page ##Censored URL
[PAGE   ] Finished loading page https://login.microsoftonline.com/92e84ceb-fbfd-47ab-be52-080c6b87953f/login
[PAGE   ] Finished loading page https://login.microsoftonline.com/common/SAS/ProcessAuth
[PAGE   ] Finished loading page https://gp-portal.companyserver.com/SAML20/SP/ACS
[SAML   ] Got SAML result headers: {'saml-username': 'myusername', 'prelogin-cookie': 'oBw1XGMBSt/LwN5DgZ9hGulhd5o8A4Y3DT1E8f8/dbiqpQ5+xoZKy7RMtVDN+h7P', 'saml-slo': 'no', 'saml-auth-status': '1'}
[SAML   ] Got all required SAML headers, done.
IMPORTANT: We started with SAML auth to the portal interface, but received a cookie that's often associated with the gateway interface. You should probably try both.

SAML response converted to OpenConnect command line invocation:

    echo oBw1XGMBSt/LwN5DgZ9hGulhd5o8A4Y3DT1E8f8/dbiqpQ5+xoZKy7RMtVDN+h7P |
        sudo openconnect --protocol=gp '--useragent=PAN GlobalProtect' --user=myusername --os=win --usergroup=portal:prelogin-cookie --passwd-on-stdin gp-portal.companyserver.com

SAML response converted to test-globalprotect-login.py invocation:

    test-globalprotect-login.py --user=myusername --clientos=Windows -p '' \
         https://gp-portal.companyserver.com/global-protect/getconfig.esp prelogin-cookie=oBw1XGMBSt/LwN5DgZ9hGulhd5o8A4Y3DT1E8f8/dbiqpQ5+xoZKy7RMtVDN+h7P

Command 2:

openconnect -vvv --protocol=gp '--useragent=PAN GlobalProtect' --user=myusername --os=win --usergroup=portal:prelogin-cookie --passwd-on-stdin gp-portal.companyserver.com
oBw1XGMBSt/LwN5DgZ9hGulhd5o8A4Y3DT1E8f8/dbiqpQ5+xoZKy7RMtVDN+h7P ##Cookie on line 2

Output 2:

POST https://gp-portal.companyserver.com/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
Attempting to connect to server 1.2.3.4:443 ##Dummy IP, had to censor.
Connected to 1.2.3.4:443 ##Dummy IP, had to censor.
SSL negotiation with gp-portal.companyserver.com
Connected to HTTPS on gp-portal.companyserver.com
Got HTTP response: HTTP/1.1 200 OK
Date: Mon, 24 Oct 2022 12:27:30 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 1518
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; path=/; secure; httponly
Set-Cookie: PHPSESSID=704bc0af7c423ec0110f6edcccb40e49; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (1518)
Login form: "Username: " user(TEXT)=(null), "prelogin-cookie: " prelogin-cookie(PASSWORD)
SAML login is required via REDIRECT to this URL:
    ##Removed URL for privacy purposes.
Enter login credentials
POST https://gp-portal.companyserver.com/global-protect/getconfig.esp
Got HTTP response: HTTP/1.1 200 OK
Date: Mon, 24 Oct 2022 12:27:30 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 36230
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=227b0d1bfae458f97d24350e7d19e909; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=227b0d1bfae458f97d24350e7d19e909; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=227b0d1bfae458f97d24350e7d19e909; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=227b0d1bfae458f97d24350e7d19e909; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=227b0d1bfae458f97d24350e7d19e909; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=227b0d1bfae458f97d24350e7d19e909; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=227b0d1bfae458f97d24350e7d19e909; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=227b0d1bfae458f97d24350e7d19e909; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=227b0d1bfae458f97d24350e7d19e909; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=227b0d1bfae458f97d24350e7d19e909; path=/; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (36230)
4 gateway servers available:
  Germany - Frankfurt (frankfurt-gp-companyserver.com)
  Great Britain - London (london-gp-companyserver.com)
  Spain - Madrid  (madrid-gp-companyserver.com)
  Sweden - Stockholm (stockholm-gp-companyserver.com)
Please select GlobalProtect gateway.
GATEWAY: [Germany - Frankfurt|Great Britain - London|Spain - Madrid|Sweden - Stockholm]:Great Britain - London ##I just paste the gateway here
POST https://london-gp-companyserver.com/ssl-vpn/login.esp
Attempting to connect to server 4.3.2.1:443 ##Gateway IP, censored
Connected to 4.3.2.1:443 ##Gateway IP, censored
SSL negotiation with london-gp-companyserver.com
Connected to HTTPS on london-gp-companyserver.com
Got HTTP response: HTTP/1.1 200 OK
Date: Mon, 24 Oct 2022 12:27:44 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 128
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=184f2f5f1170699f62195f44abda3714; secure; HttpOnly
Set-Cookie: PHPSESSID=184f2f5f1170699f62195f44abda3714; secure; HttpOnly
Set-Cookie: PHPSESSID=184f2f5f1170699f62195f44abda3714; secure; HttpOnly
Set-Cookie: PHPSESSID=184f2f5f1170699f62195f44abda3714; secure; HttpOnly
Set-Cookie: PHPSESSID=184f2f5f1170699f62195f44abda3714; secure; HttpOnly
Set-Cookie: PHPSESSID=184f2f5f1170699f62195f44abda3714; secure; HttpOnly
Set-Cookie: PHPSESSID=184f2f5f1170699f62195f44abda3714; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (128)
Authentication failure: Invalid username or password
Failed to obtain WebVPN cookie

Thank you!

dlenski commented 1 year ago

Good description of the problem but

Failed to obtain WebVPN cookie

… indicates that you're using a very old version of OpenConnect. This confusing message was changed in v8.20: https://gitlab.com/openconnect/openconnect/-/commit/ce8c6968f524aaa6d8387a3c63e9cdbce88f3c59

In v8.20 and newer releases, we've made a number of improvements to the GlobalProtect protocol implementation.

For your purposes, the most critical one is Pass "portal cookie" fields from GlobalProtect portal to gateway to avoid repetition of password- or SAML-based login (!199).

Please upgrade and retry.

TheRealIndru commented 1 year ago

Hi, it seems that after the update the error is: Valid client certificate is required. Failed to complete authentication.

openconnect -V output:

    OpenConnect version v9.01-0-focal2
    Using GnuTLS 3.6.13. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
    Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
    Default vpnc-script (override with --script): /usr/share/vpnc-scripts/vpnc-script

How do I pass the certificate to gp-saml-gui? Or do I pass it directly to openconnect?

dlenski commented 1 year ago

How do I pass the certificate to gp-saml-gui? Or do I pass it directly to openconnect?

You pass it directly to OpenConnect. And you can tell gp-saml-gui to pass them along as described in the README.

TheRealIndru commented 1 year ago

It seems I need some kind of private key; the certificate is not enough, as it only has the certificate + public key. Do you by any chance know how I can extract the proper private key? Where am I supposed to find it?

dlenski commented 1 year ago

It seems I need some kind of private key; the certificate is not enough, as it only has the certificate + public key. Do you by any chance know how I can extract the proper private key? Where am I supposed to find it?

Without knowing where the certificate and private key are stored… I have no idea.

Educated guess: your certificate is stored in a Windows certificate store where the private key is marked as "non-exportable", and you'll need to use a tool like mimikatz. https://gitlab.com/openconnect/openconnect/-/issues/188#note_438751439
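An added diagnostic for the two questions raised in this thread: whether the installed OpenConnect is new enough to forward the portal cookie to the gateway (v8.20, per the maintainer's reply), and whether an exported client-certificate file actually contains a private key. This is example code written for this page, not part of gp-saml-gui or OpenConnect; the sample PEM inputs are constructed, and the binary-format guess (ASN.1 SEQUENCE tag) is an assumption that only tells you to inspect the file with openssl.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample inputs (not real certificates): a cert-only export like the
# one described in the thread, and a file that also carries the private key.
CERT_ONLY = b"-----BEGIN CERTIFICATE-----\nMIIBsampleCERT==\n-----END CERTIFICATE-----\n"
CERT_AND_KEY = CERT_ONLY + b"-----BEGIN PRIVATE KEY-----\nMIIEsampleKEY==\n-----END PRIVATE KEY-----\n"

# First release whose GlobalProtect code forwards the portal cookie fields to the
# gateway (merge request !199), per the maintainer's reply in this thread.
PORTAL_COOKIE_MIN_VERSION = (8, 20)

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def parse_openconnect_version(version_output: str) -> Optional[Tuple[int, int]]:
    """(major, minor) from the 'OpenConnect version vX.YY...' line of `openconnect -V`."""
    m = re.search(r"OpenConnect version v?(\d+)\.(\d+)", version_output)
    return (int(m.group(1)), int(m.group(2))) if m else None

def supports_portal_cookie(version_output: str) -> bool:
    """True if this build carries the portal cookie through to the gateway login."""
    v = parse_openconnect_version(version_output)
    return v is not None and v >= PORTAL_COOKIE_MIN_VERSION

def classify_pem(data: bytes) -> Dict[str, object]:
    """Count certificate and private-key blocks in a client-cert file.
    A certificate alone (what a .cer export usually contains) cannot satisfy
    'Valid client certificate is required'; the matching private key is needed too."""
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        # DER and PKCS#12 both start with an ASN.1 SEQUENCE tag (0x30); inspect with openssl.
        return {"format": "binary" if data[:1] == b"\x30" else "unknown",
                "certificates": 0, "private_keys": 0, "encrypted_key": False}
    keys = [(label, body) for label, body in blocks if label.endswith(b"PRIVATE KEY")]
    encrypted = any(label.startswith(b"ENCRYPTED") or b"Proc-Type: 4,ENCRYPTED" in body
                    for label, body in keys)
    return {"format": "pem",
            "certificates": sum(1 for label, _ in blocks if label == b"CERTIFICATE"),
            "private_keys": len(keys), "encrypted_key": encrypted}

if __name__ == "__main__":
    import subprocess, sys
    out = subprocess.run(["openconnect", "-V"], capture_output=True, text=True).stdout
    print("portal cookie forwarded to gateway:", supports_portal_cookie(out))
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, classify_pem(f.read()))
```

Run it as `python3 check_gp.py client.pem` on a machine with OpenConnect installed; a result with `private_keys == 0` means the file is the certificate-only export described above.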