Forum Discussion

Perschall2022
10 months ago

Need help with prelogin Intune deployment

Hello, 

I need to understand how to get prelogin to work for my environment so users can sign in when off the network.

We are deploying devices from Intune using the enrollment status page. So it gets deployed to them, they turn it on and it Autopilots from there.

  1. The Cato SDP client is being deployed with PatchMyPC and has a script in place with that for the required registry keys. 
  2. The certificates are being deployed inside of a Win32 Intune .intunewin file with a script to install the certificate. 

Script for the certificate (yes, it is a password-protected .pfx file; we do not have a certificate authority; this did work for prelogin on my device):

# Imports the password-protected PFX into the current user's personal certificate store
Import-PfxCertificate -FilePath .\Catoprelogin.pfx -Password (ConvertTo-SecureString -String 'mypassword' -AsPlainText -Force) -CertStoreLocation Cert:\CurrentUser\My

All of this was successfully installed; what could I be missing? 

The certificate is an SSL certificate and I confirmed that it worked prior to the Autopilot on my personal work computer without Autopiloting it. 

Does anyone have advice or suggestions on how to set up the Intune Autopilot profile, enrollment status page, or any of the above to make this work? Whether it is deploying the cert a different way or deploying the certificate with the Cato client application install. 

Thanks, 

5 Replies

  • Hi,

    We have hybrid domain join working with Intune AutoPilot. This configuration includes a Certificate Authority and we deploy certificates from that CA to newly deployed devices using NDES and SCEP. We recently moved from the Windows-based Always-On VPN client to the Cato SDP Client. We just leveraged the existing setup and it works like a charm. No user interaction is needed for deployment and domain joins, etc. So, this is where I'm coming from. 

    Anyway, some things that might be useful to you:

    • We're storing the certificate in the Cert:\LocalMachine\My store, because we use device-based connections. But I guess you want user-based authentication, so Cert:\CurrentUser\My should be fine.
    • Make sure that the .pfx / PKCS#12 certificate is trusted -> This is important. Which service signed the cert? 
    • If you need access to any on-prem resources, make sure you have those configured in Access / Client Access / Pre Login. If you are doing a hybrid domain join, you need at least a line-of-sight to your domain controllers.
    • In the Registry, add PreLogin = 1 as a DWORD and your subdomain as a STRING. You only need your Cato subdomain, no need to add ".via.catonetworks.com". 
    • The only modification we've made to our ESP is that the Cato client has to be installed before the device can be used. The required Registry keys are deployed using the Intune Platform Scripts feature.
    • We haven't made any changes to our deployment profiles. 

    I don't know enough about your environment, so I assumed a few things. ;-) 

    Hope this helps. 

    Regards,

    Erwin G.

  • I just want to echo Erwin's response regarding installing the certificate for Pre-Login in the LocalMachine store, not the store of the CurrentUser.

    Because Pre-Login is authenticating the machine (specifically not a logged-in user), the Client looks in the LocalMachine store for certificates matching the signing certificate uploaded in CMA.

  • Fingers crossed someone here can help me w/ getting pre login working for Entra Autopilot Hybrid Joining. The big pre-req for hybrid joining thru Autopilot is line of sight to the DC and I had been hoping to get that thru the Pre Login feature of the Cato client. Pre Login is tested and working on already domain-joined machines, and works even if a Cato user hasn't been added to the client yet. Here's what I've been able to accomplish so far:

    • Cato client installed on workstation as a line of business app.
    • Device cert, root cert and intermediate cert from our domain CA pushed to Cert:\LocalMachine\.
      • Trust path verified thru Certificate Manager
    • PreLogin and Subdomain registry keys pushed thru a PowerShell platform script and confirmed on device
    • I can ping sso.ias.catonetworks.com from the device, and if I launch the Cato Client it opens up but just sits at disconnected. I would expect it to see the reg keys, verify the certs, and then move to the limited access stage.
    • BrianI

      I've found that once the Cato Client is installed, if I restart the CatoNetworksVPNService it will move to the limited connectivity phase, which is what I need for line of sight to the DC. Now I just need to figure out how to make sure Cato is installed and the service gets restarted before the Offline Domain Join portion of Autopilot times out.

      • ErwinG

        Hi,

        You're deploying the Cato Registry keys using an Intune Platform Script. Since platform scripts run before the application deployment phase, you should be good there. 

        Just to verify: 

        • The Registry Path: HKLM:\SOFTWARE\CatoNetworksVPN
        • PreLogin (DWORD) with value of 1
        • Subdomain (String) with your subdomain (without .via.catonetworks.com)
        Then install the Cato client via Intune. If your architecture is correct, the Cato client should start and automatically create a connection using a device certificate. Autopilot will then perform the actual domain join during the device configuration phase. 

        A few questions:

        • Have you uploaded the root cert of your CA to the Cato portal? (Access / Client Access / Signing Certificates)
        • Have you configured the allowed destinations (IPs, IP ranges or hosts)? (Access / Client Access / Pre Login). You should have at least the IPs of the domain controller(s) for your domain in there, your CA and possibly the KMS server.
        • Do you use SCEP / NDES to deliver the device certificate to the client? The client needs a signed device certificate to authenticate and connect.
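An added example, not posted by anyone in this thread: a PowerShell check run on the device (as administrator) that verifies the prerequisites the replies list. It assumes the registry path HKLM:\SOFTWARE\CatoNetworksVPN with PreLogin (DWORD) and Subdomain (String) and the service name CatoNetworksVPNService exactly as given above; the subdomain 'contoso' is a placeholder.

```powershell
# Pre-login prerequisite check for the Cato client (added example, not Cato's or Intune's code).
$RegPath   = 'HKLM:\SOFTWARE\CatoNetworksVPN'
$Subdomain = 'contoso'   # placeholder: Cato subdomain only, without '.via.catonetworks.com'

# 1. Registry: PreLogin must be a DWORD of 1 and Subdomain a plain REG_SZ holding just the subdomain.
if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
New-ItemProperty -Path $RegPath -Name 'PreLogin'  -PropertyType DWord  -Value 1          -Force | Out-Null
New-ItemProperty -Path $RegPath -Name 'Subdomain' -PropertyType String -Value $Subdomain -Force | Out-Null
$key   = Get-ItemProperty -Path $RegPath
$regOk = ($key.PreLogin -eq 1) -and ($key.Subdomain -eq $Subdomain) -and
         ($key.Subdomain -notlike '*.via.catonetworks.com')
"Registry keys OK: $regOk"

# 2. Certificate: the client looks in LocalMachine\My before any user logs in. The store must hold a
#    certificate with a private key that is not expired and chains to a trusted root.
$certs = Get-ChildItem Cert:\LocalMachine\My |
         Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) }
if (-not $certs) { Write-Warning 'No usable device certificate in Cert:\LocalMachine\My' }
foreach ($c in $certs) {
    # Test-Certificate returns $false (and writes an error) when the chain cannot be built.
    $chainOk = Test-Certificate -Cert $c -Policy SSL -ErrorAction SilentlyContinue
    '{0,-45} expires {1:d}  chain trusted: {2}' -f $c.Subject, $c.NotAfter, [bool]$chainOk
}
# CurrentUser\My belongs to whichever account ran the import; it is not loaded at the pre-login screen.
$stray = Get-ChildItem Cert:\CurrentUser\My -ErrorAction SilentlyContinue | Where-Object HasPrivateKey
if ($stray) { Write-Warning 'Certificate with private key found in CurrentUser\My; pre-login will not use it' }
# To place a PFX in the machine store instead, use the same cmdlet with the LocalMachine location:
#   Import-PfxCertificate -FilePath .\device.pfx -Password $pw -CertStoreLocation Cert:\LocalMachine\My

# 3. Service: restart it so the client re-reads the keys and certificate (as observed by BrianI).
$svc = Get-Service -Name 'CatoNetworksVPNService' -ErrorAction SilentlyContinue
if ($svc) {
    Restart-Service -Name $svc.Name -Force
    "Service state after restart: $((Get-Service -Name $svc.Name).Status)"
} else {
    Write-Warning 'CatoNetworksVPNService not found; install the Cato client first'
}
```

Running this as a platform script (which executes as SYSTEM) is where a CurrentUser import silently lands in the wrong store, so the warning in step 2 is the check worth watching.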