No automatic client reconnection with SSO authentication

ebu · April 21, 2026, 6:59am

Hello,
We are currently looking at changing our Pritunl VPN servers from certificate-based authentication to Azure Entra SSO authentication.
The configuration works without any issues, and we are able to authenticate successfully to the VPN using SSO.
The problem we are facing is the following: previously, with certificate-based authentication, when we added a route on the server, we need to stop the pritunl server and start it after we added the route, all the clients reconnect automatically on the pritunl server. Even if the server was restarted, adding a route was barely noticeable for users.
Now, with the SSO configuration, if I restart the server using the button in the web interface, I get the following messages on the client side:

Connection timed out on Pritunl_server_name (username)
Failed to authenticate to Pritunl_server_name (username)

After that, I am disconnected from my Pritunl client.
I also tested with the ‘Pritunl Authentication Cache’ option enabled, but I observe the same behavior.

After this disconnection, I can reconnect without any issue by simply clicking the Connect button in the Pritunl client.
My question is therefore: is it possible for clients to reconnect automatically when the SSO / Azure Entra authentication is enabled?

Thanks for your time and your work…

Eric

zach · April 22, 2026, 3:40pm

Check the logs in the top right of the server web console for the authentication failure reason. The cache token can expire and will not remain after the client system restarts.

ebu · April 27, 2026, 2:48pm

Sorry for the delay, I had to run additional tests and noticed something strange.

When I click the Restart Server button (between Settings and Stop Server), I get the following message on the client:
Connection timed out on Pritunl_server_name (username)
Failed to authenticate to Pritunl_server_name (username)

At the same time, I see these logs in the top-right corner of the web console:
[server_name3][2026-04-27 14:21:14,128][INFO] Starting vpn server
server_id = “”
instance_id = “”
instances =
instances_count = 0
route_count = 3
network = “ipv4/16”
network6 = “ipv6/64”
ovpn_dco = false
dynamic_firewall = false
bypass_sso_auth = false
geo_sort = false
force_connect = false
sso_auth = true
route_dns = false
device_auth = false
host_id = “id_server_name3”
host_address = “ip_server_name3”
host_address6 = “ipv6_server_name3”
host_networks = [“host_network”]
cur_timestamp = “2026-04-27 14:21:14.127797”
libipt = false
[server_name3][2026-04-27 14:21:14,142][WARNING] Stopping duplicate instance, check date time sync
server_id = “”
instance_id = “69ef6f9d95cb03ff428a98a2”
[server_name4][2026-04-27 14:21:14,275][INFO] Starting vpn server
server_id = “”
instance_id = “69ef70da342fde39bc6428fa”
instances = [{“instance_id”: “”, “host_id”: “id_server_name3”, “ping_timestamp”: “2026-04-27 14:21:44.119000”}]
instances_count = 1
route_count = 3
network = “ipv4/16”
network6 = “ipv6/64”
ovpn_dco = false
dynamic_firewall = false
bypass_sso_auth = false
geo_sort = false
force_connect = false
sso_auth = true
route_dns = false
device_auth = false
host_id = “id_server_name4”
host_address = “ip_server_name4”
host_address6 = “ipv6_server_name4”
host_networks = [“host_network”]
cur_timestamp = “2026-04-27 14:21:14.275010”
libipt = false
[server_name4][2026-04-27 14:21:14,310][WARNING] Stopping duplicate instance, check date time sync
server_id = “”
instance_id = “69ef6f9d342fde39bc642072”
[server_name3][2026-04-27 14:21:22,325][INFO] Authenticating user
user_name = “username”
factors = [“azure”]

After this, the client never reconnects automatically.

If I manually click Connect in the Pritunl client, the following appears in the logs:

[server_name3][2026-04-27 14:22:19,204][INFO] Authenticating user
user_name = “username”
factors = [“azure”]
[server_name3][2026-04-27 14:22:19,213][INFO] Client authentication with sso token
user_name = “username”
org_name = “org_name”
server_name = “Pritunl_server_name”
[server_name3][2026-04-27 14:22:19,214][INFO] Client sso authentication, skipping password
user_name = “username”
org_name = “org_name”
server_name = “Pritunl_server_name”
[server_name3][2026-04-27 14:22:20,415][INFO] Storing authentication cache token
user_name = “username”
factors = [“azure”]
[server_name4][2026-04-27 14:22:21,303][INFO] Authenticating user
user_name = “username”
factors = [“azure”]
[server_name4][2026-04-27 14:22:21,309][INFO] Client authentication with sso token
user_name = “username”
org_name = “org_name”
server_name = “Pritunl_server_name”
[server_name4][2026-04-27 14:22:21,310][INFO] Client sso authentication, skipping password
user_name = “username”
org_name = “org_name”
server_name = “Pritunl_server_name”

BUT, If I click Stop Server (between Restart Server and Delete Server), I only get this on the client:

Connection timed out on Pritunl_server_name (username)

The client status stays stuck on “Connecting”, and no logs appear at all in the web console.

When I click Start Server, the Pritunl client briefly shows:
Failed to connect to Pritunl_server_name (username)
However, immediately after that, the connection is actually successful.

Relevant logs:

[server_name4][2026-04-27 14:24:03,376][INFO] Starting vpn server
server_id = “”
instance_id = “”
instances =
instances_count = 0
route_count = 3
network = “ip/16”
network6 = “ipv6/64”
ovpn_dco = false
dynamic_firewall = false
bypass_sso_auth = false
geo_sort = false
force_connect = false
sso_auth = true
route_dns = false
device_auth = false
host_id = “id_server_name4”
host_address = “ip_server_name4”
host_address6 = “ipv6_server_name4”
host_networks = [“host_network”]
cur_timestamp = “2026-04-27 14:24:03.374531”
libipt = false
[server_name3][2026-04-27 14:24:03,374][INFO] Starting vpn server
server_id = “”
instance_id = “69ef718395cb03ff428aa592”
instances =
instances_count = 0
route_count = 3
network = “ipv4/16”
network6 = “ipv6/64”
ovpn_dco = false
dynamic_firewall = false
bypass_sso_auth = false
geo_sort = false
force_connect = false
sso_auth = true
route_dns = false
device_auth = false
host_id = “id_server_name3”
host_address = “ip_server_name3”
host_address6 = “ipv6_server_name3”
host_networks = [“host_network”]
cur_timestamp = “2026-04-27 14:24:03.374061”
libipt = false
[server_name3][2026-04-27 14:24:30,666][INFO] Authenticating user
user_name = “username”
factors = [“azure”]
[server_name3][2026-04-27 14:24:30,670][INFO] Client authentication cached, skipping sso token
user_name = “username”
org_name = “org_name”
server_name = “Pritunl_server_name”
[server_name3][2026-04-27 14:24:30,675][INFO] Client authentication cached, skipping password
user_name = “username”
org_name = “org_name”
server_name = “Pritunl_server_name”
[server_name4][2026-04-27 14:24:32,837][INFO] Authenticating user
user_name = “username”
factors = [“azure”]
[server_name4][2026-04-27 14:24:32,844][INFO] Client authentication with sso token
user_name = “username”
org_name = “org_name”
server_name = “Pritunl_server_name”
[server_name4][2026-04-27 14:24:32,845][INFO] Client sso authentication, skipping password
user_name = “username”
org_name = “org_name”
server_name = “Pritunl_server_name”

So, based on these tests, my understanding is:

When adding or modifying routes (for example), I should stop the server and start it again, rather than using the Restart Server button.

zach · April 27, 2026, 8:34pm

The server should be stopped before modifying routes then started again. It shouldn’t allow route modifications to occur while the server is running.