To resolve this issue, check the following:
- Ensure that the public DNS is able to resolve the PCS hostname/Sign-In URL to one IP address.
- Ensure that pop-up blocker and ActiveX are not disabled in the browser.
- Test the user experience in different browsers such as IE, Mozilla Firefox, and so on.
If the problem persists, review debuglog.log (under C:/Users/Public/Logging or C:/ProgramData/PulseSecure/Logging) and confirm whether the following log entries appear:
dsTermServ.exe dsTermServProxy p6256 t2768 DSSSLSock.cpp:2539 - 'dsssl' InitializeSecurityContext failed. Error 0x80090308
dsTermServ.exe dsTermServProxy p6256 t2768 DSSSLSock.cpp:2328 - 'dsssl' ClientHandshakeLoop failed. Error 0x80090308
dsTermServ.exe dsTermServProxy p6256 t2768 DSSSLSock.cpp:3243 - 'dsssl' ApplyControlToken failed. Error 0x80090301
dsTermServ.exe dsTermServProxy p6256 t2768 ncp.cpp:2026 - 'main' SSL connect failed. Error 536875113
If the log entries appear, review the device certificate and its certificate chain to confirm which certificate is signed with an MD2 or MD5 algorithm.
To validate the device certificate and its chain, you can use Symantec SSL Checker. If the device certificate or an intermediate certificate is signed with an MD2 or MD5 algorithm, contact the certificate authority to obtain the latest CA certificates and install them on the PCS device. If the root certificate uses an MD2 or MD5 algorithm, you may delete the problematic CA under Configuration > Trusted Server CA's (in the Admin UI).
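The chain review described above can also be done offline on an exported PEM bundle. The following is an added example, not part of the original article or any vendor tooling: it reads the outer signatureAlgorithm OID of each certificate and reports those signed with MD2 or MD5. The function names and `skeleton_pem`, which builds constructed certificate-shaped sample input, are assumptions made for illustration.

```python
import base64
import re

SIG_OIDS = {  # PKCS #1 signature-algorithm OIDs; the article flags MD2 and MD5
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK = {"md2WithRSAEncryption", "md5WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0  # valid for OIDs under arcs 0 and 1
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Name (or dotted OID) of the certificate's outer signatureAlgorithm."""
    _, start, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, start)      # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)  # AlgorithmIdentifier SEQUENCE
    _, s, e = read_tlv(der, alg_start)        # algorithm OID
    oid = decode_oid(der[s:e])
    return SIG_OIDS.get(oid, oid)

def weak_certs(pem_bundle):
    """Return [(position_in_bundle, algorithm)] for MD2/MD5-signed certificates."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_bundle, re.S)
    algs = [signature_algorithm(base64.b64decode(b)) for b in blocks]
    return [(i, a) for i, a in enumerate(algs) if a in WEAK]

def skeleton_pem(oid):
    # Constructed sample input: certificate-shaped DER, not a real certificate.
    alg = bytes([0x30, len(oid) + 4, 0x06, len(oid)]) + oid + b"\x05\x00"
    der = bytes([0x30, len(alg) + 5]) + b"\x30\x00" + alg + b"\x03\x01\x00"
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
```

Position 0 in the result is the first certificate in the bundle, so the index shows whether the device, an intermediate, or the root certificate needs attention.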