
KB40180 - Windows security prompt appears after upgrading to 8.1R7 and above

Information

Last Modified Date: 10/4/2016 5:27 PM
Synopsis
This document explains the changes to Pulse Secure Windows Terminal Services (WTS) completed in 8.1RX and 8.2RX.  
 
Behavior by release:

  8.1R6 and below:
    User clicks on a terminal service bookmark and the RDP session is established displaying the normal WinLogon screen on the remote host.

  8.1R7 and 8.1R9 / 8.2R1 to 8.2R5:
    User clicks on a terminal service bookmark and is prompted for credentials with a Windows security pop up.  (Refer to Figure 1.)  The credentials are used to authenticate the user on the remote host, bypassing the WinLogon step.

  8.1R10:
    Added Disable NLA option.
Figure 1

User-added image
Cause
As part of the 8.2R1 and 8.1R7 releases, Pulse Secure Terminal Services uses Network Level Authentication (NLA) as the security protocol and sessions configured as Pulse Secure Terminal Services resources use the native Microsoft RDP client (mstsc.exe) to establish the connection to the remote host.  By design, NLA requires the client computer to present user credentials for authentication before the remote session with the server is established.
Solution

What is the impact of these changes?

With these changes the end-user experience will also change when launching Pulse Secure TS sessions as outlined below.  

Use Case #1 

If the remote host machine does not have a valid certificate signed by a trusted CA, the end user will see the security warning shown below.  (Although it is not recommended, the user can accept the certificate warning and click "Yes" to connect to the remote host.)

User-added image

Use Case #2

If SSO is not configured in the Terminal Services Resource Profile, end users will be prompted for credentials with a Windows security pop up prior to connecting to the remote host.  

  • User experience in releases before 8.2R1 and 8.1R7.  The TS session is established and users enter their credentials and authenticate via WinLogon at the remote host desktop.
User-added image
  • User experience in 8.2R1 and 8.1R7 and later releases.  The end user is prompted for credentials with a Windows security pop up prior to establishing the connection to the remote host.  The credentials are then passed to the remote host, bypassing WinLogon, and the user is logged on to the remote host desktop.
User-added image


Resolution to disable NLA with Pulse Secure Terminal Services:

In 8.1R10, an option called Disable NLA was added to revert to the previous native PCS Terminal Services client behavior.  To disable NLA through the Administrator Web UI, perform the following steps:

  1. Navigate to Users > User Roles > [ROLE_NAME] > Terminal Services > Sessions > [SESSION_NAME]
  2. Select Disable NLA

User-added image

To allow end users to define their own Terminal Services sessions with NLA disabled, go to Users > User Roles > [ROLE_NAME] > Terminal Services > Options in the Admin Web UI and select "User can add sessions" in addition to "User can disable NLA".

User-added image

The end user will then be able to log in to the PCS and create Terminal Services sessions with the option to disable NLA.

User-added image

If you want to continue with NLA enabled, the following solutions can be applied.


For Use Case #1:

This security warning is generated because the remote host is using a certificate that is self-signed or is not signed by a trusted certificate authority (CA).  If this is the case, the remote host is potentially vulnerable to man-in-the-middle (MITM) attacks.  To resolve this issue, we recommend the following:
  • Install a certificate on the remote host that is signed by a trusted CA.
  • If a self-signed certificate is used on the remote host, use a group policy to install this certificate in the client's Trusted CA certificate store.
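The following PowerShell script is an added example; it is not part of this KB article and not Pulse Secure code.  Run in an elevated session on the remote RDP host, it reports whether the host currently requires NLA, which certificate the RDP listener presents and whether that certificate chains to a trusted root, and, when the certificate is self-signed, exports it (public part only) so it can be pushed to clients' Trusted Root store through Group Policy as recommended above.  The WMI class and certificate stores are standard Windows ones; the export path is an assumed value.

```powershell
# Added example (not from the Pulse Secure KB article). Run elevated on the remote RDP host.
# Shows the host's NLA setting, the RDP listener certificate and its trust status, and
# exports a self-signed listener certificate for distribution to clients via Group Policy.

$ExportPath = 'C:\Temp\rdp-listener.cer'   # assumption: adjust to your environment

# RDP listener settings live in the TerminalServices WMI namespace.
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"

# UserAuthenticationRequired = 1 means the host requires NLA, i.e. credentials are
# collected before the session is established (the behavior described for 8.1R7+ / 8.2R1+).
$nlaRequired = ($ts.UserAuthenticationRequired -eq 1)
Write-Host "NLA required on this host    : $nlaRequired"

# The listener certificate is identified by its SHA-1 thumbprint and kept in the
# machine's 'Remote Desktop' store (a self-signed certificate by default).
$thumb = $ts.SSLCertificateSHA1Hash
$cert  = Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop' |
             Where-Object { $_.Thumbprint -eq $thumb }

if (-not $cert) {
    Write-Warning "No certificate with thumbprint $thumb found in the Remote Desktop store."
    return
}

Write-Host "Listener certificate subject : $($cert.Subject)"
Write-Host "Issuer                       : $($cert.Issuer)"
Write-Host "Expires                      : $($cert.NotAfter)"

# A self-signed certificate has identical subject and issuer. Verify() builds the chain
# against this machine's own trusted roots; a client that does not trust the issuer is
# the one that sees the Use Case #1 warning, so this is a proxy for the client-side view.
$selfSigned          = ($cert.Subject -eq $cert.Issuer)
$chainsToTrustedRoot = $cert.Verify()
Write-Host "Self-signed                  : $selfSigned"
Write-Host "Chains to a trusted root     : $chainsToTrustedRoot"

if ($selfSigned) {
    # Export the public certificate only (no private key). The file can then be added under
    # Computer Configuration > Windows Settings > Security Settings > Public Key Policies >
    # Trusted Root Certification Authorities in a GPO that targets the client computers.
    Export-Certificate -Cert $cert -FilePath $ExportPath -Type CERT | Out-Null
    Write-Host "Self-signed listener certificate exported to $ExportPath for GPO distribution."
}
```

On a single client the exported file can be imported with Import-Certificate -FilePath <file> -CertStoreLocation Cert:\LocalMachine\Root, which is what the Group Policy setting does at scale.  Trusting a self-signed listener certificate is a per-host trust: if the host regenerates the certificate (for example after it expires), the new certificate must be distributed again or the warning returns, which is why a certificate issued by a CA the clients already trust is the cleaner fix.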

 

For Use Case #2:

Pulse Secure WTS has been re-architected to leverage the security benefits that NLA provides and to align Pulse Secure's product with Microsoft's recommended practices.  For any other use cases not covered by the changes outlined in this article, please contact Pulse Secure technical support for further assistance.

Refer to the following links for more information on NLA and its benefits:

https://msdn.microsoft.com/en-us/library/cc505913.aspx
https://technet.microsoft.com/en-in/library/cc742818.aspx


Workaround:

To avoid the Windows Security pop up in Use Case #2, configure SSO (single sign-on) in the Terminal Services Resource Profile or in the bookmark settings on the role.

From the admin console: 
  1. Navigate to Users > [User Role] > Terminal Services > Sessions, or to Resource Profiles > Terminal Services Resource Profiles.
  2. From the list, select the corresponding bookmark or resource profile.
  3. In the Session section, enter credential variables or values:
    • If the PCS login and RDP session credentials are the same, enter <USER> in the Username field, then select Variable Password and enter <PASSWORD> in the Variable Password field.
    • If the PCS login and RDP session credentials are different, enter the actual username and domain values in DOMAIN/USERNAME format (e.g. ACMEGIZMO/test) and manually enter the password in the Password field.
User-added image

For user-created bookmarks:
  1. Log in to the PCS device.
  2. From the landing page, click on the Item Properties icon for the TS bookmark.
User-added image
  3. Under the Session section, enter the username and password for the RDP session.
User-added image
  4. Click Save Changes.
Related Links
Attachment 1

Created By: K. Kitajima
