Reset Search
 

 

Article

KB40183 - Domain name and user name is no longer pre-populated for terminal services sessions after upgrading to 8.1R8 and 8.2R1.1

« Go Back

Information

 
Last Modified Date10/21/2016 9:54 PM
Synopsis
On the Pulse Connect Secure (PCS) versions 8.1R6 and 8.2R1 and below, we didn't rely on <USER> attribute to pull the Domain value. The default domain for the remote desktop is automatically pre-poulated in the Pulse Secure Windows Terminal Services (WTS) client after remote desktop window is opened.

User-added image

In PCS versions 8.1R7+ and 8.2R1+, Pulse Secure WTS client utilizes the native Microsoft Remote Desktop Protocol (RDP) client. Microsoft RDP includes features and capabilities such as Network Level Authentication (NLA) which we can now be supported in conjunction with the PCS WTS client. The Microsoft RDP client will always prompt for the DOMAIN\USERNAME and PASSWORD before opening the remote desktop window. ​However, the default DOMAIN for the remote desktop is "not" automatically pre-populated using NLA with Microsoft RDP client integration. 

In 8.1R7 or 8.2R1, end users would see the following prompt which includes the username field pre-populated:

User-added image

In order to pre-populate the DOMAIN in the remote desktop, the following values can be configured in the Administrator Web UI under Users > User Roles > [ROLE_NAME] > Terminal Services > Sessions > [SESSION_NAME] 
  • Configure the Username value with the varibable <USER> attribute. This attribute equates to the DOMAIN and the USERNAME if Active Directory / Windows NT Authentication Server (Authentication > Auth. Servers) is use as the User Directory/Attribute Server in the Realm (Users > User Realms > [REALM_NAME] > General).
  • Configure the Username value with the static DOMAIN name and the varibable <USERNAME> attribute (Ex: ACMEGIZMO\<USERNAME>). The <USERNAME> variable equates to the USERNAME entered by the end user when logging in to the PCS. 
  • Configure the Username value with any other variable attribute which equates to end user's domain name in addition to the varibable <USERNAME> attribute (Ex: ACMEGIZMO\<USERNAME>).
After upgrading to 8.1R8 and 8.2R1.1, end users will notice the username field is no longer pre-populated with the DOMAIN\USERNAME for terminal service sessions even when the above options are implemented.

User-added image
Problem or Goal
End user will need to manually enter the DOMAIN\USERNAME in the username field to properly authenticate.  In some cases, end users may not know the domain name thus causing authentication to fail.
Cause
This issue was occurring because we were checking for both password and username instead of just username.
Solution
Pulse Secure resolved this issue in 8.1R9 and 8.2R3. 

If you are unable to upgrade to the fix at this time, the end user can manually enter the username with DOMAIN\USERNAME to properly authenticate the RDP session and workaround this issue.

In 8.1R10 we also added the option to "Disable NLA" and revert to the native PCS Terminal Services client and behavior. 

To disable NLA through the Administrator Web UI go to Users > User Roles > [ROLE_NAME] > Terminal Services > Sessions > [SESSION_NAME] and select "Disable NLA".

User-added image

To allow an end user to define their own Terminal Services sessions with NLA disabled in the Admin Web UI go to Users > User Roles > [ROLE_NAME] > Terminal Services > Options and select "User can add sessions" in addition to "User can disable NLA".

User-added image

The end user will then be able to login to the PCS and create Terminal Services session with the option to disable NLA.

User-added image
 
Related Links
Attachment 1 
Created ByK. Kitajima

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255