Reset Search
 

 

Article

KB40184 - Machine Authentication via machine credentials failure on Windows 8 and 10, but works with Windows 7

« Go Back

Information

 
Last Modified Date4/21/2016 2:02 PM
Synopsis
Windows server requirements for machine-authentication on Windows 8 and Windows 10 platforms.
Problem or Goal
When using Machine auth, machine credentials can be used to connect to the Pulse server when the endpoint is started before a user logs in. When a user logs in, the machine authentication connection is dropped, and the user login is used instead. You can either use machine auth by means of certificate auth or use the computer accounts present in Active Directory (AD).

If you are using AD as an authentication method for the machine-auth realm, you may encounter a problem when users attempt to login from devices running Windows 8 or 10.  
Cause
This issue occurs due to Microsoft increased security for machine authentication.

To accomplish machine authentication, Pulse uses Local Security Authority (LSA) secret $Machine.acc within Windows to authenticate users against Active Directory.  An encrypted result is returned when the secret $Machine.acc is queried in Windows 8 and in Windows 10, which prevents it from being read and causes authentication to fail.  According to Microsoft, this is by design to improve the security of the secret account.
Solution
Pulse Secure recommends to change the configuration of the server and client to use machine authentication via certificate instead of machine credential method.

If this is not desired (for example, a large percentage of the user base is using Windows 7 versus Windows 8 / Windows 10), an alternative solution is to follow the Microsoft KB

Note:  This does decrease security of the endpoint, such that it does not encrypt the LSA responses.  Please take careful consideration before modifying the registry.

The recommended configuration is preferred because it will provide the same level of security and the same end user experience as previously provided, and will not use the deprecated security access methods on the client.

Preferred Solution:

When doing Machine Authentication via certificate, the endpoint should be set up to authenticate using a realm that uses a certificate authentication server, instead of authenticating against an AD server. User Authentication can still take place via a realm that uses AD. 

In the Pulse configuration, the default realm for machine authentication and user authentication can be set so that the endpoint uses the appropriate realms without prompting the end user.

Setting up the machine auth realm - note, this only describes setting up the machine portion.  Please refer to the Admin Guide for complete options on setting up machine auth with and without user-auth.
  1. Click Users > Pulse Secure > Connections and create or select a connection set.
 User-added image
  1. Create or edit a connection. For the connection type, select Connect Secure or Policy Secure (L3) for a Layer 3 connection.  (unless you are using a PPS and want to use L2 VPN tunnels).    
                                                                                                                 
  User-added image
  1. Under Connection is established, for the mode select "Machine", or "Machine or User". Machine credentials are used to connect to the Pulse server when the endpoint is started, before a user logs in. The connection is maintained when a users logs in, logs out, or switches to a different login.
User-added image
  1. Select the Connect automatically check box.
  2. Specify Realm and Role Preferences to suppress realm or role selection dialogs during the login process: 
  • Preferred Machine Realm—Specify the realm for this connection. The connection ignores any other realm that is available for the specific login credentials.  Remember to select the realm that you have set up to use only certificate authentication. 
  • Preferred Machine Role Set—Specify the preferred role or the name of the rule for the role set to be used for user authentication. The role or rule name must be a member of the preferred machine realm

From this point, you can also set up a realm and role for the user.  Please see the current Pulse administrator's guide for details and options. https://www.pulsesecure.net/techpubs/pulse-client/pulse-secure-client-desktop
 
Related Links
For details of how to create a certificate authentication server and assign it to the realm, see the relevant version of PCS or PPS administrator's guide here.
Attachment 1 
Created ByTravis Bradbury

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255