KB40405 - Certificate-based authentication or restriction fails with Pulse Secure Desktop client 5.2R5 to 5.2R7 if the EKU (Enhanced Key Usage) of Client Authentication is not present.
Last Modified Date: 3/16/2017 9:28 PM
Synopsis
This article describes an issue where certificate-based authentication or restriction fails with Pulse Secure Desktop client 5.2R5 to 5.2R7 if the EKU (Enhanced Key Usage) of Client Authentication is not present in the certificate.


 
Problem or Goal
After upgrading the Pulse Secure Desktop client to 5.2R5 through 5.2R7, certificate-based authentication or restriction fails with one of the following error messages:

Certificate Authentication scenario:
Error 1332 "Missing or invalid certificate"

Certificate Restrictions scenario:
Error 1329 "You are not allowed to sign in., long: Contact your network administrator."


In the Pulse client debug logs, the following messages are logged:

jcSelectionRule.cpp:345 - 'JamCertLib' Certificate XXXXX does not meet the required 'has EKU:ClientAuth' condition, skipping it (rank 0)
jamCert.cpp:405 - 'JamCertLib' No client certificate satisfied the minimal requirements.
JNPRClient.cpp:3987 - 'eapService' No valid client certificate found.
channelProviderImplEap.cpp:410 - 'iftProvider' EAP Authentication FAILED: Error: 1332 0x534 State: 3 0x3
Cause
This issue is caused by changes introduced in Pulse Secure Desktop client 5.2R5 to support automatic certificate selection. The "AUTO" selection logic added in 5.2R5 broke the legacy behavior, so certificate authentication fails when the EKU field is missing from the certificate.


Affected versions:

Pulse Secure Desktop client version 5.2R5 to 5.2R7
Solution
To confirm the root cause, verify whether the EKU extension is present in the client certificate. Open the certificate and navigate to Details > Extensions Only, then check whether Enhanced Key Usage contains the Client Authentication OID.
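The same check can be scripted for many certificates at once. The following is an added example, not part of this KB or of the Pulse client: it walks a DER-encoded certificate in pure Python (no third-party library) and reports whether the Extended Key Usage extension (OID 2.5.29.37) is present and lists Client Authentication (id-kp-clientAuth, OID 1.3.6.1.5.5.7.3.2), which is the property the client's 'has EKU:ClientAuth' rule tests. The certificate produced by `build_demo_cert` is a constructed, unsigned skeleton for demonstration only, not a real Pulse Secure certificate; `load_pem` lets the same check run on a Base64 .cer/.pem file exported from the Windows certificate store.

```python
"""Pure-Python check for the X.509 Extended Key Usage (EKU) extension and its
Client Authentication purpose. Assumes the standard RFC 5280 v3 layout; the demo
certificate built below is a constructed skeleton, not a real certificate."""
import base64

EKU_OID = "2.5.29.37"                  # id-ce-extKeyUsage
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth (demo data only)


def _read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: low bits count the length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def _children(data):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(data):
        tag, value, pos = _read_tlv(data, pos)
        out.append((tag, value))
    return out


def _decode_oid(value):
    """Decode OBJECT IDENTIFIER contents into dotted form (e.g. 2.5.29.37)."""
    arcs, n = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                        # last byte of a base-128 arc
            arcs.append(str(n))
            n = 0
    return ".".join(arcs)


def eku_purposes(cert_der):
    """Return the EKU purpose OIDs of a DER certificate, or None if the
    certificate carries no EKU extension at all (the case this KB describes)."""
    _, cert, _ = _read_tlv(cert_der, 0)                  # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)                       # tbsCertificate SEQUENCE
    for tag, value in _children(tbs):
        if tag == 0xA3:                                  # extensions [3] EXPLICIT
            (_, ext_list), = _children(value)            # SEQUENCE OF Extension
            for _, ext in _children(ext_list):
                fields = _children(ext)                  # extnID [, critical], extnValue
                if _decode_oid(fields[0][1]) == EKU_OID:
                    _, purposes, _ = _read_tlv(fields[-1][1], 0)  # OCTET STRING wraps SEQUENCE OF OID
                    return [_decode_oid(v) for _, v in _children(purposes)]
    return None


def has_client_auth_eku(cert_der):
    """True only if an EKU extension exists AND lists id-kp-clientAuth."""
    purposes = eku_purposes(cert_der)
    return purposes is not None and CLIENT_AUTH_OID in purposes


def load_pem(pem_text):
    """Strip PEM armour and return the DER bytes of an exported certificate."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


# --- constructed demo data: minimal DER encoder and certificate skeleton ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                  # base-128, high bit set on all but last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return _tlv(0x06, bytes(body))


def build_demo_cert(eku_oids):
    """Constructed, unsigned v3 certificate skeleton: names, key and signature are
    placeholders; only the extension layout is realistic. eku_oids=None omits EKU."""
    sha256_rsa = _encode_oid("1.2.840.113549.1.1.11") + _tlv(0x05, b"")
    # keyUsage (critical): digitalSignature only
    exts = [_tlv(0x30, _encode_oid("2.5.29.15") + _tlv(0x01, b"\xff") + _tlv(0x04, _tlv(0x03, b"\x07\x80")))]
    if eku_oids is not None:
        eku = _tlv(0x30, b"".join(_encode_oid(o) for o in eku_oids))
        exts.append(_tlv(0x30, _encode_oid(EKU_OID) + _tlv(0x04, eku)))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))                   # version v3
                     + _tlv(0x02, b"\x01")                              # serialNumber
                     + _tlv(0x30, sha256_rsa)                           # signature algorithm
                     + _tlv(0x30, b"")                                  # issuer (placeholder)
                     + _tlv(0x30, _tlv(0x17, b"170101000000Z") + _tlv(0x17, b"180101000000Z"))
                     + _tlv(0x30, b"")                                  # subject (placeholder)
                     + _tlv(0x30, _tlv(0x30, _encode_oid("1.2.840.113549.1.1.1") + _tlv(0x05, b"")) + _tlv(0x03, b"\x00"))
                     + _tlv(0xA3, _tlv(0x30, b"".join(exts))))
    return _tlv(0x30, tbs + _tlv(0x30, sha256_rsa) + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    for label, der in [("with ClientAuth EKU", build_demo_cert([CLIENT_AUTH_OID])),
                       ("serverAuth-only EKU", build_demo_cert([SERVER_AUTH_OID])),
                       ("no EKU extension", build_demo_cert(None))]:
        print(f"{label:22s} purposes={eku_purposes(der)} has ClientAuth={has_client_auth_eku(der)}")
```

A certificate for which `eku_purposes` returns `None` is exactly the case this article describes: the extension is absent, so the 5.2R5 to 5.2R7 selection rule skips the certificate with rank 0. Certificates that return a list containing 1.3.6.1.5.5.7.3.2 satisfy the rule.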

This issue will be resolved in Pulse Secure Desktop client version 5.2R8 (tentative for Q2 2017). The fix ranks all certificates equally regardless of whether the EKU extension exists. This KB will be updated once release dates are available.

Workaround:

  • Use a user certificate that has the Enhanced Key Usage extension with Client Authentication.
  • Force the Pulse client to use the "AUTO" rule. To do this, manually edit the Pulse client's "connstore.dat" file on the endpoint machine and add the following line to the appropriate connection:
client-certificate-selection-rule: "AUTO"

For more information on using the "AUTO" rule, refer to page 10 of the 5.2R5 Release Notes:
https://www.pulsesecure.net/download/techpubs/current/791/pulse-client/pulse-secure-client-desktop/5.2rx/ps-pulse-5.2r5-releasenotes.pdf
Created By: Kshitij Gupta