Reset Search
 

 

Article

KB43600 - After installing January 3, 2018 Microsoft Patches, Pulse client connections fail when Host Checker is applied

« Go Back

Information

 
Last Modified Date1/8/2018 8:12 PM
Synopsis
This article describes an issue where after installing Microsoft patches released with the Windows update on January 3, users are unable to launch a VPN tunnel using Pulse Desktop client when Host Checker is applied.

After installing the Microsoft patches from the Windows update released on January 3, KB4056892,KB4056891,KB4056890,KB4056888,KB4056893  on Windows 10 and KB4056898 on Windows 8.1, Pulse users are unable to launch a VPN tunnel using Pulse Desktop client when Host Checker is applied at realm or role level.

Microsoft patches that trigger the issue are listed below:
 
Windows 8.1 January 3, 2018—KB4056898
https://support.microsoft.com/en-us/help/4056898/windows-81-update-kb4056898
 
Windows 10 version 1709 January 3, 2018—KB4056892 (OS Build 16299.192)
https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892
Windows 10 version 1703January 3, 2018—KB4056891 (OS Build 15063.850)
https://support.microsoft.com/en-us/help/4056891/windows-10-update-kb4056891
Windows 10 version 1607January 3, 2018—KB4056890 (OS Build 14393.2007)
https://support.microsoft.com/en-us/help/4056890/windows-10-update-kb4056890
Win10 1511 LTSBJanuary 3, 2018—KB4056888 (OS Build 10586.1356)
https://support.microsoft.com/en-us/help/4056888
 
Win10 1507 LTSBJanuary 3, 2018—KB4056893 (OS Build 10240.17738)
https://support.microsoft.com/en-us/help/4056893
 

Note: Windows 7 is not impacted as Microsoft patch KB4056897 does not have the known issue with the "CoInitializeSecurity" call.

Microsoft update details for Windows 7 SP1 is listed below:

Windows 7 - https://support.microsoft.com/en-us/help/4056897/windows-7-update-kb4056897
Problem or Goal
On Windows 10 clients with Microsoft Patch KB4056892,KB4056891,KB4056890,KB4056888,KB4056893 installed and Windows 8.1 with KB4056898 installed, Pulse Host Checker users experience the following issue:
  • When HC is applied at realm level, Pulse connection fails with following error:

Connection Error. Authentication rejected by server. (Error:1308)

User-added image
  • When HC is applied at role level, Pulse connection fails with following error:
Connection Error. You are not allowed to sign in. (Error:1329)
User-added image

After uninstalling the above-mentioned patches, the Pulse connection is established successfully with HC applied at the realm or role level.
 
Cause

This issue is caused by Microsoft Patches KB4056892,KB4056891,KB4056890,KB4056888,KB4056893 and KB4056898, as follows:  

Calling CoInitializeSecurity with the authentication parameter set to RPC_C_AUTHN_LEVEL_NONE resulted in the error STATUS_BAD_IMPERSONATION_LEVEL.Pulse Host Checker makes calls to the affected functions at runtime which results in the Pulse client failing to start the Host Checker plugin and produces the failure messages.  

The issue can be identified with the following string in the Pulse client-side debuglog.log: 

SYSTEM PulseSecureService.exe dsAccessService p0184 tCAC accessServiceApi.cpp:66 - 'AccessService' 
IRunningObjectTable::GetObject failed with code 0x80070005"

To verify this issue from the client-side Pulse logs:
  1. On the client PC, open the Pulse client and from the menu, select File > Logs > Log level and set to Detailed.
  2. Replicate the issue.
  3. From the Pulse client, save the Pulse logs by selecting File > Logs > Save As... and specifying a location.
  4. Extract the contents of LogsAndDiagnostics.zip then browse to the debuglog.log file from LogsAndDiagnostics\Logs\ProgramData.

 
Solution
The fix for this issue is in the following Pulse Secure Desktop client releases:
  • Pulse Secure Desktop Client-5.3R4.1 Software (Build 1183)
  • Pulse Secure Desktop Client-5.2R9.1 Software (Build 1161)

The above releases can be downloaded from Pulse Secure Licensing and Download Center.

The fix will be included in Pulse Secure Desktop Client-5.3R5 and above, 5.3R5 is tentatively scheduled for end of Q1 2018.

For details on downloading software, refer to KB40028 - [Customer Support Tools] How to download software / firmware for Pulse Secure products using the Licensing & Download Center at my.pulsesecure.net

In addition, Microsoft is planning to patch this issue within the Windows OS and will provide an update in an upcoming release.  For more details, refer to the Microsoft patches listed above.

Note : Once Microsoft release patch fix with an update, Pulse Secure Desktop Client with the fix will not be impacted.We suggest upgrading to the Pulse client fixed versions as we do not have an ETA on when Microsoft will release the patch fix.

Related Links
Attachment 1 
Created BySha Hussian

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255