KB22040 - PulseSetupClient fails to launch successfully and causes client applications to fail due to WinVerifyTrust failures

Users are unable to launch PPS/Pulse Secure Access client software such as Pulse Secure Desktop, Host Checker, Network Connect, Windows Secure Application Manager (WSAM), Terminal Services, etc. In the debuglog.log, the failure occurs due to a WinVerifyTrust failure. This article describes two scenarios to fix the issue.

When users attempt to connect, the application looks like it is trying to launch but fails. There is little or no external notification that there is a problem; other than failing to launch.  Users will see the Please Wait... screen for the application launch and may even see the executable attempting to launch; but nothing more is observed. When looking at the client-side logs, the following sequence is observed (edited for clarity and emphasis added for the keywords to check against):

2011/10/04 11:03:43.819 1 dsVerifyHelper.cpp:184 - 'DSVerifyHelper::verify()' Enter: C:\DOCUME~1\tester\LOCALS~1\Temp\PulseSecureSetupClientInstaller.exe dsVerifyHelper.cpp:184 - 'DSVerifyHelper::verify()' WinVerifyTrust() failed, 800B010A

2011/10/04 14:58:04.833 1 dp59 - 'DSVerifyHelper::verify()'  Enter: C:\Documents and Settings\tester\
Application Data\Pulse Secure\Setup Client\PulseSecureSetupDLL.dll dsVerifyHelper.cpp:184 -
'DSVerifyHelper::verify()' WinVerifyTrust() failed, 800B010A

WinVerifyTrust is designed to validate digital signatures of certains files are properly signed and trusted.  Depending on the return code, WinVerifyTrust can fail for multiple reasons.

Scenario 1:  Return code 800B010A

If the error code is 800B010A, this is due to a missing or untrusted root certificate.  Currently, all Pulse Secure components are signed by a VeriSign code signing certificate.  Please ensure the following certificate is installed on the problematic machine in the Trusted Root Certificate Authorities store.

VeriSign Class 3 Public Primary Certification Authority - G5

OR

To verify or install the certificate, perform the following steps:

1. Click Start > Run.
2. Enter mmc.
3. From the console window, select File > Add/Remove Snap-Ins.
4. From the list, select Certificates.
5. Click Add.
6. Select the radio button for My User Account.
7. Click Finish > OK.
8. From the left pane, click Certificate - Current User > Trusted Root Certificate Authorities > Certificates.
9. From the list, confirm that "VeriSign Class 3 Public Primary Certificate Authority - G5" exists (expires 7/16/2036).

If this is missing, use the above link to download the certificate.  Once downloaded, perform the following steps:

1. From the left pane, right-click Certificates folder > All Tasks > Import.  
2. Certificate wizard will appear and click Next.
3. Click Browse and browse to the downloaded file.
4. Click Open > Next.
5. Select the radio button for Place all certificate in the following store.
6. Click Browse > Trusted Root Certification Authorities.
7. Click Next > Finish.

Scenario 2:  Other return codes

To further debug WinTrustVerify issues, navigate to the problematic file listed in the debuglog.log and perform the following steps:

1. Right-click the file and click Properties.
2. Select the Digital Signatures tab.
3. From the list, select Pulse Secure.
4. Click Details.
5. From the general tab, it will provide additional information why certificate validation is failing.