Reset Search
 

 
Article

KB40052 - Pulse Credential Provider may fail when Pulse GUIDs are blocked by third-party security products.

Printable View
« Go Back

Information

 
Last Modified Date11/5/2016 5:54 AM
Synopsis
This article provides information needed by desktop or network administration teams to allow Pulse credential provider functionality with 3rd party security products.
Problem or Goal
Pulse Secure Pre-Logon connections which require Pulse Credential Provider may fail when Pulse GUIDs are blocked by third-party security products. These third party programs may wrap the existing Credential Providers that are installed. Some such programs that perform this functionality are Imprivata OneSign or McAfee Endpoint Encryption (SafeBoot); it is possible there are others that perform the same function.
Cause
This issue occurs due to some security programs may not allow the Pulse Secure credential provider by default, and must be manually added to a whitelist.  To add Pulse Secure to the whitelist, the credential provider GUID must be determined.
Solution
To resolve this issue, Pulse Secure credential provider (CP) GUID's must be added to the whitelist.  As the CP GUID's may change between versions, please refer to the Pulse Secure Desktop Client Client-Side Changes Guide to confirm the correct GUID string.

Pulse Secure provides four GUIDs for each credential provider option:
 
Credential Provider NameDescription
Pulse Secure SSO Password Credential Provider ClassThis is used for standard username & password authentication
Pulse Secure SSO Smartcard Credential Provider ClassThis is used for smart card authentication
Pulse Secure SSO OneX Smartcard Credential Provider ClassThis is used for 802.1x authentication with smart card ​
Pulse Secure SSO OneX Password Credential Provider ClassThis is used for 802.1x authentication with username & password

For example, the following GUID's (highlighted in RED) appear in the 5.2R3 Client-Side Changes document: 
[HKEY_CLASSES_ROOT\CLSID\{4B9CAC01-6732-40d0-8B8F-B5B340F9D44F}]
@="Pulse Secure SSO OneX Password Credential Provider Class"

[HKEY_CLASSES_ROOT\CLSID\{4EFD0F35-BFBA-44eb-8F25-2B3530203C1D}] 
@="Pulse Secure SSO Password Credential Provider Class"

[HKEY_CLASSES_ROOT\CLSID\{C1258FBC-F04F-4862-B78A-DDAAEF4A9707}] 
@="Pulse Secure SSO OneX Smartcard Credential Provider Class"

[HKEY_CLASSES_ROOT\CLSID\{EAB1A79F-DFAA-4faf-A7B9-A6652E97EE16}] 
@="Pulse Secure SSO Smartcard Credential Provider Class"

DISCLAIMER:  McAfee does not directly support third party credential providers.  For more information about this limitation and how to file a enhancement request to add Pulse Secure GUID by default, please refer to the following McAfee KB article.  Pulse Secure support has found these instructions to work, but McAfee may change this behavior anytime in the future without notification.


For McAfee Endpoint Encryption or Drive encryption, all CP's are filtered out by default.  To allow a Pulse Secure CP, modify the DE/EEPC EpePcCp.ini file.  In this example, the added GUID is for Pulse Secure SSO Password Credential Provider. 
[CredentialProvider.Filter.Providers]
{4EFD0F35-BFBA-44eb-8F25-2B3530203C1D}=Enable

 

Related Links
Attachment 1 
Created ByNick Christen

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255