KB40184 - Machine Authentication via machine credentials failure on Windows 8 and 10, but works with Windows 7


Information

 
Last Modified Date: 4/21/2016 2:02 PM
Synopsis
Windows server requirements for machine-authentication on Windows 8 and Windows 10 platforms.
Problem or Goal
With machine authentication, machine credentials can be used to connect to the Pulse server when the endpoint is started, before a user logs in. When a user logs in, the machine authentication connection is dropped and the user login is used instead. Machine authentication can use either certificate authentication or the computer accounts present in Active Directory (AD).

If you are using AD as the authentication method for the machine-auth realm, you may encounter a problem when users attempt to log in from devices running Windows 8 or 10.
Cause
This issue occurs because Microsoft increased security for machine authentication.

To accomplish machine authentication, Pulse uses the Local Security Authority (LSA) secret $Machine.acc within Windows to authenticate users against Active Directory. On Windows 8 and Windows 10, querying the secret $Machine.acc returns an encrypted result, which prevents it from being read and causes authentication to fail. According to Microsoft, this is by design to improve the security of the secret account.
Solution
Pulse Secure recommends changing the configuration of the server and client to use machine authentication via certificate instead of the machine credential method.

If this is not desired (for example, a large percentage of the user base is using Windows 7 versus Windows 8 / Windows 10), an alternative solution is to do the following on the client systems.

  1. In the registry of the workstation, go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
  2. Create a new DWORD (32-bit) value named LsaAllowReturningUnencryptedSecrets
  3. Modify the new value and set its data to 1
  4. Click OK.

Note 1: The needed registry key can be added via a registry GPO.
Note 2: Making this change decreases the security of the endpoint, because LSA responses are no longer encrypted. Consider this carefully before modifying the registry.
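
To find endpoints where this workaround has been applied (for example, to remove it after moving to certificate-based machine authentication), the registry value can be audited with PowerShell. The following is an added example, not part of the original article or any Pulse Secure tooling; the function name Get-LsaUnencryptedSecretsSetting and its output fields are assumptions, and remote queries assume PowerShell remoting is enabled.

```powershell
# Added example (not Pulse Secure code). Function and property names are assumptions.
function Get-LsaUnencryptedSecretsSetting {
    [CmdletBinding()]
    param(
        # Endpoints to query over PowerShell remoting; default is the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Runs on each endpoint: read the value from the registry path given in the article.
    $probe = {
        $path = 'HKLM:\System\CurrentControlSet\Control\Lsa'
        $name = 'LsaAllowReturningUnencryptedSecrets'
        $key  = Get-Item -LiteralPath $path -ErrorAction Stop
        $present = $key.GetValueNames() -contains $name
        $kind    = if ($present) { $key.GetValueKind($name).ToString() } else { $null }
        $data    = if ($present) { $key.GetValue($name) } else { $null }
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            OS        = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
            Present   = $present
            ValueKind = $kind
            Data      = $data
            # True only for the exact setting the article describes: DWORD set to 1.
            WorkaroundApplied = ($present -and $kind -eq 'DWord' -and $data -eq 1)
            Error     = $null
        }
    }

    foreach ($computer in $ComputerName) {
        try {
            if ($computer -eq $env:COMPUTERNAME) {
                & $probe
            } else {
                Invoke-Command -ComputerName $computer -ScriptBlock $probe -ErrorAction Stop |
                    Select-Object Computer, OS, Present, ValueKind, Data, WorkaroundApplied, Error
            }
        } catch {
            # Unreachable host or unreadable key: report it instead of skipping silently.
            [pscustomobject]@{
                Computer = $computer; OS = $null; Present = $null; ValueKind = $null
                Data = $null; WorkaroundApplied = $null; Error = $_.Exception.Message
            }
        }
    }
}

# List endpoints that still carry the workaround.
Get-LsaUnencryptedSecretsSetting | Where-Object { $_.WorkaroundApplied } | Format-Table -AutoSize
```

The OS column helps separate Windows 7 endpoints, which do not need the value, from Windows 8 and Windows 10 endpoints where it was set deliberately.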

The recommended configuration is preferred because it will provide the same level of security and the same end user experience as previously provided, and will not use the deprecated security access methods on the client.

Preferred Solution:

When doing Machine Authentication via certificate, the endpoint should be set up to authenticate using a realm that uses a certificate authentication server, instead of authenticating against an AD server. User Authentication can still take place via a realm that uses AD. 

In the Pulse configuration, the default realm for machine authentication and user authentication can be set so that the endpoint uses the appropriate realms without prompting the end user.

Setting up the machine auth realm. Note: this only describes setting up the machine portion. Please refer to the Admin Guide for complete options on setting up machine auth with and without user-auth.
  1. Click Users > Pulse Secure > Connections and create or select a connection set.
  2. Create or edit a connection. For the connection type, select Connect Secure or Policy Secure (L3) for a Layer 3 connection (unless you are using a PPS and want to use L2 VPN tunnels).
  3. Under Connection is established, for the mode select "Machine", or "Machine or User". Machine credentials are used to connect to the Pulse server when the endpoint is started, before a user logs in. The connection is maintained when a user logs in, logs out, or switches to a different login.
  4. Select the Connect automatically check box.
  5. Specify Realm and Role Preferences to suppress realm or role selection dialogs during the login process:
  • Preferred Machine Realm: Specify the realm for this connection. The connection ignores any other realm that is available for the specific login credentials. Remember to select the realm that you have set up to use only certificate authentication.
  • Preferred Machine Role Set: Specify the preferred role or the name of the rule for the role set to be used for user authentication. The role or rule name must be a member of the preferred machine realm.

From this point, you can also set up a realm and role for the user. Please see the current Pulse administrator's guide for details and options: https://www.pulsesecure.net/techpubs/pulse-client/pulse-secure-client-desktop
 
Related Links
For details of how to create a certificate authentication server and assign it to the realm, see the relevant version of PCS or PPS administrator's guide here.
Created By: Travis Bradbury
