Pulse Secure recommends changing the server and client configuration to use certificate-based machine authentication instead of the machine credential method.
If this is not desired (for example, because a large percentage of the user base is still on Windows 7 rather than Windows 8 / Windows 10), an alternative is to make the following change on the client systems.
- In the registry of the workstation, go to....
- Create a new DWORD (32-bit) value called LsaAllowReturningUnencryptedSecrets.
- Modify the new value and set its data to 1.
- Click OK.

Note 1: The needed registry key can be added via a registry GPO.

Note 2: Making this change decreases the security of the endpoint, because the LSA responses are then no longer encrypted. Please take careful consideration before modifying the registry.
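As an added example (not Pulse Secure's own code), a PowerShell script that audits an endpoint for the LsaAllowReturningUnencryptedSecrets workaround and, with -Remediate, clears it once the certificate-based machine-auth realm is in place. The registry key path is passed in as a parameter because the step above omits it, and the function names are assumptions made here.

```powershell
# Added example, not part of the Pulse Secure article.
# Audits, and optionally clears, the LsaAllowReturningUnencryptedSecrets workaround
# described above. Run elevated. Function names are chosen here, not Pulse Secure's.
param(
    # The LSA registry key the article's first step points to (path omitted there; supply it).
    [Parameter(Mandatory)] [string]$LsaKeyPath,
    [switch]$Remediate
)

$ValueName = 'LsaAllowReturningUnencryptedSecrets'

function Test-PulseLsaWorkaround {
    param([string]$KeyPath, [string]$Name)
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Windows 7 is NT 6.1 and Windows 8 is NT 6.2; per the article, only the
    # Windows 8 / 10 endpoints need the workaround, so flag 6.2 and later.
    $affectedOs = [version]$os.Version -ge [version]'6.2'
    # A missing key or value yields $null rather than an error.
    $item  = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { [int]$item.$Name } else { $null }
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        OSVersion        = $os.Version
        AffectedOS       = $affectedOs
        WorkaroundValue  = $value
        # 1 = LSA responses no longer encrypted: the weakened state Note 2 warns about.
        WeakenedEndpoint = ($affectedOs -and $value -eq 1)
    }
}

function Remove-PulseLsaWorkaround {
    param([string]$KeyPath, [string]$Name)
    # Deleting the value restores the OS default. Do this only after the connection set
    # uses a certificate-based machine realm, or pre-logon machine auth will fail again.
    if ($null -ne (Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue)) {
        Remove-ItemProperty -Path $KeyPath -Name $Name -ErrorAction Stop
    }
}

$report = Test-PulseLsaWorkaround -KeyPath $LsaKeyPath -Name $ValueName
$report | Format-List

if ($Remediate -and $report.WeakenedEndpoint) {
    Remove-PulseLsaWorkaround -KeyPath $LsaKeyPath -Name $ValueName
    Write-Output "Cleared $ValueName on $($report.ComputerName)"
}
```

Running the audit without -Remediate across a fleet (for example via a remoting job) shows which endpoints still carry the weakened setting and which are Windows 7 machines where the value is irrelevant.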
The recommended configuration is preferred because it provides the same level of security and the same end-user experience as before, without relying on the deprecated security access methods on the client.
When performing machine authentication via certificate, the endpoint should be set up to authenticate using a realm that uses a certificate authentication server, instead of authenticating against an AD server. User authentication can still take place via a realm that uses AD.
In the Pulse configuration, the default realm for machine authentication and user authentication can be set so that the endpoint uses the appropriate realms without prompting the end user.
Setting up the machine auth realm (note: this only describes the machine portion; refer to the Admin Guide for the complete options for setting up machine auth with and without user auth):
- Click Users > Pulse Secure > Connections and create or select a connection set.
- Create or edit a connection. For the connection type, select Connect Secure or Policy Secure (L3) for a Layer 3 connection (unless you are using a PPS and want to use L2 VPN tunnels).
- Under Connection is established, for the mode select "Machine" or "Machine or User". Machine credentials are used to connect to the Pulse server when the endpoint is started, before a user logs in. The connection is maintained when a user logs in, logs out, or switches to a different login.
- Select the Connect automatically check box.
- Specify Realm and Role Preferences to suppress realm or role selection dialogs during the login process:
  - Preferred Machine Realm—Specify the realm for this connection. The connection ignores any other realm that is available for the specific login credentials. Remember to select the realm that you have set up to use only certificate authentication.
  - Preferred Machine Role Set—Specify the preferred role or the name of the rule for the role set to be used for user authentication. The role or rule name must be a member of the preferred machine realm.
From this point, you can also set up a realm and role for the user. See the current Pulse administrator's guide for details and options: https://www.pulsesecure.net/techpubs/pulse-client/pulse-secure-client-desktop