KB40602 - After disabling SMBv1, Pulse Connect Secure / Pulse Policy Secure device is unable to join the domain or end users are no longer able to authenticate

This article describes an issue where end users are no longer able to authentication to PCS  / PPS device after SMBv1 has been disabled.  This issue is applicable to PCS devices running 8.1R9 / 8.2R4 and below or PPS devices running 5.1R9 / 5.3R4 and below.

After disabling SMBv1, a new active directory authentication server will be unable to join the domain.  The following error message will occur in the event log:

2017-06-13 08:25:54 - ive - [127.0.0.1] System()[] - Active Directory authentication server 'AD': 
Samba error message: '...Failed to join domain: failed to find DC for domain XXX.XX.XXX.XXX ...'

For customer using Active Directory Legacy Mode, the following error message will occur after clicking the Test Connection option.

Either the server is not a domain controller of the domain or the Netbios name of the domain is 
different from the active directory (LDAP) name.

For existing customer which have already configured an Active Directory server, end users will face authentication issues and WINBIND will fail to join the domain.  The following entry will appear in a policy trace:
 

2017/05/14 06:54:59 - Winbind Authentication status -1073741730(NT_STATUS_NO_LOGON_SERVERS) 
for user XXXX

In a tcpdump taken from the internal port, the SMB negotiate protocol request will state NT LM 0.12.  
 

This issue occurs due to the recent Wannacrypt attacks utilizing a vulnerability in SMBv1. Many organizations are taking proactive steps to disable SMBv1.  For more information, refer to KB40620 - Host Checker configuration recommendations for Wannacrypt / Wannacry and other FAQs​.

This issue is applicable to the following versions:

• PCS 8.1R9 and below utilizing Active Directory authentication server
• PCS 8.2R4 and below utilizing Active Directory authentication server
• PPS 5.1R9 and below utilizing Active Directory authentication server
• PPS 5.3R4 and below utilizing Active Directory authentication server

Pulse Secure strongly recommends to migrate away from Active Directory Legacy Mode.  In the next major release of PCS / PPS, Legacy mode is planned to be deprecated.

To resolve this issue, upgrade to the following releases:

• 8.1R10 and above
• 8.2R5 and above

If Active Directory Legacy Mode is configured in 8.2RX and 8.1RX, migration to Active Directory mode is required to resolve this issue. For steps to complete the migration, please refer to KB40430 - How to switch an Active Directory authentication server instance from Legacy mode to Standard mode.


Q: Can SMBv1 be disabled in Active Directory Legacy Mode?
A: No.  The recommendation is to upgrade to a fixed release (stated above) and migrate to Active Directory mode.

Q: If an upgrade cannot performed immediately, is there any other potential workarounds?
A: Yes. Changing the authentication server to LDAP server can be used with an existing Active Directory environment as a workaround. 

SA40196 - [Pulse Secure] Badlock security advisory (CVE-2016-2118)​
KB40430 - How to switch an Active Directory authentication server instance from Legacy mode to Standard mode