
KB40667 - Pulse Secure Desktop client with credential provider enabled uses smart card as the logon method if a smart card reader is present


Information

 
Last Modified Date: 6/7/2017 3:46 PM
Synopsis
This article describes an issue where the Pulse Secure Desktop client with credential provider enabled defaults to smart card logon when a smart card reader is present. This may not be the desired result if the end user would like to use a username and password to authenticate to the Pulse Connect Secure device.
Problem or Goal
If a computer has a smart card reader and drivers installed but the user logs on to Windows with username and password credentials, and Pulse is installed with credential provider enabled, then Windows makes the smart card reader the default credential provider and users are unable to log on without a smart card.
Cause
This issue occurs when all of the following conditions are met:
  • Windows machine with Pulse Secure Desktop client installed
  • Credential Provider is enabled 
  • Smart card reader is installed
If the Pulse Secure Desktop client is installed and credential provider authentication is enabled, the Pulse client hides the standard Windows password and smart card login methods (credential providers) and wraps them with the Pulse password and smart card providers, which have different IDs (GUIDs), in order to intercept the user credentials and perform network authentication before the Windows logon. When Windows displays the login screen after Pulse is installed, it chooses the Pulse smart card method as the default over the password one.
Solution
If the Pulse smart card method will never be used, it can be explicitly disabled/removed, and Windows will then display the Pulse password method as the default. This can be achieved by deleting the registry key:
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{EAB1A79F-DFAA-4faf-A7B9-A6652E97EE16}]
@="Pulse Secure SSO Smartcard Credential Provider"

In Windows 10, a Group Policy for "Assign a default credential provider" (Computer Configuration > Policies > Administrative Templates > System > Logon > Exclude credential providers in policy editor) can be used to change the default provider, as mentioned in a Microsoft Technet post. The relevant GUIDs are:
 

Pulse Secure smart card credential provider GUID:

{EAB1A79F-DFAA-4faf-A7B9-A6652E97EE16}

Pulse Secure password credential provider GUID:

{4EFD0F35-BFBA-44eb-8F25-2B3530203C1D}
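
The registry change from the Solution, written as a PowerShell script. This is an added example, not Pulse Secure's own tooling; the backup directory and the check that the Pulse password provider is still registered are assumptions of this example, while the key path and GUIDs are the ones listed above.

```powershell
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    # Backup location is an assumption of this example, not from the article.
    [string]$BackupDir = "$env:ProgramData\CredProviderBackup"
)

$root = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
# GUIDs exactly as listed in the article.
$smartCardGuid = '{EAB1A79F-DFAA-4faf-A7B9-A6652E97EE16}'
$passwordGuid  = '{4EFD0F35-BFBA-44eb-8F25-2B3530203C1D}'

$scKey = "HKLM:\$root\$smartCardGuid"
$pwKey = "HKLM:\$root\$passwordGuid"

if (-not (Test-Path -LiteralPath $scKey)) {
    Write-Output 'Pulse smart card credential provider is not registered; nothing to do.'
    return
}

# Precaution added in this example: only remove the smart card wrapper when the
# Pulse password provider is registered, so a logon method remains afterwards.
if (-not (Test-Path -LiteralPath $pwKey)) {
    throw "Pulse password credential provider $passwordGuid not found; leaving $smartCardGuid in place."
}

$name = (Get-ItemProperty -LiteralPath $scKey).'(default)'
Write-Output "Found $smartCardGuid ('$name')"

if ($PSCmdlet.ShouldProcess($scKey, 'Export to .reg backup and delete')) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backup = Join-Path $BackupDir "pulse-smartcard-cp-$(Get-Date -Format 'yyyyMMdd-HHmmss').reg"

    # reg.exe writes a file that can be re-imported to restore the provider.
    & reg.exe export "HKLM\$root\$smartCardGuid" $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup failed (reg.exe exit code $LASTEXITCODE); key not deleted." }

    Remove-Item -LiteralPath $scKey -Recurse -Force
    Write-Output "Deleted $scKey; backup saved to $backup"
}
```

Run the script with -WhatIf first to confirm which key would be removed without changing the registry.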
Created By: Matthew Spiers
