KB44062 - Dynamic Trust: "Why is machine auth failing?" "Will the Pulse Client prompt me to trust the server certificate?"


Information

 
Last Modified Date: 3/13/2019 5:16 PM
Synopsis
The customer is using PPS for pure 802.1X layer 2 authentication with dynamic-trust set to "true" on the Pulse Client, and the client ultimately failed authentication.
 
Problem or Goal
The customer recently changed the server certificate and its issuer. The new issuer certificate was not in the trusted server list of the preconfiguration file, so the client ultimately failed to validate the server.
The customer wants to know whether this is normal, because they believe that, due to dynamic trust, the new server should have been ignored or a pop-up should have asked whether they want to trust the new server.

 
Cause
The cause is that the customer is doing machine authentication. The Pulse Client behaves differently for pre-desktop (machine) authentication than for regular desktop authentication. Machine authentication does not use dynamic trust: it will not prompt you, and it will not skip validating the server certificate. Regular desktop authentication will prompt you to trust a new server if it detects one.
Solution
The solution is to include all of the new issuing certificate information in the preconfiguration Pulse Client installer file, so that the client has all the certificate information it needs to validate the server. You cannot rely on dynamic-trust to fix this with a prompt.
Created By: Mike Condon
