Reset Search
 

 

Article

KB44781 - Multiple functionalities/features fail for End-Users with a Certificate error.

« Go Back

Information

 
Last Modified Date5/5/2021 10:05 PM
Synopsis
This article describes a situation where Multiple functionalities/features fail for End-Users with a Certificate error.   
NOTE:  If upgrading your PCS appliance from a prior version to 
9.1R8 your web based clients will be impacted by this issue.  Remediation steps are highlighted below.  
(Last Update on 5/5/2021 01:28 PM PST).
Problem or Goal
Multiple functionalities/features fail for End-Users with a Certificate error.
This issue started on the 12th of April, 2021 after 12:00 am UTC time as the validity of the code signing certificate expired.
  1. This impacts PCS/PPS.
  2. This impacts the following releases,
  • 9.1R11, 9.1R11.1
  • 9.1R10
  • 9.1R9, 9.1R9.1
  • 9.1R8, 9.1R8.1, 9.1R8.2
       3. This impacts only Windows End-Points.
       4. The following features are impacted:
  • Terminal Services.
  • JSAM
  • HOB
  • CTS
  • VDI
  • Secure Meeting (Pulse Collaboration).
  • Host Checker.
  • Launching of PDC via browser.
  • SAML with External Browser with HC enabled.
This issue does not impact,
  • Users who access Pulse Desktop Client directly (Not Via a Browser).
  • macOS, Linux Users.
  • Release prior to 9.1R8.x
Cause
The Code sign verification on the Client-Side components fails because the Certificate expiry time is checked instead of the timestamp of the Code signing.
Solution
The following are the release timelines for the fixes,
 
ProductReleaseETADownload LinkKnown Issues
PCSPulse Connect Secure-9.1R11.3 Software (Build 12173)ReleasedDownloadPDC fails to prompt for upgrade. Solution

 
PCSPulse Connect Secure 9.1R8.4 Software (Build 12177)ReleasedDownload1. PDC fails to prompt for upgrade. Solution
2. The PSAL installation prompts for admin credentials on windows 8.1 for Local
user.
PCSPulse Connect Secure-9.1R9.2 Software (Build 12181)ReleasedDownload1. PDC fails to prompt for upgrade. Solution
2. The PSAL installation prompts for admin credentials on windows 8.1 for Local
user.
PCSPulse Connect Secure-9.1R10.2 Software (Build 12179)ReleasedDownload1. PDC fails to prompt for upgrade. Solution
2. The PSAL installation prompts for admin credentials on windows 8.1 for Local
user.
Note:
  1. Pulse Desktop versions viz., 9.1.8(8393), 9.1.9(8395), 9.1.10(8401), 9.1.11(8389) shipped/bundled with the PCS fixes per the table above do not have any new code fixes/improvements. Therefore, there is no need to use them.
  2. If you do use them, please note that, Auto upgrade of Pulse Desktop Clients from 9.1.8 (8393), 9.1.9 (8395), 9.1.10  (8401) to 9.1.11 (8389) will fail. This is due to the lower build number - 9.1.11 (8389).
  3. To upgrade PDC, Run the manual/Uninstaller exe step, connect to PCS and launch the PDC via the browser.
  4. Recommendation/Workaround to overcome 2.
  • Use SCCM or any or any other third Party Software Management control system.
  • Manual Un-installation of impacted PDC before installing the newer PDC version 9.1.11 (8389).
Note - We will update PPS timelines as soon as it becomes available.

General Guidelines to install the fix :
  1. The solution would involve upgrading the PCS server as well as clearing the older Pulse Secure components on the End-User devices
Note - End-Users who do not have any Pulse Secure components already installed, can skip Step # 2.

       2. The End User devices that have Pulse Secure components already installed would need to follow one of the two methods outlined below:
  • Run the Uninstall Pulse Components Executable
 ExecutableFixHashesGuidelines
For non-IE UsersPortal Download Link:
Uninstaller.exe
(Under release download page)
Direct Download Link:
Uninstaller.exe
This ensures that Host Checker Process is stopped before uninstalling it.MD5 Signature: c21351499944ad54efbc370510e414f8
SHA2 Signature: 57284f5dd349c6c719f90de0e6b8ddb10894c6d84dc7a3471f72fec2d2620205
End-users do not require admin privileges to run this Uninstall Pulse Components Executable.
For IE Users (Applicable to all browsers)Portal Download Link: Uninstaller-forIE.exe (Under release download page)
Direct Download Link:
Uninstaller-forIE.exe
This will remove all the legacy traces of ActiveXMD5 Signature: c0c7b3be7e01ccf64cc1aba231c973a5
SHA2 Signature: d14100452e6f08fb302fcd16bae8e3b8c83327daf1c2798765b80771b0f10a65
  1. This tool should be run in the affected user login context.
  2. Close Internet Explorer browser instances.
  3. If there are Internet explorer process running in the background, kill them via task manager.
  4. Run uninstaller & enter your Admin credentials if prompted.
Note:- Do not use Run as Administrator option

Troubleshooting -
If users still have issue, please collect PulseSecure_KB44781.log from \Users\<Username>\AppData\Roaming and open a support case.
 

To manually remove PSAL and Setup Client components perform the following,

           
a. Navigate to Control Panel -> Programs and Features
b  Select “Pulse Application Launcher
c. Right Click and Uninstall.
d. Select “Pulse Secure Setup Client
e. Right Click and Uninstall.
f.  Select “Pulse Citrix Services Client
g. Right Click and Uninstall.
h. Select “Pulse Terminal Services Client
i.  Right Click and Uninstall.
j.  Select “Pulse Secure Host checker"
k. Right Click and Uninstall.
l. 
Select "Pulse Secure Setup client 64-bit Activex control"
m.Right Click and Uninstall. Enter Admin credentials if prompted
n. Select "Pulse Secure Setup client Activex Control"
o. Right Click and Uninstall. Enter Admin credentials if prompted.

       3.  Once, Step # 2 is completed, the End-Users should be able to successfully connect to the new PCS version.

Fixed Issue # 1:

Users may see "Windows Defender SmartScreen" pop-up during the installation of Pulse Secure components.

User-added image

Microsoft smart screen that runs with Windows Defender uses prevalence to trust the certificate used in signing the Pulse Binaries. This is the expected behavior according to our CA. And, with time, the end-users will stop receiving these notifications as the trust would be built.

We involved Microsoft to update the prevalence of our application and end users should no longer see these warnings,

Note: A similar behavior may be seen with some AV vendors as well. These warnings will stop with time.
 


Frequently Asked Questions :

1.    Why do we need to remove the client-side components before connecting to the new PCS server version? Is it because the Symantec code needs to be removed before the Digicert can be effective?

  • The already installed binaries are signed by Symantec.
  • It requires the same issuer name (CA) to replace existing binaries on the endpoints.
  • As Digicert has already acquired Symantec’s Website Security and PKI solution, we can no longer obtain a Symantec certificate as they have stopped all the servers/infra that is required to manage Symantec certificate.
  • Therefore, the client side pulse components need to be removed before you can successfully connect to the fixed PCS server versions.

2.    Can we use the same Pulse component uninstall executable for all the affected versions?
a.    Yes, we can use the same Pulse component uninstall executable for all the affected versions.

3.    Will the executable impact Pulse Installer service & the Pulse Desktop Client?
a.    No, the executable will not impact Pulse Installer service or the Pulse Desktop Client.

4.    Does this executable work on all Windows Operating systems?
a.    The executable works on Windows 8.1/10 (32/64-Bit).

5.    Do we have to upgrade the PCS server only after end-users clean up the pulse components?
a.    Both the activities can run independent of each other.

6.    What is the recommended software version?
a.    The recommended software version is PCS 9.1R11.4 SA44784 (Please review the Release Notes prior to upgrade).

7.    What actions should I undertake if I upgrade from PCS versions prior to 9.1R8 to 9.1R8.4/9.1R9.2/9.1R10.2/9.1R11.3/4?
a.    Although PCS versions prior to 9.1R8 do not have a functionality impact, the certificate used in them is Symantec.
       Therefore, you would need to perform the same set of actions that are applicable to the affected PCS versions.

Workaround:

  • Use Pulse Desktop Client (Do not launch it through the browser).
Related Links
Attachment 1 
Created ByRaghu Kumar

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255