cancel
Showing results for 
Search instead for 
Did you mean: 

Dont understand Certificate Authentication - Do I need Host Checker ?

SOLVED
Highlighted
Occasional Contributor

Dont understand Certificate Authentication - Do I need Host Checker ?

I want my users to launch the client , I want the client to check for a cert, and if they have the cert I want them to be prompted to login with id/password. If they dont have the cert I want it to fail.

Is there a way to do this without Host Checker ? Without the client auto-logging them in at boot ?

Is hostchecker still a major hassle ? All I remember is that it constantly caused errors during auto-installation or upgrades.

11 REPLIES 11
Moderator

Re: Dont understand Certificate Authentication - Do I need Host Checker ?

I want my users to launch the client , I want the client to check for a cert, and if they have the cert I want them to be prompted to login with id/password. If they dont have the cert I want it to fail.

Is there a way to do this without Host Checker ?
>>>Yes. You can set it up in one of two ways
The first way is to use a certificate restriction on the realm set to required; if they don't have the certificate, they don't see the login page.
The second way is to have the primary auth server on your realm as certificate and the secondary as your username/password provider.

Without the client auto-logging them in at boot ?
>>>Can you expand on this further? The client will always launch when the user logs in and, depending on your configuration, may attempt to authenticate immediately or will wait for the user to manually attempt the connection. It does not require credential provider.

Is hostchecker still a major hassle ? All I remember is that it constantly caused errors during auto-installation or upgrades.
>>>It depends on what you are doing. If you are doing custom checks there is typically minimal hassle; if you are using the OPSWAT-based checks, the risks are the same now as they were previously.
Occasional Contributor

Re: Dont understand Certificate Authentication - Do I need Host Checker ?

Thanks for the response. It is much appreciated.

It is possible to setup and use this 2-factor auth setup using the Pulse Client ? It seems a little to me like you are describing the browser login.

There may be a couple of situations where I want the machine to auto-login to the VPN at boot and login, but for the most part I will have users login with cached credentials and manually initiate the connection. This is still possible, even with cert checking ?
Occasional Contributor

Re: Dont understand Certificate Authentication - Do I need Host Checker ?

Just to add some more info... For some reason Pulse cannot dynamically recognize and authenticate certificates in the Windows 'Local Computer\Personal\Certificates' store. Without host checker it can only read from 'Certificates - Current User'

To me this seems backwards. Support asked me to export the machine cert and put it in the User Cert folder. That wont work because a.) the certs are non-exportable and b.) even if they were I cant do that for X thousands of people.

I could deploy user certs to everyone but that seems like a hassle. Also, if I setup autoenroll on user certs, am I going to get a new cert every time I log into a different machine ? In other words could each machine potentially have dozens of user certificates ? I guess I could deploy the same cert to everyone but that seems weak.

Help- Somebody, this hurts my head. Thanks,

Justin
Contributor

Re: Dont understand Certificate Authentication - Do I need Host Checker ?

Pulse can check for machine certificates. You need to go into the Pulse Connection configuration and check the box "Select client certificate from machine certificate store". It's at the very bottom of the settings page under where you choose how you want Pulse to start.
Occasional Contributor

Re: Dont understand Certificate Authentication - Do I need Host Checker ?

I appreciate the response. I did that and it still doesnt work for me. I want users to launch the client on demand, not when the computer starts. Not sure if that has anything to do with it. More sessions with support are upcoming, thanks,.
Contributor

Re: Dont understand Certificate Authentication - Do I need Host Checker ?

Not sure then. We have several customers who auto provision domain machine certificates using Microsoft certificate services. Connection behavior for Pulse is the user manually starts the client as needed and the machine certificate authentication works fine with that machine store option chosen. Most are using the latest version of Pulse and 8.1 on the appliance.
Not applicable

Re: Dont understand Certificate Authentication - Do I need Host Checker ?

the pulse desktop client needs to know that you have to use the local machine store.
the preconfig file contains:
connection-identity: "machine-only"

without this you will get "missing or not valid certificate"

i use the command:
msiexec -i pulse.msi CONFIGFILE="xx.jnprpreconfig" /qb
to deploy this on the windows client.
i noticed i had to deinstall pulse first.
Occasional Contributor

Re: Dont understand Certificate Authentication - Do I need Host Checker ?

Here is the final word from support. In short, you can only do machine cert checking if you have the client login as a service, which I dont want to do. You can not do machine cert checking on demand. You can do user cert checking.

would like to inform you we have only two possibilites via PCS device.

Possibility 1:
- Enabling host checker based certificate restriction.
- To enable you to configure host checker policy on the PCS device.

Possibility 2:
- Pulse Secure client machine certificate authentication.
- User will be getting connected automatically once the machine boots up.
- However, you cannot connect via browser when certificate authentication enabled at realm level. It works only through Pulse Secure client.

Possibility 3: (Your actual requirement)
- Certificate restrictiion should be configured on the PCS device at realm or role level and the configuration should check the machine certificate store and connects the user.
- We can configure only user certificate authentication/restriction at realm or role level.

I would like to inform you that the third possibility is not achievable through PCS device. It is a new feature needs to implemented on the code level, so you need to go via sales channel to add the feature support.

Also I will invole the sales engineer Robin to create feature enhancement request.
Occasional Contributor

Re: Dont understand Certificate Authentication - Do I need Host Checker ?

This issue continues. I had a call with our SE who says this is possible with machine certs. She even put it in the lab and documented it. I followed the procedure perfectly but my laptop didnt work. Try it on my desktop and it works perfect. Going nuts trying to see the difference between the two. Why would pulse be able to see the cert and once machine and not the other ? The certs exist in all of the same places and the trusted roots and intermediaries are where they should be in both. The troubleshooting and debugging for this process is weak. If anyone has any ideas please let me know.

Thanks,
Justin