Problem authenticating to DC from Windows 10 Pulse Secure Client

New Contributor


I've been troubleshooting a connectivity problem that so far Pulse TAC hasn't been able to figure out. We're evaluating Pulse Secure for a possible deployment, so I'm hoping someone might have an idea.

Here's what's happening: My Windows 10 laptop is our standard corporate build. The default login is our corporate domain and username, and the laptop connects and authenticates fine on the corporate network. When the laptop is connected to a cable modem and thus the Internet, we have it set up to also log in with the same domain credentials, and to launch the PCS client before the login is complete, in always-on mode. Here's the problem: The client is sending the username to the concentrator as domain\username, and our DC is rejecting that as an invalid user account. But, if we cancel and then try to reconnect manually with the client using just the username, it connects just fine. I've run lots of policy trace logs on the appliance and the issue is the username. I'm wondering if there's some way to strip the domain from the username using a filter on the appliance, or to change it on the client side.

Client version: 5.2.2 (343)
Appliance: 8.2R2 (build 44173)
7 REPLIES
Contributor

Re: Problem authenticating to DC from Windows 10 Pulse Secure Client

What authentication type did you configure for AD authentication on the PSA, LDAP or AD?
New Contributor

Re: Problem authenticating to DC from Windows 10 Pulse Secure Client

The symptoms I'm seeing are with an LDAP server set up to talk to our DC.

Today I tried setting up a new authentication server of type AD, which yielded different results. In this case, domain\userid appeared to authenticate (based on the policy trace); however, the session didn't get set up and the laptop sat at the login screen for 30 minutes until the screen saver came on.
Contributor

Re: Problem authenticating to DC from Windows 10 Pulse Secure Client

So authentication is failing because with LDAP it will use samaccountname value by default and domain/username won't match that value. You can change your USER attribute in the LDAP configuration to use userPrincipalName and logon to your PC with username@domain.

It sounds like you have AD auth working now but have come to another issue. Does it map the user to a role and assign an IP address, etc.?
Moderator

Re: Problem authenticating to DC from Windows 10 Pulse Secure Client

How are you logging in: username/password (supported by both LDAP & AD) or user@domain.tld (only supported with LDAP)?
Utilizing the username definition as username=userPrincipalName should work, as mentioned earlier by Filbert; FWIW, I have tested this scenario successfully in the lab (UPN login + credential provider).
New Contributor

Re: Problem authenticating to DC from Windows 10 Pulse Secure Client

The Pulse client is sending the down-level logon name from the laptop, which is domain\userid. As a test, I'm using the Windows ldp.exe utility to test LDAP queries against my DC, and I'm seeing that the down-level logon name cannot be found on the DC, but the userid without the domain resolves properly. This replicates the behavior that I'm seeing with the LDAP client on my Pulse appliance, which is what I expected.

-----------
***Searching...
ldap_search_s(ld, "dc=Bank,dc=internal", 2, "(samaccountname=ADDOMAIN\cgiuffre)", attrList, 0, &msg)
Getting 0 entries:
-----------
***Searching...
ldap_search_s(ld, "dc=Bank,dc=internal", 2, "(samaccountname=cgiuffre)", attrList, 0, &msg)
Getting 1 entries:
Dn: CN=Giuffre\, Craig,OU=Info-Security,OU=Users,OU=AB HQ,DC=Bank,DC=internal
objectClass (4): top; person; organizationalPerson; user;

I guess my original question can be distilled down to this: Is there any way to configure the Pulse client on the laptop to strip the domain name from the username that it sends to the appliance? The laptop is a corporate build that is used in the office, hence the domain logon. Since we desire an always-on VPN, the Pulse client is configured to bring up the VPN after the user logs on to the laptop but before the logon completes. After 90 seconds the VPN fails to get established and the Windows desktop loads, and the Pulse client prompts again for credentials. When the user types the username and password into the Pulse dialog, it's smooth sailing after that.
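The following is an added example, not code from the thread or from Pulse Secure, illustrating why the ldp.exe query above returns 0 entries for the down-level name and 1 entry for the bare name: it normalizes the three Windows logon forms (DOMAIN\user, user@domain.tld, bare user) into the matching AD attribute and RFC 4515-escapes the value before it is placed in a filter. The function names and the sample logon names are assumptions; the attribute names sAMAccountName and userPrincipalName are the real AD ones.

```python
def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter.

    A logon name is client-supplied input, so it is escaped before being
    spliced into a filter; otherwise '*' or ')' would change the query.
    """
    special = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}
    return ''.join(special.get(ch, ch) for ch in value)


def parse_logon_name(logon: str) -> tuple:
    """Return (domain, user, ldap_attribute) for the Windows logon forms.

    'DOMAIN\\user' (down-level) -> sAMAccountName, domain split off
    'user@domain.tld' (UPN)     -> userPrincipalName, value kept whole
    'user' (bare)               -> sAMAccountName
    A leading backslash with no domain ('\\user'), which the last reply in
    the thread reports, is treated as an empty domain, not part of the name.
    """
    logon = logon.strip()
    if '\\' in logon:
        domain, _, user = logon.partition('\\')
        return domain, user, 'sAMAccountName'
    if '@' in logon:
        _, _, domain = logon.rpartition('@')
        return domain, logon, 'userPrincipalName'
    return '', logon, 'sAMAccountName'


def build_filter(logon: str, strip_domain: bool = True) -> str:
    """Build the LDAP search filter the appliance would need for a logon name.

    With strip_domain=False the down-level name is passed through as the
    client sent it, which is the shape of the query ldp.exe returned 0
    entries for: sAMAccountName never contains the DOMAIN\\ prefix.
    """
    domain, user, attribute = parse_logon_name(logon)
    if not user:
        raise ValueError('empty user name in logon %r' % logon)
    value = user if strip_domain or not domain else logon.strip()
    return '(%s=%s)' % (attribute, escape_filter_value(value))


if __name__ == '__main__':
    # Constructed sample names, modelled on the ldp.exe session above.
    for name in ('ADDOMAIN\\cgiuffre', 'cgiuffre', '\\cgiuffre', 'cgiuffre@bank.internal'):
        print('%-24s -> %s' % (name, build_filter(name)))
    print('unstripped              -> %s' % build_filter('ADDOMAIN\\cgiuffre', strip_domain=False))
```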
Moderator

Re: Problem authenticating to DC from Windows 10 Pulse Secure Client

Thank you for the reply.
I think I know what the problem is; unfortunately, I am not sure how to fix it (or if it can be fixed). In addition to the test you did with ldp.exe, can you confirm that when you log in to Pulse or the web UI as domain\username the same failure happens?
Is your username configured as username= or user=?
New Contributor

Re: Problem authenticating to DC from Windows 10 Pulse Secure Client

We are facing the exact same issue!
Was there a resolution found for this issue?

When using userprincipalname it also fails on our side, as the username is prepended with a backslash, which also results in user not found/authentication failure.

It seems for UAC it is solved; there is an option in the LDAP authentication server settings to "Remove Domain from Windows users names? (Applicable to UAC only)". But this setting is not present for PCS.

We are running PCS 8.3R2.1 (build 58581)

Regards,

Marco