I'm wondering what the best way is to authenticate users who work from domain-joined computers when off network. This would be someone like a laptop user or a user who I would set to permanently work from home and want them on the domain. This is an Active Directory (2008 R2) environment with Windows 7 on the desktop.
Preferably, I want these users to have an active VPN connection during login so that they can be authenticated against a domain controller and not use cached credentials (just like it would work if they were in an on-network office).
Do I need to use one of the Pulse connection profile settings that uses machine authentication to establish a connection, or can I use the "automatically at user login" option?
Documentation says the following for Pulse connection profiles automatically at user login option:
Enables Pulse client interaction with the credential provider software on the endpoint. The user credentials are used to establish the authenticated Pulse connection to the network, log in to the endpoint, and log in to the domain server.
Does this option cause Pulse to fully connect before the login is attempted to the computer? It seems worded in a way that implies that it does. If it does, why would I want to use this vs. a machine authentication option, or vice versa?
Lastly, is the option in User Role/VPN Tunneling/Options for "Launch client during Windows Interactive User Logon" (This option allows client to be started when users log into Windows) identical to setting the Pulse connection profile to "Automatically at user login"? If so, and I want to use this option, is it better to set it in the connection profile or the user role?
"Automatically at user login" is the credential provider option where the user can establish the tunnel at user login with cached domain credentials.
KB25604 is under modification; Windows 2008 R2 is supported from 8.0 onwards.
Launch client during Windows Interactive User Logon is the credential provider option for network connect and is not related to Pulse.
Pulse should throw an error and SSO to Windows will fail.
I guess if the user types in cached credentials in their Windows login prompt, they can log into Windows.
Need to test in lab but this is the expected behavior.
Digging through the admin guide, I find the following pieces:
Pulse supports the following credential provider types:
And the following, which explains the provider (this is under the VPN Tunneling and not the Pulse section, so it seems to be talking about Network Connect, but I assume the credential provider itself is the same for Pulse as well):
There are two basic types of credential providers: standard authentication and Pre-Logon Access Providers (PLAP). Standard authentication includes password-based or certificate-based credentials. A PLAP is a special type of credential provider that allows users to make a network connection before logging in to their system. The VPN tunneling credential provider is a PLAP provider.
The admin guide indicates to me that credential provider login takes a username/password specified at login and passes that to Pulse to connect to the VPN. Once the VPN is connected, it will then use the same credentials previously entered for SSO to Windows. Ultimately, this reads to me that with credential provider login, Pulse connects first, and not until Pulse is connected will the Windows login occur, being authenticated against an AD DC.
What is still not clear to me is what happens if Pulse fails to connect. Will the Windows login occur with pre-existing cached Windows credentials (assuming cached login is allowed), or will it simply never let the user log in? This doesn't seem to be mentioned anywhere (admin guide or KB).
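Since the open question in this thread is whether a given sign-in was validated by a domain controller or fell back to cached credentials, the following PowerShell script is a lab check for exactly that. It is an added example, not code from this thread or from the Pulse Secure documentation. It assumes a Windows 7 / Server 2008 R2 domain member with PowerShell 2.0 or later, run from an elevated prompt (reading the Security log needs administrator rights); the `$MaxEvents` and `$User` parameter names are this example's own. It relies on three documented Windows facts: Security event 4624 records the logon type, logon type 11 (CachedInteractive) means the DC was not contacted, and `LOGONSERVER` naming the local machine for a domain account indicates a cached logon.

```powershell
# Added example (not from the thread or the Pulse Secure docs): after a user signs in
# through a Pulse credential-provider (PLAP) connection, report whether Windows
# validated the logon against a DC or used cached domain credentials.
# Assumptions: Windows 7 / Server 2008 R2 domain member, PowerShell 2.0+, elevated prompt.

param(
    [int]$MaxEvents = 200,          # how many recent 4624 events to inspect (example parameter)
    [string]$User = $env:USERNAME   # account to report on; defaults to the current user
)

# Logon types relevant to an interactive sign-in. Type 11 (CachedInteractive) means the
# logon used locally cached credentials and no domain controller was contacted.
$logonTypeNames = @{
    2  = 'Interactive (domain account validated by a DC)'
    10 = 'RemoteInteractive (RDP)'
    11 = 'CachedInteractive (cached credentials, DC not contacted)'
}

function Get-EventDataValue {
    param([xml]$EventXml, [string]$Name)
    # Event 4624 stores its fields as <Data Name="..."> elements inside <EventData>.
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-InteractiveLogons {
    param([int]$Count, [string]$Account)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                           -MaxEvents $Count -ErrorAction Stop
    foreach ($ev in $events) {
        $x    = [xml]$ev.ToXml()
        $type = [int](Get-EventDataValue $x 'LogonType')
        if (-not $logonTypeNames.ContainsKey($type)) { continue }   # skip service/network logons
        $name = Get-EventDataValue $x 'TargetUserName'
        if ($name -ne $Account) { continue }
        New-Object PSObject -Property @{
            Time        = $ev.TimeCreated
            User        = "$(Get-EventDataValue $x 'TargetDomainName')\$name"
            LogonType   = $type
            Description = $logonTypeNames[$type]
            AuthPackage = Get-EventDataValue $x 'AuthenticationPackageName'
        }
    }
}

# 1. Current session: for a domain account, LOGONSERVER pointing at the local machine
#    instead of a DC is the classic sign that this sign-in used cached credentials.
$logonServer = $env:LOGONSERVER
$usedCache   = ($logonServer -eq "\\$env:COMPUTERNAME")
Write-Host "Current session LOGONSERVER: $logonServer  (cached logon suspected: $usedCache)"

# 2. Is a DC reachable right now (i.e. is the tunnel actually up)? nltest ships with Windows 7.
#    A non-zero exit code means the secure channel to the domain could not be verified.
& nltest "/sc_query:$env:USERDNSDOMAIN" | Out-Null
Write-Host "Secure channel to $($env:USERDNSDOMAIN) verified: $($LASTEXITCODE -eq 0)"

# 3. Recent interactive logons for this account, cached vs. DC-validated.
Get-InteractiveLogons -Count $MaxEvents -Account $User |
    Sort-Object Time -Descending |
    Format-Table Time, User, LogonType, Description, AuthPackage -AutoSize
```

Run it once after a sign-in with the Pulse connection allowed to establish, and once after deliberately making the VPN gateway unreachable; a type 2 logon with `LOGONSERVER` set to a DC in the first case and a type 11 logon (or no logon at all) in the second answers the question of whether the credential provider lets the user fall back to cached credentials. Because the check reads only the local Security log, it works even if the tunnel is down when you run it.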