Showing results for 
Search instead for 
Did you mean: 

certificate based machine authentication

Occasional Visitor

certificate based machine authentication

Good day,


we currently have a simple setup.

User logs in to theire desktop start the pulse client and manualy connect.

This works fine for users that work a day from home.

but it gives some issue's when users work from home all the time.

so we want a pre-login connection

in a test lab i enabled the pre-desktop login. wich works but it makes the login much slower.


A better solution would be to use the machine account.

best solution would be

1. computer boots and connect to the network

2. Pulse connect with a restricted connection to a read only domain controller

3. user login / get new groups / gets user gpo's

3. user account takes over the pulse connection and get full access.


however when i try to use a machine connection 

Info	AUT24327	2020-03-27 14:24:05 - ive - [**ip**] **domain**\computer1$(Machine)[] - Primary authentication failed for **domain**\computer1$/**domain**from **ip**
Info	AUT30923	2020-03-27 14:24:05 - ive - [**ip**] host/computer1.**domain**.local(Machine)[] - Active Directory authentication server '**domain**' : Received NTSTATUS code 'STATUS_WRONG_PASSWORD' .

the authentication service **domain** is Active directory

i also tried to use the device certificate (provided by our local certificate store) but i don't understand how i can add this as authentication service.

there is an option for certificates but as far as i understand it this is a local pulse hosted certificate store?


any help would be appriciated.

Kind regards



Re: certificate based machine authentication

Hi @koos147,


Machine tunnel using machine authtentication will not work in latest version of Windows due to encrypted LSAs which can be done using a registry hack (not recommended by MS).


If you have a machine certificate installed on the user computers, then all you need is to create an cert server auth instance on the VPN server by navigating to Authentication >> Auth servers >> Choose Certifcate server from the drop down >> Add >> Modify the parameters, if need >> Save changes.


Obtain a copy of the CA certificate and upload it under Configuration >> Certificates >> Trusted client CA.

PCS Expert
Pulse Connect Secure Certified Expert