We currently have a simple setup.
Users log in to their desktop, start the Pulse client and manually connect.
This works fine for users who work a day from home,
but it gives some issues when users work from home all the time,
so we want a pre-login connection.
In a test lab I enabled the pre-desktop login, which works but makes the login much slower.
A better solution would be to use the machine account.
The best solution would be:
1. Computer boots and connects to the network.
2. Pulse connects with a restricted connection to a read-only domain controller.
3. User logs in, gets new groups and gets user GPOs.
4. User account takes over the Pulse connection and gets full access.
However, when I try to use a machine connection:
Info AUT24327 2020-03-27 14:24:05 - ive - [**ip**] **domain**\computer1$(Machine) - Primary authentication failed for **domain**\computer1$/**domain** from **ip**
Info AUT30923 2020-03-27 14:24:05 - ive - [**ip**] host/computer1.**domain**.local(Machine) - Active Directory authentication server '**domain**' : Received NTSTATUS code 'STATUS_WRONG_PASSWORD' .
The authentication service **domain** is Active Directory.
I also tried to use the device certificate (provided by our local certificate store), but I don't understand how I can add this as an authentication service.
There is an option for certificates, but as far as I understand it, this is a local Pulse-hosted certificate store?
Any help would be appreciated.
A machine tunnel using machine authentication will not work in the latest versions of Windows due to encrypted LSAs, although it can be done using a registry hack (not recommended by MS).
If you have a machine certificate installed on the user computers, then all you need is to create a certificate server auth instance on the VPN server by navigating to Authentication >> Auth servers >> choose Certificate server from the drop-down >> Add >> modify the parameters if needed >> Save changes.
Obtain a copy of the CA certificate and upload it under Configuration >> Certificates >> Trusted client CA.
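Before creating the certificate auth server, it is worth confirming on a client that a usable machine certificate actually exists and which CA issued it, since the CA you upload as a trusted client CA must be the one at the top of that chain. The following PowerShell is an added example written for this thread, not code from the thread or from Pulse Secure. It assumes the machine certificate lives in `Cert:\LocalMachine\My`, that the VPN server expects the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2), and that `C:\Temp\root-ca.cer` is an acceptable export location; all three are assumptions to adjust for your environment.

```powershell
# Added example (not from the thread): find a machine certificate suitable for
# certificate-based VPN authentication and export the root CA that issued it.
# Assumptions: store is Cert:\LocalMachine\My, the server checks for the
# Client Authentication EKU, and $ExportPath is a writable location.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'    # Client Authentication EKU
$ExportPath    = 'C:\Temp\root-ca.cer'   # hypothetical output location

function Get-RootCA {
    # Walk the chain offline (no revocation check) to find the issuing root.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($Cert)
    $last  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{ Built = $built; Root = $last }
}

# A cert is only usable for machine auth if it is valid, has its private key
# available to the machine, and carries the Client Authentication EKU.
# (Certificates with no EKU extension at all are deliberately excluded here.)
$candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
})

if ($candidates.Count -eq 0) {
    Write-Warning 'No valid machine certificate with a private key and Client Authentication EKU was found.'
    return
}

# Report every candidate and the root that issued it.
foreach ($cert in $candidates) {
    $info = Get-RootCA -Cert $cert
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        ChainBuilt = $info.Built
        RootCA     = $info.Root.Subject
    }
}

# Export the root CA of the first candidate in DER form. This is the file to
# upload on the VPN server under Configuration >> Certificates >> Trusted client CA.
$root = (Get-RootCA -Cert $candidates[0]).Root
New-Item -ItemType Directory -Path (Split-Path $ExportPath) -Force | Out-Null
Export-Certificate -Cert $root -FilePath $ExportPath -Type CERT | Out-Null
Write-Host "Root CA '$($root.Subject)' exported to $ExportPath"
```

Run it in an elevated PowerShell on a domain-joined test machine. If `ChainBuilt` is `False`, the intermediate or root CA is missing from the machine's stores and the exported root may not match what the server needs; fix the client-side chain first, then upload the CA.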