Certificate Authentication not working


alexeh
Contributor (0)
Aug 29, 2017 7:26am
Hello,


I am currently trying to implement certificate authentication on a PulseSecure 8.3R1 (build 55339) test server.
I've imported the self-signed certificate to the trusted client CAs. The certificate has been created on a test WinServer 2008 PKI and the cert got enrolled to the clients by GPO (meanwhile I also imported it manually about 100 times).
I've also set up a host-checker rule to check for this CA; surprisingly, this is working.
But after the host-checker validation on my test client it just shows "Missing certificate. Check that your certificate is valid and up-to-date, and try again." even though it should be checking for the same cert.
I've set the AD/PKI server as Auth Server (while using it as LDAP login, this is working, so the connection is fine) and defined it as authentication method on the user realm. The user realm is restricted to "Only allow users with a client-side certificate signed by Trusted Client CAs to sign in" (I am not checking for cn, dn attributes or anything else yet).
My PKI issued a certificate to my client.



alexeh
Contributor (0)
Aug 29, 2017 9:44am
Nice, now I've locked myself out of the admin console due to host-checker and the missing certificate....crap
    alexeh
    Contributor (0)
    Aug 29, 2017 9:59am
    Recovered a snapshot.
    Followed these tutorials but still have the same problem:
    http://www.configrouter.com/junos-pulse-certificate-check-restriction-authentication-mobile-devices-364/
    https://forums.pulsesecure.net/topic/pulse-connect-secure/17070-authenticate-users-with-their-certificate-only (list at the end)
Olivn
Contributor (1)
Sep 1, 2017 9:09pm
> But after the host-checker validation on my test client it just shows "Missing certificate. Check that your certificate is valid and up-to-date, and try again." even though it should be checking for the same cert.

Make sure that the certificate installed is a "client certificate". HC doesn't care about the certificate extended key usage, but to connect to PCS you need a "TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)" certificate.
zanyterp
Pulse Secure Contributor (40)
Sep 8, 2017 1:35pm
Is the certificate you installed to the trusted client CA the CA that signed the certificate installed to users OR is it a client certificate for the PCS? If the latter, that should be happening. If the former, can you confirm that when you look at the installed personal certificates in IE that it is present?

Is the GPO-based installation for *machine* (Host Checker only) or *user* (browser & Pulse)?
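
The checks suggested in the replies above (client-authentication EKU, and user versus machine store), as an added PowerShell example that is not part of the original thread. It only reads the certificate stores; the function name `Get-ClientAuthCandidate` and its `IssuerMatch` parameter are hypothetical, and the default issuer filter is an assumption to replace with your CA's name.

```powershell
# Added example: list certificates in the user and machine "Personal" stores
# and report whether each one looks usable for TLS client authentication.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # TLS Web Client Authentication (OID from the thread)
$EkuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

function Get-ClientAuthCandidate {
    param(
        # User store is what the browser and Pulse use; machine store is what Host Checker uses.
        [string[]]$StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'),
        # Assumption: wildcard matched against the issuer DN, e.g. '*CN=My Test CA*'.
        [string]$IssuerMatch = '*'
    )
    $now = Get-Date
    foreach ($path in $StorePath) {
        foreach ($cert in Get-ChildItem -Path $path -ErrorAction SilentlyContinue) {
            if ($cert.Issuer -notlike $IssuerMatch) { continue }

            # Find the Extended Key Usage extension, if the certificate carries one.
            $eku = $cert.Extensions | Where-Object { $_ -is $EkuType }
            $ekuState = 'NoEkuExtension'
            if ($eku) {
                $usages = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
                $ekuState = if ($usages -contains $ClientAuthOid) { 'ClientAuth' } else { 'OtherUsagesOnly' }
            }

            [pscustomobject]@{
                Store         = $path
                Subject       = $cert.Subject
                Issuer        = $cert.Issuer
                EkuState      = $ekuState
                HasPrivateKey = $cert.HasPrivateKey   # required to answer the TLS challenge
                InValidity    = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
                Thumbprint    = $cert.Thumbprint
            }
        }
    }
}

Get-ClientAuthCandidate | Format-Table -AutoSize
```

A certificate that appears only under `Cert:\LocalMachine\My`, has `OtherUsagesOnly`, lacks a private key, or is outside its validity period is worth checking first.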