


Windows Repeatedly Prompts For Logons When On VPN


chi11er
Contributor (0)
Apr 27, 2017 6:44am
Hi,

I've spent time searching for a previous answer here and I can only assume it's the keywords I'm using.

In our environment we are using a separate credential set to build the VPN tunnel from the client.

Once connected, any domain connected device is prompting for a login.

Whilst our logs are pretty scant, it appears to be related to the PC trying to use the VPN Authentication Credentials to authenticate with any network device on the VPN network segment.

Once you authenticate with a server / service the session remembers the login used (till reboot).

In the Windows VPN world, this would be resolved with:

You'll need to locate your VPN connection's .pbk file.
You can find it here:
C:\Users\{WindowsLogin}\AppData\Roaming\Microsoft\Network\Connections\Pbk
Or if you have it set to allow all users to use the connection, you can find it here:
C:\ProgramData\Microsoft\Network\Connections\Pbk
Edit it with a text editor and find the line that says:
UseRasCredentials=1
Disable it by setting it to 0
UseRasCredentials=0

Please can anyone help me find where on earth I set this on the Pulse side, as no one I have spoken to seems to understand the client or server...

Many thanks in advance.
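
The phonebook edit described in the post above, as an added PowerShell example (not part of the original post, and it applies only to Windows built-in VPN phonebook entries, not to the Pulse client). The function name `Set-UseRasCredentialsOff` and the `$Apply` variable are hypothetical, the sample phonebook text is constructed, and the script assumes `%APPDATA%` and `%ProgramData%` resolve to the two folders named in the post.

```powershell
# Added example: report, and optionally clear, UseRasCredentials=1 in .pbk files.
# Set-UseRasCredentialsOff and $Apply are hypothetical names, not a Windows API.
function Set-UseRasCredentialsOff {
    param([string[]]$Lines)   # lines of one .pbk file
    $section = $null
    $changed = @()
    $out = foreach ($line in $Lines) {
        # Each connection is an INI-style [section]; remember which one we are in.
        if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1] }
        if ($line -match '^UseRasCredentials=1\s*$') {
            $changed += $section          # record the entry that had it enabled
            'UseRasCredentials=0'
        } else { $line }
    }
    [pscustomobject]@{ Lines = @($out); Changed = $changed }
}

# Constructed sample phonebook text (not taken from a real machine).
$sample = "[Corp VPN]", "Encoding=1", "UseRasCredentials=1", "",
          "[Lab VPN]", "UseRasCredentials=0"
(Set-UseRasCredentialsOff -Lines $sample).Changed   # entries that had the flag set

$Apply = $false   # leave $false to report only; $true rewrites files after a .bak copy
$pbkDirs = "$env:APPDATA\Microsoft\Network\Connections\Pbk",
           "$env:ProgramData\Microsoft\Network\Connections\Pbk"
Get-ChildItem -Path $pbkDirs -Filter *.pbk -ErrorAction SilentlyContinue | ForEach-Object {
    $result = Set-UseRasCredentialsOff -Lines (Get-Content -LiteralPath $_.FullName)
    if ($result.Changed.Count -gt 0) {
        "{0}: UseRasCredentials=1 in: {1}" -f $_.FullName, ($result.Changed -join ', ')
        if ($Apply) {
            Copy-Item -LiteralPath $_.FullName -Destination "$($_.FullName).bak"
            # Assumes ASCII entry names; check the file encoding before rewriting otherwise.
            Set-Content -LiteralPath $_.FullName -Value $result.Lines
        }
    }
}
```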




zanyterp
Pulse Secure Contributor (40)
Apr 27, 2017 4:44pm
What do you expect to see instead of the servers asking for authentication?
Are the users logging in with the same credential to the PC as to the backend services?
If you do not do machine auth/credential provider for Pulse, does the behavior occur?
    chi11er
    Contributor (0)
    Apr 27, 2017 6:25pm
    Hi,

    Thanks for responding - it's much appreciated.

    The user logs into a domain joined laptop with a domain account. This may be password or certificate based.

    When not using the VPN, Kerberos/NTLM and SSO work seamlessly.

    The VPN uses a user certificate to authenticate (different credentials) and does not reference the Active Directory - instead it uses a separate LDAP database.

    As soon as you make the VPN connection the same server that seamlessly authenticated 30 seconds ago prompts for login.

    That could be SMB / RDP / IIS (using integrated authority) etc etc...

    I would expect the VPN to be seamless and the user to continue authenticating using their logged in domain credentials.

    I should add that this behavior is not happening on our Windows 7 devices running the old Juniper client.

    It's just on Win10 where we have:
    A) updated the agent
    B) created a new Config
    C) used the new agent

    Hence I'm assuming there is an option setting we have missed.

    Thanks in advance.

    zanyterp
    Pulse Secure Contributor (40)
    May 1, 2017 3:03pm
    Thank you for expanding on what you are seeing.
    If you use the old agent with old config, but on Win10, do you see the expected/desired behavior?
    If you use the old agent with the new config, but on Win10, what do you see?
    If you use the new agent with the old config, on Win10, what do you see?