This article explains why “invalid signature” messages are displayed in the Junos Pulse debug logs for Pulse dll files and how the issue can be addressed.
When Junos Pulse is installed for UAC dot1x Layer 2 and Layer 3 connections on some clients running Windows, an "invalid signature" error is displayed in the Junos Pulse debug logs:
00239,09 2013/08/11 13:48:35.562 1 SYSTEM dsAccessService.exe dsAccessService p1524 t3E8 accessPluginLoader.cpp:113 - 'AccessService' plugin C:\Program Files\Common Files\Juniper Networks\8021xAccessMethod\8021xAccessMethod.dll, invalid signature
00239,09 2013/08/11 13:48:35.578 1 SYSTEM dsAccessService.exe dsAccessService p1524 t3E8 accessPluginLoader.cpp:113 - 'AccessService' plugin C:\Program Files\Common Files\Juniper Networks\Integration\IntegrationAccessMethod.dll, invalid signature
What generates this message and how can it be avoided?
Junos Pulse software library files (.dll files) are signed by Juniper Networks, and the Juniper Networks certificate is issued by the VeriSign Class 3 Code Signing CA.
The error occurs because the root Certificate Authority (CA) certificate is missing from the local computer certificate store of the Windows machine where Junos Pulse is installed.
Perform the following checks:
1. Ensure all the latest Windows updates and patch levels have been applied to the computer; Microsoft periodically updates the root CAs and subordinate CAs in the Windows machine certificate store. Not applying Windows updates and patches is also a security risk.
2. Confirm the VeriSign Class 3 Code Signing CA is installed. This will allow the Junos Pulse signature verification to pass successfully.
Alternatively, you can download the VeriSign root CA from:
http://www.verisign.com/repository/roots/root-certificates/PCA-3G5.pem
3. After the root CA installation is confirmed, re-run Junos Pulse. Below is a sample of a Junos Pulse debug log where the Pulse DLLs are verified successfully.
00245,09 2013/08/26 12:25:17.842 4 SYSTEM dsAccessService.exe dsAccessService p4060 tE68 verify.cpp:213 - 'dsVerifySignature' C:\Program Files\Common Files\Juniper Networks\Integration\IntegrationAccessMethod.dll signed by Juniper Networks and verified
00157,09 2013/08/26 12:25:17.842 4 SYSTEM dsAccessService.exe dsAccessService p4060 tE68 verify.cpp:230 - 'dsVerifySignature' verifySignature complete with result 1
00244,09 2013/08/26 12:25:17.967 5 SYSTEM dsAccessService.exe dsAccessService p4060 tE68 accessPluginLoader.cpp:111 - 'AccessService' plugin C:\Program Files\Common Files\Juniper Networks\8021xAccessMethod\8021xAccessMethod.dll, verifying signature...
00227,09 2013/08/26 12:25:17.967 4 SYSTEM dsAccessService.exe dsAccessService p4060 tE68 verify.cpp:46 - 'dsVerifySignature' verifying signature on C:\Program Files\Common Files\Juniper Networks\8021xAccessMethod\8021xAccessMethod.dll
00245,09 2013/08/26 12:25:17.983 4 SYSTEM dsAccessService.exe dsAccessService p4060 tE68 verify.cpp:213 - 'dsVerifySignature' C:\Program Files\Common Files\Juniper Networks\8021xAccessMethod\8021xAccessMethod.dll signed by Juniper Networks and verified
00157,09 2013/08/26 12:25:17.983 4 SYSTEM dsAccessService.exe dsAccessService p4060 tE68 verify.cpp:230 - 'dsVerifySignature' verifySignature complete with result 1
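The checks in steps 2 and 3 can also be made directly from PowerShell on the affected client. This is an added example, not Juniper's own tooling; the DLL paths are taken from the debug log above, and selecting certificates by the subject text "VeriSign" is an assumption made for illustration.

```powershell
# Added example: the two plugin DLLs named in the Junos Pulse debug log.
$dlls = @(
    'C:\Program Files\Common Files\Juniper Networks\8021xAccessMethod\8021xAccessMethod.dll',
    'C:\Program Files\Common Files\Juniper Networks\Integration\IntegrationAccessMethod.dll'
)

foreach ($dll in $dlls) {
    if (-not (Test-Path -LiteralPath $dll)) {
        Write-Warning "Not found: $dll"
        continue
    }

    # Windows' own Authenticode verdict for the file (Valid, NotTrusted, UnknownError, ...).
    $sig = Get-AuthenticodeSignature -FilePath $dll
    "{0}`n  Status : {1}`n  Signer : {2}" -f $dll, $sig.Status, $sig.SignerCertificate.Subject

    if ($null -eq $sig.SignerCertificate) { continue }

    # Build the signer's chain without revocation checks so that a missing
    # root is reported as a chain error, not hidden behind a lookup failure.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($sig.SignerCertificate)

    "  Chain trusted: $trusted"
    foreach ($element in $chain.ChainElements) {
        "    -> " + $element.Certificate.Subject
    }
    foreach ($status in $chain.ChainStatus) {
        # UntrustedRoot or PartialChain points at the missing CA certificate.
        # NotTimeValid only means the signer certificate has since expired;
        # the chain is evaluated at the current time, not the signing time.
        "    ! {0}: {1}" -f $status.Status, $status.StatusInformation.Trim()
    }
}

# List VeriSign certificates in the local computer root and intermediate stores.
# Subject matching is an assumption; compare the result with your expected CA.
Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -like '*VeriSign*' } |
    Select-Object Subject, NotAfter, Thumbprint, PSParentPath |
    Format-List
```

A Status other than Valid combined with an UntrustedRoot or PartialChain entry is consistent with the missing root CA described above; after the certificate is installed, the same script should report Valid for both DLLs.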
NOTE: For assistance with identifying the certificates installed on your system or the Windows update and patch levels, please contact your local IT resources.