
Error "Certificate is untrusted and have to explicitly accept the certificate" on AnyConnect 3.1

Problem

After upgrading the AnyConnect package on the ASA from 3.0 to 3.1, the client reports that the certificate is untrusted and must be explicitly accepted when trying to log in to the website automatically. Is it possible to disable the strict trust setting to avoid this error?

Resolution

It is strongly recommended that Strict Certificate Trust for the AnyConnect client is enabled for the following reasons:

• With the increase in targeted exploits, enabling Strict Certificate Trust in the local policy helps prevent man-in-the-middle attacks when users are connecting from untrusted networks such as public-access networks.

• Even if you use fully verifiable and trusted certificates, the AnyConnect client, by default, allows end users to accept unverifiable certificates. If your end users are subjected to a man-in-the-middle attack, they may be prompted to accept a malicious certificate. To remove this decision from your end users, enable Strict Certificate Trust.

Refer to Enable Strict Certificate Trust in the AnyConnect Local Policy for more information.

It is still possible to disable the Strict Certificate Trust setting by using the local policy editor.

This can also be done manually.

On Windows platforms, the profile editor is available as anyconnect-profileeditor-win-3.1.01065-k9.exe in the Standalone Profile Editor package.
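Because the setting can be changed by hand, it is worth checking what a client's local policy file actually contains. The following is an added example, not part of the original article and not Cisco code. It assumes the policy is an AnyConnectLocalPolicy.xml document carrying a StrictCertificateTrust element, and that a missing element means the default described above applies; the sample documents are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy documents (not taken from the article).
SAMPLE_STRICT = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/" acversion="3.1.01065">
  <FipsMode>false</FipsMode>
  <StrictCertificateTrust>true</StrictCertificateTrust>
</AnyConnectLocalPolicy>"""
SAMPLE_RELAXED = SAMPLE_STRICT.replace(">true<", ">false<")
SAMPLE_MISSING = SAMPLE_STRICT.replace(
    "  <StrictCertificateTrust>true</StrictCertificateTrust>\n", "")


def local_name(tag):
    """Drop the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def audit_strict_trust(policy_xml):
    """Return (compliant, reason) for one local policy document."""
    try:
        root = ET.fromstring(policy_xml.encode("utf-8"))
    except ET.ParseError as exc:
        return False, f"unparseable policy: {exc}"
    if local_name(root.tag) != "AnyConnectLocalPolicy":
        return False, f"unexpected root element {local_name(root.tag)!r}"
    values = [(el.text or "").strip().lower() for el in root.iter()
              if local_name(el.tag) == "StrictCertificateTrust"]
    if not values:
        # Assumption: an absent element leaves the client default in force,
        # which lets users accept unverifiable certificates.
        return False, "StrictCertificateTrust absent, default (off) applies"
    if len(values) > 1:
        return False, "StrictCertificateTrust appears more than once"
    if values[0] == "true":
        return True, "StrictCertificateTrust is enabled"
    if values[0] == "false":
        return False, "StrictCertificateTrust is disabled"
    return False, f"unrecognised value {values[0]!r}"


if __name__ == "__main__":
    for name, doc in [("strict", SAMPLE_STRICT), ("relaxed", SAMPLE_RELAXED),
                      ("missing", SAMPLE_MISSING)]:
        print(name, audit_strict_trust(doc))
```

Anything other than a single, explicit `true` is reported as non-compliant, so a hand-edited file with a typo or a duplicated element fails the check rather than passing silently.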

 

Source: https://supportforums.cisco.com/thread/2179230?tstart=0