
Anyconnect "Disable Automatic Certificate Selection" not working

heiki saaver
Level 1

Hi. Can anyone explain to me what exactly is the "Disable Automatic Certificate Selection" supposed to achieve?

My theory is that upon connecting to a VPN gateway (ASA) I am given an option to select the certificate I would like to use for authenticating myself.

However this option seems to have no effect at all.

Anyconnect always selects the certificate on its own and tries authenticating with it automatically.

Let's say one user account has several user certificates installed. The user can't select the desired certificate for authentication; some certificate is chosen randomly. Or maybe that user actually just wants to authenticate via the computer certificate.

I have disabled preference caching in AnyConnectLocalPolicy.xml (<RestrictPreferenceCaching>Thumbprints</RestrictPreferenceCaching>)

so none of the certificate thumbprints are cached in preferences.xml

The client profile pushed to the AnyConnect clients does have automatic cert selection disabled:

<AutomaticCertSelection UserControllable="false">false</AutomaticCertSelection>

Any suggestions? thanks!

5 Replies
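The original post names three client-side files that bear on which certificate AnyConnect offers: the pushed client profile (AutomaticCertSelection), AnyConnectLocalPolicy.xml (RestrictPreferenceCaching) and preferences.xml (cached thumbprints). The following lint script is an added example, not Cisco's code and not something from the original thread. It parses constructed copies of those three files and reports the settings together, which is the check a practitioner wants before blaming the client. The element names AutomaticCertSelection and RestrictPreferenceCaching come from the thread; the name ClientCertificateThumbprint for the cached entry in preferences.xml, and all sample values, are assumptions made for the sample input.

```python
"""Lint the three AnyConnect client XML files that control certificate selection.

Added example, not Cisco's code or code from the original post.
"""
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the snippets quoted in the thread.
# The xmlns matches what a pushed AnyConnect profile carries; lookups below
# ignore namespaces anyway, so a profile without one parses the same way.
PROFILE_XML = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticCertSelection UserControllable="false">false</AutomaticCertSelection>
  </ClientInitialization>
</AnyConnectProfile>"""

# Same profile with the setting the thread is trying to get away from.
BAD_PROFILE_XML = PROFILE_XML.replace(
    'UserControllable="false">false', 'UserControllable="true">true')

LOCAL_POLICY_XML = """<AnyConnectLocalPolicy>
  <RestrictPreferenceCaching>Thumbprints</RestrictPreferenceCaching>
</AnyConnectLocalPolicy>"""

# Assumption: the cached entry is called ClientCertificateThumbprint.
# The thumbprint value itself is constructed and not a real certificate.
PREFS_XML = """<AnyConnectPreferences>
  <ClientCertificateThumbprint>0011223344556677889900AABBCCDDEEFF001122</ClientCertificateThumbprint>
</AnyConnectPreferences>"""


def _local(tag):
    """Strip an XML namespace prefix: '{ns}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def _find(xml_text, name):
    """Return the first element whose local name is `name`, or None."""
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == name:
            return el
    return None


def auto_cert_selection(profile_xml):
    """Return (enabled, user_controllable) for AutomaticCertSelection.

    Both are None when the element is absent, i.e. the client default applies.
    """
    el = _find(profile_xml, "AutomaticCertSelection")
    if el is None:
        return None, None
    enabled = (el.text or "").strip().lower() == "true"
    user_controllable = el.get("UserControllable", "").strip().lower() == "true"
    return enabled, user_controllable


def preference_caching(policy_xml):
    """Return the RestrictPreferenceCaching value, 'false' when not set."""
    el = _find(policy_xml, "RestrictPreferenceCaching")
    return (el.text or "").strip() if el is not None else "false"


def cached_thumbprints(prefs_xml):
    """Return every non-empty ClientCertificateThumbprint found in preferences.xml."""
    return [(el.text or "").strip()
            for el in ET.fromstring(prefs_xml).iter()
            if _local(el.tag) == "ClientCertificateThumbprint" and (el.text or "").strip()]


def lint(profile_xml, policy_xml, prefs_xml):
    """Combine the three checks into a list of 'OK'/'WARN' findings."""
    findings = []
    enabled, uc = auto_cert_selection(profile_xml)
    if enabled is None:
        findings.append("WARN AutomaticCertSelection missing from profile; client default applies")
    elif enabled:
        findings.append("WARN AutomaticCertSelection=true: the client picks the certificate itself")
    else:
        findings.append("OK   AutomaticCertSelection=false (UserControllable=%s)" % uc)

    caching = preference_caching(policy_xml)
    if caching in ("Thumbprints", "CredentialsAndThumbprints", "All"):
        findings.append("OK   RestrictPreferenceCaching=%s: thumbprints are not cached" % caching)
    else:
        findings.append("WARN RestrictPreferenceCaching=%s: a cached thumbprint can pre-select a certificate" % caching)

    thumbprints = cached_thumbprints(prefs_xml)
    if thumbprints:
        findings.append("WARN preferences.xml still holds %d cached client certificate thumbprint(s); delete them and reconnect" % len(thumbprints))
    else:
        findings.append("OK   no client certificate thumbprint cached in preferences.xml")
    return findings


if __name__ == "__main__":
    for line in lint(PROFILE_XML, LOCAL_POLICY_XML, PREFS_XML):
        print(line)
```

Run it against the real files (the profile path Jan gives below, plus AnyConnectLocalPolicy.xml and the per-user preferences.xml) by reading them into the three arguments of `lint`. A profile that says `false` together with a policy that restricts caching but a preferences.xml that still carries a thumbprint is exactly the mixed state worth spotting: the stale cached entry was written before caching was restricted and is not removed by the policy change.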

Jan Rolny
Level 3

Hi,

I already had this problem, and the option you described helped me. So it depends on where your profile is stored and what system you are using.

On my Win7 machine the default profile path is:

C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\AnyConnectProfile.xml

And the option which enables certificate selection is (element tag stripped by the forum renderer; reconstructed from the element named in the original post):

<AutomaticCertSelection>false</AutomaticCertSelection>

Please restart the AnyConnect services after modifying the profile, or restart your system.

Also try running the AnyConnect client with "Run as administrator".

Best regards,

Jan

That's funny, because that is exactly how I'm running this.

Can you also choose between connection profiles when prompted to choose a certificate?

What I really need is to choose between certificates AND an option to authenticate with plain AAA only.

Because I can choose AAA authentication (or any other connection profile) only when certificate-based validation fails.

Hi,

If I understand you correctly, you want two selection options when logging in to the VPN.

It is possible, and it depends on how you configure the VPN on the ASA side. If you have more than one VPN profile, one with certificate authentication and another with simple LOCAL AAA authentication, the client will offer you these two options in the combo box.

So have you solved your problem with certificate selection?

Best regards,

Jan

No, the issue is not resolved. I fixed the connection profile selection issue; I forgot I had previously done a certificate to connection profile mapping.

But I am still not prompted for certificate selection. If I find a solution I will update.

thanks for the help so far!
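Jan's second reply describes the ASA side of this: two connection profiles (tunnel-groups), one authenticating by certificate and one by LOCAL AAA, exposed to the client as a drop-down. The fragment below is an added example of that layout, not configuration from the original thread or from a Cisco document. The interface name `outside`, the tunnel-group names `CERT-USERS` and `AAA-USERS`, the group policies `GP-CERT` and `GP-AAA` and the alias strings are all assumptions; substitute your own.

```text
! Added example, not from the original thread. Names are placeholders.

! Make the connection-profile drop-down visible in the AnyConnect client.
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable

group-policy GP-CERT internal
group-policy GP-AAA internal

! Connection profile 1: certificate-only authentication.
tunnel-group CERT-USERS type remote-access
tunnel-group CERT-USERS general-attributes
 default-group-policy GP-CERT
tunnel-group CERT-USERS webvpn-attributes
 authentication certificate
 group-alias Certificate enable

! Connection profile 2: username/password against the LOCAL database.
tunnel-group AAA-USERS type remote-access
tunnel-group AAA-USERS general-attributes
 authentication-server-group LOCAL
 default-group-policy GP-AAA
tunnel-group AAA-USERS webvpn-attributes
 authentication aaa
 group-alias Password enable
```

One caveat that matches what the original poster ran into: a `certificate-group-map` entry under `webvpn` (paired with a `crypto ca certificate map`) steers a client that presents a matching certificate straight into the mapped tunnel-group, so the drop-down selection is overridden for that client. If both options must stay selectable, remove that mapping or narrow its match rules so the certificates in question no longer hit it.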

Hi,

What I would try is to uninstall the AnyConnect client, back up your profile folder, remove this profile folder, and install the AnyConnect client again from scratch.

With a clean profile I would modify just the AutomaticCertSelection option and then restart the computer.

I also have experience with computers which are in a domain. Sometimes AnyConnect does not have sufficient privileges to look inside the Windows certificate store. When I installed a new system and used the same configuration as a computer with domain policy, it worked with no problem.

Also check the AnyConnect logs in Event Viewer.

Jan