06-22-2017 10:47 AM - edited 02-21-2020 09:20 PM
Some of my VPN clients get an untrusted certificate warning for AnyConnect client 3.1, but some do not.
Is there any reason why this would happen? I have checked the certs on the tokens and all of them have the correct certs, but only some have the issue of an untrusted VPN server certificate.
Thank you,
Joel
06-22-2017 11:07 AM
Is it possible that there is another device in between presenting another SSL cert? I have seen it happen when clients connect via hotel wifi. According to your screenshot, it seems to be receiving a cert that
1) had the wrong "issued to" name
2) was issued by an untrusted CA
3) did not have the right key usage attribute
The chances of all 3 conditions failing seem odd. I would suggest they try accessing the URL via a browser and see which certificate they receive back (IE red lock sign near the URL). That will give you an idea of what could be different for these users.
Hope this helps.
06-22-2017 12:07 PM
I get the red shield on other users.
It also says that the cert could not be found on the local machine.
Is it that the cert is not being pulled from the token?
06-22-2017 12:57 PM
The red shield and the error pasted above are seen when the ASA server certificate validation fails. The certs from the tokens, if I understand correctly, are meant for client certificate validation. There are 2 separate steps, with client cert validation taking place after the server certificate (ASA) is validated by the client. I do not think they are related.
If you click on the red shield, can you see what certificate details show up? Does it show the subject name of your ASA?
06-23-2017 06:33 AM
So yesterday I dug deep into this and it is a Windows issue not pulling the certs correctly off of the token. I thought it was a token-to-user issue before, but on certain client devices it gives you the error: "Windows does not have enough information to verify this cert"
I appreciate the leads that you gave me. When I checked the SSL it gave me that error, and when I dug deeper into certmgr.msc it gave me the above error message.
06-24-2017 04:39 AM
"Windows does not have enough information to verify this cert" usually means your server certificate is not issued by a trusted CA. You would need to check what certificate is being received by the client during the SSL handshake with the ASA. The easiest way to do this is through a browser session to the VPN URL. You can also capture the SSL handshake using Wireshark and see this if you want.
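As an added example (not code from this thread or from Cisco), the following POSIX shell script does from the command line what the answer above suggests doing in a browser or Wireshark: it pulls the certificate chain the VPN head-end actually presents during the TLS handshake and triages the leaf against the three failure modes raised earlier in the thread (wrong name, untrusted issuer, wrong key usage), plus expiry. It assumes the `openssl` CLI is installed; the hostname `vpn.example.com` in the usage comment is a placeholder. Run it from a client that shows the warning and from one that does not and diff the output: a hotel captive portal or TLS-intercepting proxy shows up immediately as a different subject/issuer.

```shell
#!/bin/sh
# Added example: fetch the certificate a TLS server presents and check it the
# way a client does. Requires the openssl CLI. Usage:
#   sh check_vpn_cert.sh vpn.example.com [443]     (placeholder hostname)

# fetch_server_cert HOST PORT OUTFILE
# Saves every certificate sent in the handshake (leaf first) to OUTFILE as PEM.
# SNI is sent so a front-end cannot hand back its default certificate.
fetch_server_cert() {
  fsc_host=$1; fsc_port=$2; fsc_out=$3
  printf '' | openssl s_client -connect "$fsc_host:$fsc_port" \
      -servername "$fsc_host" -showcerts 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$fsc_out"
}

# triage_cert CERT.PEM EXPECTED_HOST
# Prints one OK/FAIL line per check and returns the number of failures.
# Only the first certificate in the file is treated as the leaf.
triage_cert() {
  tc_cert=$1; tc_host=$2; tc_fails=0
  tc_text=$(openssl x509 -in "$tc_cert" -noout -text)
  tc_subject=$(openssl x509 -in "$tc_cert" -noout -subject); tc_subject=${tc_subject#subject=}
  tc_issuer=$(openssl x509 -in "$tc_cert" -noout -issuer);   tc_issuer=${tc_issuer#issuer=}
  printf 'subject: %s\nissuer:  %s\n' "$tc_subject" "$tc_issuer"

  # 1) Name: browsers and AnyConnect match the SAN list, not the CN.
  tc_sans=$(printf '%s\n' "$tc_text" | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}')
  tc_named=0
  for tc_san in $(printf '%s' "$tc_sans" | tr ',' ' '); do
    case "$tc_san" in
      "DNS:$tc_host"|"DNS:*.${tc_host#*.}") tc_named=1 ;;   # exact or one-level wildcard
    esac
  done
  if [ "$tc_named" -eq 1 ]; then
    echo "OK: name $tc_host is covered by SAN [$tc_sans]"
  else
    echo "FAIL: name $tc_host not in SAN [${tc_sans:-<none>}]"; tc_fails=$((tc_fails+1))
  fi

  # 2) Key usage: a server cert needs digitalSignature (ECDHE suites sign the
  #    handshake) and, if an EKU is present, TLS Web Server Authentication.
  tc_ku=$(printf '%s\n' "$tc_text" | sed -n '/X509v3 Key Usage/{n;s/^ *//;p;}')
  tc_eku=$(printf '%s\n' "$tc_text" | sed -n '/Extended Key Usage/{n;s/^ *//;p;}')
  case "$tc_ku" in
    ""|*"Digital Signature"*) echo "OK: key usage [${tc_ku:-absent}]" ;;
    *) echo "FAIL: key usage [$tc_ku] lacks Digital Signature"; tc_fails=$((tc_fails+1)) ;;
  esac
  case "$tc_eku" in
    ""|*"TLS Web Server Authentication"*) echo "OK: extended key usage [${tc_eku:-absent}]" ;;
    *) echo "FAIL: extended key usage [$tc_eku] lacks serverAuth"; tc_fails=$((tc_fails+1)) ;;
  esac

  # 3) Validity period.
  if openssl x509 -in "$tc_cert" -noout -checkend 0 >/dev/null 2>&1; then
    echo "OK: not expired"
  else
    echo "FAIL: expired"; tc_fails=$((tc_fails+1))
  fi

  # 4) Trust: self-signed, or does the chain reach a CA in this machine's
  #    OpenSSL store? (The Windows client uses its own store; see note below.)
  if [ "$tc_subject" = "$tc_issuer" ]; then
    echo "FAIL: untrusted issuer: certificate is self-signed (issuer equals subject)"
    tc_fails=$((tc_fails+1))
  elif openssl verify -untrusted "$tc_cert" "$tc_cert" >/dev/null 2>&1; then
    echo "OK: chains to a CA in the local OpenSSL trust store"
  else
    echo "FAIL: untrusted issuer: chain does not reach a CA in the local OpenSSL trust store"
    tc_fails=$((tc_fails+1))
  fi
  return $tc_fails
}

# Command-line entry point; skipped when the file is sourced without arguments.
if [ $# -ge 1 ]; then
  cli_tmp=$(mktemp)
  fetch_server_cert "$1" "${2:-443}" "$cli_tmp"
  triage_cert "$cli_tmp" "$1"; cli_rc=$?
  rm -f "$cli_tmp"
  exit $cli_rc
fi
```

The name, key usage and expiry checks are store-independent, so they reproduce what any client would decide. The trust check consults OpenSSL's CA bundle, not the Windows store the AnyConnect client uses, so "OK" there only tells you the chain is complete and publicly rooted; a private CA that is pushed by GPO to some machines and missing on others will still fail here while the affected Windows clients behave exactly as described in the thread.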