09-05-2023 11:36 AM
I've gone through a couple of documents for setting up AnyConnect with Azure SAML. The configuration part seemed to go fine, but when the VPN client tried to connect it returns the "cisco secure client authentication failed due to problem verifying server certificate" error. The ASA certificate was issued by an internal CA and both the ASA and client trust this CA.
Not sure what I'm missing here?
Any help would be appreciated.
Labels: Remote Access, VPN
Accepted Solutions
10-06-2023 10:21 AM
This error happens when the server certificate is not trusted by the PC. Untrusted server certificates are not supported with an Embedded Browser:
------------------------------------------------------------------------------------------------------
When using SAML with Secure Client, follow these guidelines:
- Untrusted server certificates are not allowed in the embedded browser.
------------------------------------------------------------------------------------------------------
https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/730/management-center-device-config-73/vpn-remote-access.html#reference_pdf_cx3_psb
In order to troubleshoot this issue, please open a browser and visit the same URL that you have in your connection profile. Do you see a browser error about an untrusted certificate? If yes, then the internal root CA and/or sub-CA certificate is not installed correctly.
The location where certificates should be installed depends on the browser and the operating system. For example, Firefox by default does not use the system store and has its own.
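The check described in the accepted solution, scripted with openssl as an added example (this is not code from the thread or from Cisco). It builds a constructed internal root CA and a headend certificate issued by it, verifies the chain with that root available (the position the ASA and the client are in), and then verifies it against a store holding only an unrelated root, which is the position the embedded browser's trust store is in when the internal root was never imported into the store it actually reads. The headend name vpn.example.internal and both CA names are made up; check_headend_chain runs the same test against a live headend and is not exercised offline.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Shows why "the ASA and the client trust the CA"
# is a different question from "the trust store the embedded browser uses trusts it".
# Every name and certificate below is constructed throwaway test data.
set -u

WORK="$(mktemp -d)"
HEADEND="vpn.example.internal"   # made-up headend name from the connection profile URL

# Build a constructed internal root CA and a headend certificate issued by it, plus an
# unrelated root standing in for "a public root the PC already trusts".
make_internal_pki() {
  cat > "$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_headend ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HEADEND
EOF
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Example Internal Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1 || return 1
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Unrelated Public Root CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1 || return 1
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$HEADEND" -keyout "$WORK/asa.key" -out "$WORK/asa.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -sha256 -days 1 -in "$WORK/asa.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions v3_headend \
    -out "$WORK/asa.pem" >/dev/null 2>&1
}

# (a) The verifier holds the internal root: the ASA/client situation. Returns 0.
verify_with_internal_root() {
  openssl verify -no-CApath -CAfile "$WORK/root.pem" \
    -verify_hostname "$HEADEND" "$WORK/asa.pem" >/dev/null 2>&1
}

# (b) The verifier holds only an unrelated root (default CApath disabled, so the internal
# root is simply absent): the embedded browser's situation when the root was never imported
# into the store it reads. OpenSSL reports "unable to get local issuer certificate"; a TLS
# client in this state aborts with the alert certificate_unknown (46). Returns non-zero.
verify_without_internal_root() {
  openssl verify -no-CApath -CAfile "$WORK/other.pem" \
    -verify_hostname "$HEADEND" "$WORK/asa.pem" >/dev/null 2>&1
}

# Live version of the check the accepted solution does by hand in a browser: connect to the
# headend and let OpenSSL verify the presented chain. Without a CAfile the default store is
# used; pass the internal root's PEM to confirm the chain itself is sound. Not run offline.
# Usage: check_headend_chain vpn.example.internal [/path/to/internal-root.pem]
check_headend_chain() {
  host="$1"; cafile="${2:-}"
  if [ -n "$cafile" ]; then
    openssl s_client -connect "$host:443" -servername "$host" -CAfile "$cafile" \
      -verify_return_error </dev/null >/dev/null 2>&1
  else
    openssl s_client -connect "$host:443" -servername "$host" \
      -verify_return_error </dev/null >/dev/null 2>&1
  fi
}

main() {
  make_internal_pki || { echo "could not build the constructed test PKI"; return 1; }
  if verify_with_internal_root; then
    echo "internal root present:  $HEADEND chain verifies (ASA and client view)"
  fi
  if ! verify_without_internal_root; then
    echo "internal root missing:  $HEADEND chain rejected (embedded browser view)"
  fi
  echo "test material left in $WORK for inspection"
}

main
```

If the live check fails without a CAfile but passes when the internal root is supplied, the chain the headend serves is fine and the problem is purely the client-side store, as the accepted solution says. In the capture from earlier in the thread the same failure shows up as the client-sent fatal alert; the Wireshark display filter `tls.alert_message.desc == 46` isolates it.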
09-05-2023 04:54 PM
You need to confirm if the SSL handshake is getting completed before we look into troubleshooting SAML.
Try taking a capture on the outside interface, dump it to pcap and analyze it in Wireshark. Capture commands for reference:
capture capout interface outside match ip host <FW-Outside-IP> <Client-Public-IP>
sh cap capout dump
09-06-2023 05:45 AM
Hi Pavan,
Thanks for the info. I ran the capture, but I'm not sure what I'm looking for. From what I can see the handshake is complete. There is a line "TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Certificate Unknown)" that kind of sticks out.
09-06-2023 06:42 AM
What kind of certificate is this? A self signed one or is it signed by some well trusted CA?
09-06-2023 06:45 AM
No. The ASA certificate was issued by an internal CA and both the ASA and client trust this CA
09-06-2023 06:55 AM
Can you send those captures and also the DART bundle with the timestamp, if the DART module is installed on your Secure Client?
09-06-2023 07:00 AM
Where can I send it?
10-05-2023 06:51 AM
Mark, were you able to find a solution? I am having the exact same problem.
10-05-2023 11:33 PM
Because SSO is in use, with multiple communication flows, including Azure sending the assertion back to the ASA, the certificate on the public side must be signed by a public/trusted CA. If an internal PKI is used, errors like these happen regardless of the ASA and client trusting each other (Azure doesn't trust your PKI).
Kind regards,
Milos
