AnyConnect SBL (start before logon)

Mike.Cifelli
VIP Alumni

Having an issue while testing SBL.  I am unable to configure SBL to prompt end user to select certificate.  SBL is defaulting to the wrong certificate.  I have tweaked profile preferences, as well as Activclient local policy on machine.  Does anyone know how to get SBL to prompt user to select certificate?  Thanks in advance!

8 Replies

Hi,
Try "Disable Automatic Certificate Selection" / "User Controllable" in the Preferences Part 2 section of the AnyConnect VPN Profile Editor?

I think that directly relates to <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection> in the XML profile.

HTH

You are correct in that. However, I have attempted this & it did not solve the issue.

Hi Mike,

Do you have any certificate matching rules in the profile that may be bypassing the certificate selection?

Steve S.

Double-checked and I do not. Still no dice for the cert prompt when running SBL. However, if I log in with cached credentials and then initiate the VPN connection, I get prompted to select a cert.

Hi Mike,

I have verified that SBL does not allow the use of manual certificate selection.  Automatic certificate selection is hardcoded for the SBL use case.  If possible I would suggest the use of certificate matching rules in the AnyConnect profile to force the client to use the correct certificate.  This may not be possible if you don't have some criteria that is different between the two certificates.

Thanks,

Steve S.

@stsargen Thanks for the validation. So essentially I want SBL, based on the AC profile config, to do a cert match to pull the PIV and not the Signature certificate.

(attached screenshot: AC_prof_cer_mtc.PNG)

**Edited Post**

The above configuration in the AC profile editor works as a solution to select the PIV over the Signature cert when using SBL.
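As an added illustration of what the certificate-matching rule in Steve's reply and Mike's edited post is doing (this is example code written for this page, not Cisco's client code and not the poster's profile), the script below parses a `<CertificateMatch>` block out of a constructed AnyConnect profile fragment and applies it to constructed summaries of the certificates a PIV card typically carries, so you can see which certificate survives the filter before SBL picks it automatically. Assumptions: the element names (`CertificateMatch`, `KeyUsage`/`MatchKey`, `ExtendedKeyUsage`, `CustomExtendedMatchKey`, `DistinguishedName`/`DistinguishedNameDefinition`) follow the AnyConnect client profile XML as I know it and should be checked against what the Profile Editor writes; treating every listed criterion as required (AND) is this example's simplification of the client's matching semantics; the Smart Card Logon EKU OID 1.3.6.1.4.1.311.20.2.2 is real, but the certificate contents, subject names and the `Example Agency` DN are made up.

```python
"""Apply an AnyConnect-style <CertificateMatch> rule set to a set of
smart-card certificates (added example, not Cisco code). Element names
follow the AnyConnect profile XML as understood by the example's author;
the AND-across-criteria semantics is an assumption of this example."""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed profile fragment: keep only a certificate that carries the
# Digital_Signature key usage, the ClientAuth EKU and the Smart Card Logon
# EKU (OID 1.3.6.1.4.1.311.20.2.2), issued with a matching O= in the DN.
PROFILE_XML = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
    <CertificateMatch>
      <KeyUsage>
        <MatchKey>Digital_Signature</MatchKey>
      </KeyUsage>
      <ExtendedKeyUsage>
        <ExtendedKeyUsage>ClientAuth</ExtendedKeyUsage>
        <CustomExtendedMatchKey>1.3.6.1.4.1.311.20.2.2</CustomExtendedMatchKey>
      </ExtendedKeyUsage>
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled">
          <Name>O</Name>
          <Pattern>Example Agency</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
</AnyConnectProfile>"""

# Constructed certificate summaries, standing in for what the client reads
# from the card. Subject CNs are placeholders; the EKU/key-usage split is
# the typical PIV layout (auth cert vs. signature cert vs. key management).
SUBJECT = {"CN": "DOE.JOHN.1234567890", "OU": "PIV", "O": "Example Agency"}
CARD_CERTS = [
    {"label": "PIV Authentication", "subject": SUBJECT,
     "key_usage": {"Digital_Signature"},
     "eku": {"ClientAuth", "1.3.6.1.4.1.311.20.2.2"}},
    {"label": "Digital Signature", "subject": SUBJECT,
     "key_usage": {"Digital_Signature", "Non_Repudiation"},
     "eku": {"EmailProtection"}},
    {"label": "Key Management", "subject": SUBJECT,
     "key_usage": {"Key_Encipherment"}, "eku": set()},
]


def _local(tag):
    """Drop the profile's default namespace: '{ns}KeyUsage' -> 'KeyUsage'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def parse_certificate_match(profile_xml):
    """Rule set from the first <CertificateMatch> block, or None if absent."""
    root = ET.fromstring(profile_xml)
    match = next((e for e in root.iter() if _local(e.tag) == "CertificateMatch"), None)
    if match is None:
        return None
    rules = {"key_usage": set(), "eku": set(), "dn": []}
    for ku in _children(match, "KeyUsage"):
        rules["key_usage"].update(k.text.strip() for k in _children(ku, "MatchKey"))
    for eku in _children(match, "ExtendedKeyUsage"):
        rules["eku"].update(e.text.strip() for e in _children(eku, "ExtendedKeyUsage"))
        rules["eku"].update(o.text.strip() for o in _children(eku, "CustomExtendedMatchKey"))
    for dn in _children(match, "DistinguishedName"):
        for d in _children(dn, "DistinguishedNameDefinition"):
            rules["dn"].append({"name": _children(d, "Name")[0].text.strip(),
                                "pattern": _children(d, "Pattern")[0].text.strip(),
                                "operator": d.get("Operator", "Equal"),
                                "wildcard": d.get("Wildcard", "Disabled") == "Enabled"})
    return rules


def _dn_matches(rule, subject):
    value = subject.get(rule["name"], "")
    hit = fnmatch.fnmatchcase(value, rule["pattern"]) if rule["wildcard"] else value == rule["pattern"]
    return hit if rule["operator"] == "Equal" else not hit


def certificate_matches(rules, cert):
    """True when the certificate satisfies every criterion (AND, by assumption)."""
    return (rules["key_usage"] <= cert["key_usage"] and rules["eku"] <= cert["eku"]
            and all(_dn_matches(r, cert["subject"]) for r in rules["dn"]))


def select_certificates(profile_xml, certs):
    """Labels of the certificates the profile's matching rules leave eligible."""
    rules = parse_certificate_match(profile_xml)
    if rules is None:          # no rules at all: everything stays eligible
        return [c["label"] for c in certs]
    return [c["label"] for c in certs if certificate_matches(rules, c)]


def distinguishing_criteria(cert_a, cert_b):
    """Attributes on which two certificates differ. An empty result means no
    matching rule can separate them, which is the caveat in Steve's reply."""
    diff = {}
    if cert_a["key_usage"] != cert_b["key_usage"]:
        diff["key_usage"] = cert_a["key_usage"] ^ cert_b["key_usage"]
    if cert_a["eku"] != cert_b["eku"]:
        diff["eku"] = cert_a["eku"] ^ cert_b["eku"]
    dn = {k for k in set(cert_a["subject"]) | set(cert_b["subject"])
          if cert_a["subject"].get(k) != cert_b["subject"].get(k)}
    if dn:
        diff["dn"] = dn
    return diff


if __name__ == "__main__":
    print("eligible:", select_certificates(PROFILE_XML, CARD_CERTS))
    print("auth vs signature differ on:", distinguishing_criteria(CARD_CERTS[0], CARD_CERTS[1]))
```

Run it as-is and only the PIV Authentication certificate is left eligible; `distinguishing_criteria` reports that the authentication and signature certificates differ on key usage and EKU but share the same subject, which is why a DN-only rule would not help here. To use it against your own card, replace the constructed summaries with the key usage, EKU and subject fields read from the real certificates.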

Hi Mike,

Glad to hear this is working. I was in the process of setting up my PIV 5 test card to verify. No need to do that now.

Steve S.

martinsm1
Level 1

This tweak fixed my cert list problem, but now I get a different error: "No valid certificates available for authentication". This then stops me from getting a needed Kerberos certificate to join my domain or authenticate at my Domain Controller. Any ideas?

We use Activclient 7.1 as a card reader software.