11-07-2019 06:37 AM - edited 02-21-2020 09:48 PM
Having an issue while testing SBL. I am unable to configure SBL to prompt the end user to select a certificate. SBL is defaulting to the wrong certificate. I have tweaked profile preferences, as well as the Activclient local policy on the machine. Does anyone know how to get SBL to prompt the user to select a certificate? Thanks in advance!
11-07-2019 06:47 AM
11-07-2019 07:02 AM
11-07-2019 07:46 AM
Hi Mike,
Do you have any certificate matching rules in the profile that may be bypassing the certificate selection?
Steve S.
11-07-2019 08:56 AM
11-07-2019 11:02 AM
Hi Mike,
I have verified that SBL does not allow the use of manual certificate selection. Automatic certificate selection is hardcoded for the SBL use case. If possible I would suggest the use of certificate matching rules in the AnyConnect profile to force the client to use the correct certificate. This may not be possible if you don't have some criteria that is different between the two certificates.
Thanks,
Steve S.
11-07-2019 12:37 PM - edited 11-07-2019 01:35 PM
@stsargen Thanks for the validation. So essentially I want SBL, based on the AC profile config, to do a cert match to pull the PIV and not the signature certificate.
**Edited Post**
The above configuration in the AC profile editor works as a solution to select the PIV over the Signature cert when using SBL.
11-07-2019 06:12 PM
Hi Mike,
Glad to hear this is working. I was in the process of setting up my PIV 5 test card to verify. No need to do that now.
Steve S.
03-31-2020 09:01 AM
This tweak fixed my cert list problem, but now I get a different error: "No valid certificates available for authentication". This then stops me from getting a needed Kerberos certificate to join my domain or authenticate at my Domain Controller. Any ideas?
We use Activclient 7.1 as a card reader software.