AnyConnect w/ Certificate: Certificate invalid for this group

hwillenborg
Level 1

Hello,

Situation:

  • About 100 VPN clients all over the world, Version 2.5.0217
  • Using certificates from a Microsoft CA
  • AnyConnect works fine on almost all computers with XP / Vista / Windows 7
    • On Windows 7 the root certificate must be installed manually (Certificate Web Service using Windows 2003 Server)
  • AnyConnect won't work from some laptops in Australia (Windows 7 Home, IE 8). Error message: Certificate is invalid for this group
    • The same message appears when a certificate is revoked for a working installation
    • I tried the same root certificate and personal certificate (imported the same files) on another computer in Germany: worked

Could not find any help in the

  • FAQ
  • Troubleshooting Guide
  • Administration Guide

Has anybody experienced such a behaviour?

Facts:

  • Since the gateway is in Germany, ping times are around 330 ms from Australia.
  • We also tried an intranet connection and an internet connection, same message.

I wonder if there are security settings within Internet Explorer which cause this error. The ASA web access does not work either (it asks for the personal certificate, then it won't continue, telling "This page cannot be displayed" in IE 8).

6 Replies

mulatif
Cisco Employee

Possibly looks like an SSL handshake failure, since you cannot connect from the browser either. What client certificate are you presenting to the ASA? Make sure that the EKU (Enhanced Key Usage) extension in the client certificate includes the "Client Authentication" capability.

A packet capture for the SSL failure will also help.

Does browser access through any other browser work? (e.g. Firefox)
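The EKU check suggested above can be done with OpenSSL before the certificate is ever presented to the ASA. The following script is an added example, not code from the thread or from Cisco: it builds two constructed self-signed certificates (one carrying the clientAuth EKU, one carrying only serverAuth) and defines `has_client_auth_eku`, a hypothetical helper that succeeds only when the certificate's Extended Key Usage lists TLS Web Client Authentication. Point the helper at a real exported certificate (PEM) to check a failing client.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a client certificate's
# Extended Key Usage includes clientAuth (OID 1.3.6.1.5.5.7.3.2), which
# the ASA expects on AnyConnect client certificates.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample certificates, generated locally for the demonstration.
# good.pem: EKU = clientAuth          (what a VPN client certificate needs)
# bad.pem : EKU = serverAuth only     (a typical mis-issued template)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/good.key" -out "$WORK/good.pem" \
  -subj "/CN=good-client" -addext "extendedKeyUsage=clientAuth" >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/bad.key" -out "$WORK/bad.pem" \
  -subj "/CN=server-only" -addext "extendedKeyUsage=serverAuth" >/dev/null 2>&1

# has_client_auth_eku FILE
#   exit 0 if the X509v3 Extended Key Usage extension lists
#   "TLS Web Client Authentication" (OpenSSL's long name for clientAuth),
#   exit 1 if the extension is missing or does not list it.
has_client_auth_eku() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'X509v3 Extended Key Usage' \
    | grep -q 'TLS Web Client Authentication'
}

# report_eku FILE: human-readable verdict for a troubleshooting session
report_eku() {
  if has_client_auth_eku "$1"; then
    echo "$1: OK - EKU includes Client Authentication"
  else
    echo "$1: FAIL - EKU does not include Client Authentication"
  fi
}

report_eku "$WORK/good.pem"
report_eku "$WORK/bad.pem"
```

On a Windows client the same certificate can be exported from the personal store as Base-64 (PEM) and fed to `has_client_auth_eku`; a FAIL here explains a "Certificate is invalid for this group" result before any packet capture is needed.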

sjbdallas
Level 1

Did you get an answer for this? I'm seeing a similar issue.

Hello Steven,

No, I am sorry. It turned out to be a problem with exactly one computer and we decided not to follow this up anymore.

Regards

Holger

Steven,

I had an issue first installing the root certificates on the Windows 7 machines. Instead of using "Select storage automatically" you have to select it manually (Trusted Root Certification Authorities and, if this is not enough, a second time into Intermediate Certification Authorities).

Maybe this helps you.

Regards

Holger

Hi Steve,

Just wondering if you were able to resolve this issue, as I am having the same issue?

I have gotten around the issue by deleting the user in ACS, as we use ACS as the RADIUS server. The user is again dynamically created in ACS and the certificate issue disappears. However, before deleting the user, I can log in fine from another workstation with my credentials, and the issue is not present when logging in from a different workstation. There are new AnyConnect clients that seem to resolve some certificate issues, but that did not help either. Tried deleting cache and profiles and that did not help either. Deleting the user from ACS is not a good solution.

For myself the error was related to Authentication under the Connection Profile > Advanced.

Under the Connection Profile it was configured to "Pre-fill Username from Certificate", but "Use script to select username" was configured with -None-, so it caused the error.

A few years late but hope this helps someone.