Does anyone have any experience of Anyconnect not being able to find a valid user certificate despite one being in the Microsoft User Store?
The situation is we use EAP-FAST and multiple certificate authentication (MAchine and USer), Automatic and Always On VPN with fail open as the option.
Everything is ticking along happily for everyone, then randomly someone will call in with their device not being able to connect and Anyconnect errors with no valid user certificate. They can't browse the internet to send us a DART as a result of authentication failure (Fail close). The user and machine certificate is present on the machine still.
By deleting the certificate and enrolling for a new one, things start working again.
Things we have tried:
Rebooting the machine
Network repair on Anyconnect
I've not yet managed to get a DART from a machine thats broken as usually someone replaces the certificate and its to late. With everyone working remotely at the moment this problem is now exacerbated as we can't get the replacement on the machine as its securely locked down - we can do this in the office but we are not allowed to.
What causes this to happen? Is it Microsoft certificate store corrupting or something else? I can't see any obvious logs for the cause.
If you also deployed NAM profiles with certificate matching, so not automatic selection, it looks like a bug on AnyConnect or Windows side. What AC version are you using? A DART file would clearly help a lot, otherwise without understanding what happens on the endpoint you're kind of left guessing.
HI, the majority of laptops are on 4.7.00136 which was a mistake, and we are in the process of getting people to 4.7.04056. Anyone running either of those clients though does have the problem. The laptops are running the equivalent Anyconnect NAM and Umbrella clients.
I agree a DART is needed, I'm struggling to get one as a machine gets locked down once its not working, and we are not allowed to take them into the office to get them on the LAN to grab it and resolve the intial certificate problem.
In this case you got your answer, you would need to urgently upgrade AC. You could still do a DART on one of the PC's before upgrading, just for the fun of the engineer.
I somehow misunderstood the with the newer version there are no problems. Post the DART file, this is the important missing part, insight on the endpoint, and open a TAC case.