Currently I'm using ASDM

Hi,

Please follow these steps and check if it helps you:

 Install CA Certificate(s) to allow the ASA to trust the issuer of the SCEP ID Cert installed on the client.

    - Best Practice: Install all CA Certificates from the ASA & AnyConnect issuing CA(s) all the way up the chain to the root CA

    - Note that the log message indicates which ca certificates are already installed (RESIDENT CERT) and which have not been installed yet (NON-RESIDENT CERT).

You can also check if the XML profile being used is correct.

Regards,

Aditya

Thank you for the help.  I think im getting closer.  I eneded up going into the IIS manager on server 2012r2 and set the max count to 65384.  Now i can authenicate using both user and certificate and i see the cetificate in the CA but when i go to connect now i still get the untrusted server error and ask if i want to continue?  What am i doing wrong?  I must not have something set up right on the certificate.  Common name maybe?

Thank you 

Hi Computerwiz24,

Do your PC from where you are trying to connect to VPN have the local CA certificate in trusted CA certificate list?

No it doesn't.  It is in the personal certificate folder?

You have to add that to the CA trusted list. 

Since I have the identity certificate shouldn't it be a trusted certificate already or will I have to move it into trusted certificates on each pc?  Do I have something wrong on the identity certificate and that's why it's not trusted?

thank you 

I think you need to add your Local CA certificate (which you get with identity certificate) to Trusted CA list by right clicking on it. Just check the "Entrerprise Trust" and "Untrusted Certificate" under certificate Manager see highlighted in attachment.