DUO SSO issue: problem retrieving the single sign-on cookie

maliseet
Level 1

I'm getting "Authentication failed due to problem retrieving the single sign-on cookie" with Cisco AnyConnect.  I'm in the process (still) of migrating from DUO LDAPS for ASA to their SSO solution.  Some background:

The ASA is a 5508-X.  AnyConnect version 4.10

The ASA gets its identity certificate from a local domain-joined CA.  It uses its fqdn for the subject (which we'll call "asa.domain.local" for now).

Since the domain is kept strictly within the bounds of the network, the only way to access the ASA from the outside is to either (a) know its IP address or (b) have its hostname included in the hosts file in the windows\system32\drivers\etc folder.

I've found I also have to manually import the certificate chain for the ASA (the certs for both the ASA and the CA that issued the cert), otherwise I'll get a "problem verifying server certificate" error.  That means grabbing the certificates off of the CA and either emailing them to the remote clients or using sneakernet with a USB stick with the certs on them.

Anyway, I'll run AnyConnect, enter the fqdn of the ASA.  The prompt will come up, awaiting user input.  I select the SSO tunnel group under Group:, the SSO prompt will come up asking for my login information, I'll get the push notification to my phone, DUO will return with "Success!  Logging you in..."

and I get "problem retrieving the single sign-on cookie."

Eventvwr.msc will show the error. 

Source:  acwebhelper, Event ID 1, Information:
Function: CWebView2BrowserControl::navigationEndingHandler::<lambda_58a8fee41f502a99eac11db0e2279aa5>::operator ()
File: c:\temp\build\thehoff\phoenix_mr80.403803346583\phoenix_mr8\vpn\webhelper\windows\webview2browsercontrol.cpp
Line: 978
primary control navigated successfully to URL 'https : \\asa,domain,local/+CSCOE+/saml_ac_login.html  '. Final URL 'https : \\ asa,domain,local/+CSCOE+/saml_ac_login.html  '.

Source:  acwebhelper, Event ID 1, Error:
Function: CWebView2BrowserControl::getCookieHandler::<lambda_f478b239cfe0b75a390108b65e360dfb>::operator ()
File: c:\temp\build\thehoff\phoenix_mr80.403803346583\phoenix_mr8\vpn\webhelper\windows\webview2browsercontrol.cpp
Line: 598
primary control failed to retrieve cookie on final URL

Source:  acwebhelper, Event ID 1, Error:
Function: CWebView2BrowserControl::getCookieHandler::<lambda_f478b239cfe0b75a390108b65e360dfb>::operator ()
File: c:\temp\build\thehoff\phoenix_mr80.403803346583\phoenix_mr8\vpn\webhelper\windows\webview2browsercontrol.cpp
Line: 638
primary control sending browser result of 'ErrorCookie' with value: 1

Really hope I can get this fixed.

Thanks in advance!


Sheraz.Salim
VIP Alumni

The ASA is using NTP and matches the NTP server to the second; but sure enough, changing the request timeout to something *greater* than 301 seconds did the trick (plus a reload of the ASA).

Who thought having a time differential of over 5 minutes on Microsoft/DUO's end was a good idea?

Anyway, thanks for the input!  I'd never have guessed it was because someone set their clocks 5 minutes off.

The ASA is synched with NTP to the second; but sure enough, changing the reply timeout to anything greater than 300 seconds did the trick (also the ASA needed to be reloaded).  Who thought setting their clocks off by 5 minutes was a good idea?

Thanks again!
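The fix in the thread works because a SAML service provider checks the assertion's validity window (the Conditions element's NotBefore / NotOnOrAfter timestamps) against its own clock, and an identity provider whose clock runs five minutes ahead produces assertions that look "not yet valid" until a tolerance larger than that offset is allowed. The following Python is an added illustration of that time-window check and is not Cisco ASA, AnyConnect or Duo code; the assertion, the issuer URL, the 5-minute IdP offset and the way the tolerance is applied are all constructed assumptions, and the ASA's real validation logic and the exact meaning of its timeout setting are not reproduced here.

```python
"""Illustrative SAML assertion time-window check (added example, not vendor code).

Demonstrates why an identity provider whose clock is ahead of the service
provider yields assertions the SP rejects, and how a skew tolerance larger
than the clock offset makes the same assertion acceptable.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assumption: the IdP clock is exactly 5 minutes ahead of the SP.
IDP_CLOCK_OFFSET = timedelta(minutes=5)


def build_assertion(sp_now: datetime, offset: timedelta = IDP_CLOCK_OFFSET) -> str:
    """Build a minimal, unsigned sample assertion as an IdP with a skewed clock would.

    The IdP stamps NotBefore with *its* notion of "now" and gives the assertion
    a 5-minute lifetime. Issuer and ID are placeholders, not real values.
    """
    idp_now = sp_now + offset
    not_before = idp_now.strftime("%Y-%m-%dT%H:%M:%SZ")
    not_on_or_after = (idp_now + timedelta(minutes=5)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="_placeholder-id" Version="2.0" IssueInstant="{not_before}">'
        "<saml:Issuer>https://idp.example.test/placeholder</saml:Issuer>"
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>'
        "</saml:Assertion>"
    )


def parse_utc(stamp: str) -> datetime:
    """Parse the UTC 'Z' timestamp form used in SAML assertions."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml: str, sp_now: datetime, allowed_skew: timedelta):
    """Validate the Conditions window against the SP clock with a skew tolerance.

    Returns (accepted, reason). Signature verification is deliberately out of
    scope here; a real SP verifies the signature before trusting these fields.
    """
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        return False, "assertion has no Conditions element"
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    # Not yet valid: the SP clock, even pushed forward by the tolerance, is still
    # before NotBefore. This is the failure a fast IdP clock produces.
    if not_before and sp_now + allowed_skew < parse_utc(not_before):
        return False, f"assertion not yet valid: NotBefore={not_before}"
    # Expired: the SP clock, even pulled back by the tolerance, is at/after NotOnOrAfter.
    if not_on_or_after and sp_now - allowed_skew >= parse_utc(not_on_or_after):
        return False, f"assertion expired: NotOnOrAfter={not_on_or_after}"
    return True, "assertion within its validity window"


def demo(allowed_skew_seconds: int):
    """Run the check with a fixed SP clock so results are reproducible."""
    sp_now = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)  # constructed
    assertion = build_assertion(sp_now)
    return check_conditions(assertion, sp_now, timedelta(seconds=allowed_skew_seconds))


if __name__ == "__main__":
    for tolerance in (0, 60, 301):
        accepted, reason = demo(tolerance)
        print(f"tolerance={tolerance:>3}s -> {'ACCEPT' if accepted else 'REJECT'}: {reason}")
```

With the constructed 5-minute IdP offset, tolerances of 0 and 60 seconds reject the assertion as not yet valid, while 301 seconds accepts it, which matches the thread's observation that only a timeout above 300 seconds worked. Fixing the IdP clock is the better remedy than widening the window, since a larger tolerance also extends how long a captured assertion stays replayable.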