Machine certificate authentication requires AnyConnect to "run as administrator" on Windows 7

tmpoff
Level 1

My title says it all.

Is there any way to have AnyConnect access the machine certificate store on Windows 7 without requiring the AnyConnect application to run as admin?

Is there some setting to override this requirement? In the profile XML, through Windows GPO, etc.


What are others doing when they hit this issue?

7 Replies

jan.nielsen
Level 7

Certificate Store Override - Allows an administrator to direct AnyConnect to search for certificates in the Windows machine certificate store when the user does not have administrator privileges on their device.

From:

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/anyconnect-profile-editor.html

Hi,

Thanks for replying.  No.  That does not work.  I have already tried that option.  I confirmed it was in the .xml and it still does not work.


Besides, my user has full admin rights on the test machine.

Hmm, that's usually all that's needed. Did you also select the machine store in your profile?


Yes.  Machine store is selected.  We have had it happen on two different ASA installations and two different test clients.

Any debug tools would be appreciated.  Thanks.

Oh, btw, how are you debugging to see that AnyConnect can't find the certificate?

jerecassidy
Level 1
I know this issue is 2+ years old, but any fix? I am running into this today.

I have a valid machine cert issued by MS PKI via Group Policy in the local client's certificate store (Computer) that has EKU of "Client Authentication" and "Server Authentication". The user that logs into this client cannot see this store with the mmc snapin, but I've used the Profile editor and specified Certificate Store = Machine and Certificate Store Override. When the client tries to connect, the client indicates "no valid certificates available for authentication".

just as an fyi - if I have the user request a User certificate from the same PKI CA server that issued the computer certificate, I am able to connect - but issuing user certificates is not desirable for my client. Thanks much!

Additional Data:  I am running the new Firepower 2100 series, with the first generation of software that supported Anyconnect on Firepower.


SOLVED/UPDATE:   With the changes to the profile as stated above (Certificate Store Override and Store = Machine), I was still getting the error message.  I found another thread here in the forums that referenced the idea that the hostname used in the profile must match that replied to by the ASA (FP in my case).  In my case, the ASA was responding with the CN/Subject Name field. My Server list was using one of the Subject Alternative Names (SAN).  So there was no trust problem.  In troubleshooting this, I realized that during my troubleshooting, the network I was on had stopped resolving the server list's hostname altogether.  Instead of giving me an "Unable to resolve host" message, the AnyConnect client was still insisting on giving me "No valid certificates available for authentication".  I was able to repeat this at will.  If I can't resolve the destination, the error message is quite misleading.


I am now able to connect using one of the SANs in the Firepower's certificate. The client uses the local machine certificate even though I do not have administrative rights on the machine.
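As an added example that is not part of any post above: a PowerShell diagnostic for the three things this thread turns on before blaming the profile, namely whether LocalMachine\My actually holds a usable Client Authentication certificate, whether the server list hostname resolves at all (the case that produced the misleading "No valid certificates" error), and whether that hostname is the CN or a SAN of the gateway's certificate. `$VpnHost` and `$Port` are assumed parameters; run it as the non-admin user whose AnyConnect session fails.

```powershell
# Added diagnostic, not from the thread. $VpnHost is assumed to be the hostname
# from the AnyConnect profile's server list; $Port defaults to 443.
param(
    [Parameter(Mandatory = $true)][string]$VpnHost,
    [int]$Port = 443
)
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

# 1. Is there a machine certificate AnyConnect could actually use?
#    (private key present, not expired, Client Authentication EKU)
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    ($_.Extensions | Where-Object { $_ -is $ekuType } |
        ForEach-Object { $_.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid } })
}
if (-not $candidates) {
    Write-Warning 'No unexpired Client Authentication certificate with a private key in LocalMachine\My'
} else {
    $candidates | ForEach-Object { Write-Output "Machine cert candidate: $($_.Subject) (expires $($_.NotAfter))" }
}

# 2. Does the server list hostname resolve? In the thread, a resolution failure surfaced
#    as "No valid certificates available for authentication" instead of a DNS error.
try {
    $null = [System.Net.Dns]::GetHostAddresses($VpnHost)
} catch {
    Write-Warning "$VpnHost does not resolve; AnyConnect may report a certificate error instead"
    return
}

# 3. Does the hostname match the gateway certificate's CN or one of its SAN entries?
#    The callback only lets the handshake finish so the certificate can be read; it is not a trust decision.
$tcp = New-Object System.Net.Sockets.TcpClient($VpnHost, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($VpnHost)
$gw  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$tcp.Close()
$names  = @($gw.GetNameInfo('SimpleName', $false))          # CN / Subject Name
$sanExt = $gw.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($sanExt) {
    # Format() yields e.g. "DNS Name=vpn.example.test, DNS Name=gw.example.test"
    $names += @(($sanExt.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[-1] })
}
Write-Output "Gateway certificate names: $($names -join ', ')"
if ($names -contains $VpnHost) {
    Write-Output "$VpnHost matches the gateway certificate; the server list entry is consistent"
} else {
    Write-Warning "$VpnHost is neither the CN nor a SAN of the gateway certificate; use one of the names above in the server list"
}
```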