07-24-2015 02:12 PM - edited 02-21-2020 08:21 PM
My title says it all.
Is there any way to have AnyConnect access the machine certificate store on Windows 7 without requiring the AnyConnect application to run as admin?
Is there some setting to override this requirement? In the profile XML, through Windows GPO, etc.
What are others doing when they hit this issue?
07-24-2015 02:43 PM
Certificate Store Override - Allows an administrator to direct AnyConnect to search for certificates in the Windows machine certificate store when the user does not have administrator privileges on their device.
From:
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/anyconnect-profile-editor.html
07-24-2015 04:51 PM
Hi,
Thanks for replying. No. That does not work. I have already tried that option. I confirmed it was in the .xml and it still does not work.
Besides, my user has full admin rights on the test machine.
07-24-2015 04:53 PM
Hmm, that's usually all that's needed. Did you also select the machine store in your profile?
07-30-2015 05:07 PM
Yes. Machine store is selected. We have had it happen on two different ASA installations and two different test clients.
Any debug tools would be appreciated. Thanks.
07-24-2015 04:54 PM
Oh, btw, how are you debugging to see that AnyConnect can't find the certificate?
12-07-2017 10:42 AM
Additional Data: I am running the new Firepower 2100 series, with the first generation of software that supported AnyConnect on Firepower.
SOLVED/UPDATE: With the changes to the profile as stated above (Certificate Store Override and Store = Machine), I was still getting the error message. I found another thread here in the forums that referenced the idea that the hostname used in the profile must match that replied to by the ASA (FP in my case). In my case, the ASA was responding with the CN/Subject Name field. My Server list was using one of the Subject Alternative Names (SAN). So there was no trust problem. In troubleshooting this, I realized that during my troubleshooting, the network I was on had stopped resolving the server list's hostname altogether. Instead of giving me an "Unable to resolve host" message, the AnyConnect client was still insisting on giving me "No valid certificates available for authentication". I was able to repeat this at will. If I can't resolve the destination, the error message is quite misleading.
I am now able to connect using one of the SANs in the firepower's certificate. The client uses the local machine certificate even though I do not have administrative rights on the machine.
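The profile settings this thread arrives at, shown together as an added example that is not taken from the posts above or from Cisco's documentation; the display name and host address are placeholders and must be replaced with the name that actually matches the headend certificate's CN and resolves in DNS.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <!-- Search the Windows machine (Local Computer) store rather than the user store.
         The default value "All" or "User" will not find a machine-only certificate. -->
    <CertificateStore>Machine</CertificateStore>
    <!-- Let a non-administrator user's AnyConnect session read the machine store.
         With the default "false", the client only finds the certificate when run as admin. -->
    <CertificateStoreOverride>true</CertificateStoreOverride>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- Placeholder display name shown in the client drop-down -->
      <HostName>Corporate VPN</HostName>
      <!-- Placeholder address. Per the thread: use the name in the headend certificate's
           CN/Subject (not only a SAN), and make sure it resolves; a non-resolving name
           surfaces as "No valid certificates available for authentication", not as a DNS error. -->
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

If the error persists after these changes, check name resolution of the HostAddress from the client before looking at the certificate itself.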