10-18-2016 02:30 AM - edited 02-21-2020 09:01 PM
Hello.
I'm facing an annoying problem.
I'm trying to use a machine certificate to authenticate anyconnect to an asa.
All works properly if end user is an administrator.
If I try to connect with a non-administrator user, it fails to use the certificate (No valid certificates available for authentication).
I read many posts and docs, and I've found that we must set "Certificate Store Override" to permit AnyConnect to open the machine certificate using the service account, but even with this setting checked it doesn't work.
I've double checked the XML profile on the client, and it's downloaded properly (it contains "true" in the "Certificate Store Override" setting).
But, checking the security event viewer, I can see that AnyConnect tries to open the store using the user account and not the service account.
Tried with different versions of anyconnect (3.x and 4.x), with no luck.
I've followed this document:
and it looks like the only necessary thing is to check "Certificate Store Override" and to be sure that xml is downloaded to client.
Any help will be greatly appreciated.
Daniele
10-26-2016 04:06 AM
[SOLVED]
AnyConnect, when only using a Machine Certificate, double checks the ASA SSL cert, and it wants the certificate to match the name of the connection entry.
For example, if you connect to testvpn@example.com
on the ASA you need a cert issued to that name, or at least *.example.com.
The entry in the profile XML file cannot be an IP address, but must be an FQDN.
Hope to be useful.
Daniele
01-18-2017 02:25 PM
Hello, I have the exact same problem. I can get the client working fine if it is run as an administrator and I use admin credentials and then log in as the end user. However, our users are not admins either local or domain. Did you ever find out how to get it working?
01-18-2017 04:58 PM
You need to have the setting "Certificate Store Override" checked in the profile editor. This grants AnyConnect admin privileges to pick a certificate from the machine store when a non-domain user connects. Also, set the "Certificate Store" option in the profile to Machine or Both to allow it to look at the machine store for the cert.
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/anyconnect-profile-editor.html#ID-1430-00000061
Also, your ASA SSL cert should be trusted by the client. You should not receive an untrusted cert error when connecting to the ASA.
01-19-2017 09:35 AM
I have both of those settings as you mention but still get the certificate validation error unless I run the client as an admin with admin credentials. Normal users are not able to connect. There was previously no client profile and I added one to the group policy so I could make these settings you mention. So still stuck with non admins not being able to connect the client.
01-19-2017 09:43 AM
Ok, do you have the ASA FQDN in the Server list for the profile? The profile settings don't take effect unless you have the ASA FQDN (e.g. vpn.domain.com) in the host address field. Also, the FQDN must match the name of the SSL cert that the ASA presents during the handshake.
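The checks the answers above converge on (Certificate Store Override, Certificate Store, an FQDN rather than an IP in the server list, automatic certificate selection), as an added PowerShell script that is not from the thread or from Cisco. It assumes the default Windows profile directory and the standard AnyConnect profile XML element names.

```powershell
# Added example, not from the thread: check a deployed AnyConnect client
# profile for the settings this discussion converges on. Assumes the default
# Windows profile directory and the standard profile XML element names.
$ProfileDir = "$env:ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile"

function Test-AnyConnectMachineCertProfile {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    $findings = New-Object System.Collections.Generic.List[string]

    # Helper: text of a ClientInitialization child, or $null if absent.
    # local-name() sidesteps the profile's default XML namespace.
    function Get-Init([string]$name) {
        $n = $doc.SelectSingleNode("//*[local-name()='ClientInitialization']/*[local-name()='$name']")
        if ($n) { $n.InnerText.Trim() } else { $null }
    }

    if ((Get-Init 'CertificateStoreOverride') -ne 'true') {
        $findings.Add('CertificateStoreOverride is not true: non-admin users cannot open the machine store')
    }
    if ((Get-Init 'CertificateStore') -notin @('Machine', 'All')) {
        $findings.Add('CertificateStore is not Machine or All: the machine store will not be searched')
    }
    if ((Get-Init 'AutomaticCertSelection') -eq 'false') {
        $findings.Add('AutomaticCertSelection is false: the user will be prompted to pick a certificate')
    }

    # Every server entry must be an FQDN (not an IP) so the profile settings
    # apply and the name can match the ASA SSL certificate.
    $hosts = $doc.SelectNodes("//*[local-name()='HostEntry']/*[local-name()='HostAddress']")
    if ($hosts.Count -eq 0) { $findings.Add('ServerList has no HostEntry') }
    foreach ($h in $hosts) {
        $addr = $h.InnerText.Trim()
        $ip = $null
        if ([System.Net.IPAddress]::TryParse($addr, [ref]$ip) -or $addr -notmatch '\.') {
            $findings.Add("HostAddress '$addr' is not an FQDN")
        }
    }
    [pscustomobject]@{ Profile = $Path; Ok = ($findings.Count -eq 0); Findings = $findings }
}

Get-ChildItem -LiteralPath $ProfileDir -Filter *.xml |
    ForEach-Object { Test-AnyConnectMachineCertProfile -Path $_.FullName }
```

Run it on the client after the first connection, since the thread notes the profile is only updated on the first connect and applied on the second.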
01-19-2017 10:06 AM
Thanks Rahul! That has it working. Only now it asks me to approve (certificate selection) the certificate each time either as the non admin user or even the admin user.
01-19-2017 10:12 AM
There is a setting in the profile to disable this. Uncheck "disable automatic certificate selection" to get past this. It should be under preferences.
01-19-2017 10:30 AM
I tried that but still it asks to choose a certificate each time, for both admin and non admin users. I can select the local machine certificate and it goes forward and connects but this is a nuisance for it to ask each time. ...
Update. It eventually went away and stopped asking me to choose a certificate. Thanks for saving me a ton of time and effort Rahul. I just saw your reply come through about second connection, which is what must have been the case.
01-19-2017 10:30 AM
Did you change the setting on the ASA? The setting would take effect only on the second connection - it updates the profile on the first connection.
10-16-2018 11:26 PM
@Rahul Govindan, let us say I have an existing AnyConnect profile, then I change my tunnel group authentication from AAA to AAA+certificate, and then I change the profile settings, for example I set my certificate store to Machine since we don't have user certs and check the certificate store override, and then I deploy it.
Can the users still connect to the VPN even if they still don't have the updated profile? Remember, my tunnel group setting is now AAA+certificate.
10-17-2018 05:15 AM
@fatalXerror: They might be able to. Even without an AnyConnect client profile, the AnyConnect client may be able to look at the machine store, provided they have Admin rights. The Certificate Store Override feature explanation is this:
Certificate Store Override—Allows an administrator to direct AnyConnect to search for certificates in the Windows machine certificate store when the users do not have administrator privileges on their device.
Note: You must have a pre-deployed profile with this option enabled in order to connect with Windows using a machine certificate. If this profile does not exist on a Windows device prior to connection, the certificate is not accessible in the machine store, and the connection fails.
03-31-2020 06:20 AM
Hi @Rahul Govindan, Thank you for detailed explanation!
Is there some workaround in case the user machine doesn't have a pre-deployed profile with the Certificate Store Override option enabled?
10-30-2020 09:09 AM
Hi Guys, I set the Certificate Store Override option to enabled and it is still not working.
06-12-2021 09:07 AM
I tried everything mentioned in the post but none of the configuration/settings helped me to achieve Machine Authentication via AnyConnect over Remote VPN on the ASA. Then I did the below and it is working seamlessly on Windows machines.
We need to at least allow Read Only access to the private key of the certificate. By default the rights are only with System & Administrators.
1. Open MMC using admin rights and select machine certificate
2. Right click and under All Tasks, select manage private keys
3. Add the user (AD user) you want to be able to access the private key.
Note - To avoid security issues, ensure you grant Read Only access and not Full Control.
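The same private-key permission change as the three MMC steps above, as an added PowerShell script that is not the poster's own commands. It assumes the machine certificate's key is held by the Microsoft software CSP/KSP (a key file on disk, not a TPM or smart card); the thumbprint and user name are placeholders, and the ACL entry it adds is Read only, as the note requires.

```powershell
# Added example, not the poster's own commands: the same change as the MMC
# "Manage Private Keys" steps, scripted. Assumes the key lives in the Microsoft
# software CSP/KSP key store on disk; thumbprint and user are placeholders.
param(
    [string]$Thumbprint = '<MACHINE-CERT-THUMBPRINT>',
    [string]$User       = 'EXAMPLE\vpnuser'
)
$ErrorActionPreference = 'Stop'   # run elevated: the key directories are admin-only

function Get-MachineKeyFile([string]$Thumbprint) {
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if (-not $rsa) { throw "Certificate $Thumbprint has no accessible RSA private key" }
    # CNG (KSP) keys expose UniqueName; legacy CAPI (CSP) keys expose UniqueKeyContainerName
    $unique = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName }
              else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
    $dirs = @("$env:ProgramData\Microsoft\Crypto\Keys",
              "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys")
    $file = Get-ChildItem -LiteralPath $dirs -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object Name -eq $unique | Select-Object -First 1
    if (-not $file) { throw "Key container file '$unique' not found under $($dirs -join ', ')" }
    $file.FullName
}

function Grant-PrivateKeyRead([string]$KeyFile, [string]$Identity) {
    $acl  = Get-Acl -LiteralPath $KeyFile
    # Read only: enough for AnyConnect to use the key, not to export or replace it
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $KeyFile -AclObject $acl
    # Return the resulting entry so the grant can be verified
    (Get-Acl -LiteralPath $KeyFile).Access | Where-Object IdentityReference -eq $Identity
}

$keyFile = Get-MachineKeyFile -Thumbprint $Thumbprint
Grant-PrivateKeyRead -KeyFile $keyFile -Identity $User
```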