70810 Views · 31 Helpful · 15 Replies

[SOLVED] AnyConnect fails to use Machine Certificate for authentication

dimensyssrl
Level 1

Hello.

I'm facing an annoying problem.

I'm trying to use a machine certificate to authenticate AnyConnect to an ASA.

All works properly if the end user is an administrator.

If I try to connect with a non-administrator user, it fails to use the certificate (No valid certificates available for authentication).

I read many posts and docs, and I've found that we must set "Certificate Store Override" to allow AnyConnect to open the machine certificate using the service account, but even with this setting checked it doesn't work.

I've double-checked the XML profile on the client, and it's downloaded properly (it contains "true" in the "Certificate Store Override" setting).

But, checking the security event viewer, I can see that AnyConnect tries to open the store using the user account and not the service account.

I tried different versions of AnyConnect (3.x and 4.x), with no luck.

I've followed this document:

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/anyconnectadmin31/ac03vpn.html

and it looks like the only necessary things are to check "Certificate Store Override" and to be sure that the XML is downloaded to the client.

Any help will be greatly appreciated.

Daniele

15 Replies

dimensyssrl
Level 1

[SOLVED]

AnyConnect, when only using a Machine Certificate, double-checks the ASA SSL cert, and it wants the certificate to match the name of the connection entry.

For example, if you connect to testvpn@example.com

on the ASA you need a cert issued to that name, or at least *.example.com.

The entry in the profile XML file cannot be an IP address; it must be an FQDN.

Hope to be useful.

Daniele

patrick.ryan
Level 1

Hello, I have the exact same problem. I can get the client working fine if it is run as an administrator and I use admin credentials and then log in as the end user. However, our users are not admins, either local or domain. Did you ever find out how to get it working?

You need to have the setting "Certificate Store Override" checked in the profile editor. This grants AnyConnect admin privileges to pick a certificate from the machine store when a non-domain user connects. Also, set the "Certificate Store" option in the profile to Machine or Both to allow it to look at the machine store for the cert.

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/anyconnect-profile-editor.html#ID-1430-00000061

Also, your ASA SSL cert should be trusted by the client. You should not receive an untrusted cert error when connecting to the ASA.

I have both of those settings as you mention but still get the certificate validation error unless I run the client as an admin with admin credentials. Normal users are not able to connect. There was previously no client profile, and I added one to the group policy so I could make the settings you mention. So I am still stuck with non-admins not being able to connect the client.

OK, do you have the ASA FQDN in the Server list for the profile? The profile settings don't take effect unless you have the ASA FQDN (e.g. vpn.domain.com) in the host address field. Also, the FQDN must match the name of the SSL cert that the ASA presents during the handshake.
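The three profile conditions this thread converges on (Certificate Store Override enabled, Certificate Store set to Machine or All, and a ServerList HostAddress that is an FQDN matching the ASA SSL certificate) can be checked mechanically before a user ever tries to connect. The PowerShell below is an added example written for this page; it is not code from Cisco or from any poster. Element names follow the AnyConnect client profile schema (`ClientInitialization/CertificateStoreOverride`, `ClientInitialization/CertificateStore`, `ServerList/HostEntry/HostAddress`); the sample profile, the host name vpn.example.com and the certificate names fed to the wildcard check are constructed for illustration. On a real host, load the deployed profile from the AnyConnect Profile directory instead of the inline sample.

```powershell
# Added example: audit an AnyConnect client profile for machine-cert authentication
# by non-admin users. Sample data below is constructed, not taken from a real deployment.

function Get-XmlText($node) {
    # Dot-notation on [xml] yields a string for a plain element but an XmlElement when the
    # element carries attributes (e.g. UserControllable="true"); normalise both to text.
    if ($null -eq $node) { return $null }
    if ($node -is [System.Xml.XmlElement]) { return $node.InnerText.Trim() }
    return ([string]$node).Trim()
}

function Test-HostMatchesCertName {
    # True when the host address is covered by one of the certificate's DNS names,
    # either exactly or by a single-label wildcard such as *.example.com.
    param([string]$HostAddress, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -ieq $HostAddress) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                       # ".example.com"
            $prefixLen = $HostAddress.Length - $suffix.Length
            if ($prefixLen -gt 0 -and
                $HostAddress.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase) -and
                -not $HostAddress.Substring(0, $prefixLen).Contains('.')) { return $true }
        }
    }
    return $false
}

function Test-AnyConnectMachineCertProfile {
    param([Parameter(Mandatory)][xml]$Profile, [string[]]$AsaCertNames)
    $init     = $Profile.AnyConnectProfile.ClientInitialization
    $entries  = @($Profile.AnyConnectProfile.ServerList.HostEntry)
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Without Certificate Store Override, the client cannot open the machine store
    #    on behalf of a user who lacks administrator rights.
    if ((Get-XmlText $init.CertificateStoreOverride) -ne 'true') {
        $findings.Add('CertificateStoreOverride is not true: non-admin users cannot reach the machine store')
    }
    # 2. The store selection must include the machine store.
    $store = Get-XmlText $init.CertificateStore
    if ($store -notin @('Machine', 'All')) {
        $findings.Add("CertificateStore is '$store'; expected Machine or All")
    }
    # 3. Profile settings only apply to hosts listed by FQDN, and that FQDN has to
    #    match the name on the ASA SSL certificate.
    if ($entries.Count -eq 0) { $findings.Add('ServerList has no HostEntry; profile settings will not apply') }
    foreach ($e in $entries) {
        $addr = Get-XmlText $e.HostAddress
        $parsed = $null
        if ([System.Net.IPAddress]::TryParse($addr, [ref]$parsed)) {
            $findings.Add("HostAddress '$addr' is an IP address; use the FQDN on the ASA certificate")
        } elseif ($AsaCertNames -and -not (Test-HostMatchesCertName $addr $AsaCertNames)) {
            $findings.Add("HostAddress '$addr' does not match any ASA certificate name ($($AsaCertNames -join ', '))")
        }
    }
    return ,$findings.ToArray()
}

# Constructed sample profile (placeholder host names); a real one lives under
# "$env:ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\*.xml".
$sampleProfile = [xml]@'
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
    <CertificateStore>Machine</CertificateStore>
    <CertificateStoreOverride>true</CertificateStoreOverride>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Corporate VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
'@

# Constructed names as they might appear on the ASA's SSL certificate (CN / SAN).
$asaNames = @('*.example.com')

$result = Test-AnyConnectMachineCertProfile -Profile $sampleProfile -AsaCertNames $asaNames
if ($result.Count -eq 0) { 'Profile satisfies all three conditions' } else { $result }
```

Replace `$sampleProfile` with `[xml](Get-Content -Raw <deployed profile path>)` and `$asaNames` with the DNS names read from the ASA's certificate to audit an actual deployment; any finding printed corresponds to one of the misconfigurations discussed in the replies above.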

Thanks Rahul! That has it working. Only now it asks me to approve (certificate selection) the certificate each time either as the non admin user or even the admin user. 

There is a setting in the profile to disable this. Uncheck "Disable automatic certificate selection" to get past this. It should be under Preferences.

I tried that but it still asks to choose a certificate each time, for both admin and non-admin users. I can select the local machine certificate and it goes forward and connects, but it is a nuisance for it to ask each time.

Update. It eventually went away and stopped asking me to choose a certificate. Thanks for saving me a ton of time and effort, Rahul. I just saw your reply come through about the second connection, which must have been the case.

Did you change the setting on the ASA? The setting would take effect only on the second connection; it updates the profile on the first connection.

@Rahul Govindan, let us say I have an existing AnyConnect profile. Then I change my tunnel group authentication from AAA to AAA+certificate, and then I change the profile settings, for example I set my certificate store to machine (since we don't have user certs) and check the certificate store override, and then I deploy it.

Can the users still connect to the VPN even if they don't have the updated profile yet? Remember, my tunnel group setting is now AAA+certificate.

@fatalXerror: They might be able to. Even without an AnyConnect client profile, the AnyConnect client may be able to look at the machine store, provided they have admin rights. The Certificate Store Override feature explanation is this:

Certificate Store Override: Allows an administrator to direct AnyConnect to search for certificates in the Windows machine certificate store when the users do not have administrator privileges on their device.

Note: You must have a pre-deployed profile with this option enabled in order to connect with Windows using a machine certificate. If this profile does not exist on a Windows device prior to connection, the certificate is not accessible in the machine store, and the connection fails.

Hi @Rahul Govindan, thank you for the detailed explanation!

Is there some workaround in case the user machine doesn't have a pre-deployed profile with the Certificate Store Override option enabled?

Hi guys, I set the Certificate Store Override option to enabled and it is still not working.

miteshrm
Level 1

I tried everything mentioned in the post but none of the configuration/settings helped me to achieve machine authentication via AnyConnect over remote VPN on the ASA. Then I did the below and it is working seamlessly on a Windows machine.

We need to at least allow read-only access to the private key of the certificate. By default, rights are only held by SYSTEM and Administrators.

1. Open MMC with admin rights and select the machine certificate.

2. Right-click and, under All Tasks, select Manage Private Keys.

3. Add the user (AD user) you want to be able to access the private key.

Note: to avoid security issues, ensure you grant Read-only access and not Full Control.
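The MMC steps above (Manage Private Keys, add the AD user, Read only) amount to adding one ACE to the file that holds the certificate's private key under ProgramData\Microsoft\Crypto. The PowerShell below does the same thing from an elevated prompt and then lists the resulting ACL so the grant can be verified. It is an added example written for this page, not code from the poster or from Cisco; the thumbprint and the user name are placeholders, and it assumes an RSA key held by either a legacy CSP (key file under RSA\MachineKeys) or CNG (key file under Keys), which covers the usual Windows machine certificates.

```powershell
# Added example: grant an AD user Read-only access to a machine certificate's private key.
# Run elevated. Thumbprint and identity below are placeholders, not values from the thread.
param(
    [Parameter(Mandatory)][string]$Thumbprint,   # e.g. 'PLACEHOLDER_THUMBPRINT'
    [Parameter(Mandatory)][string]$Identity      # e.g. 'DOMAIN\username'
)

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }

# Resolve the key container file name. CNG keys expose it via CngKey.UniqueName,
# legacy CSP keys via CspKeyContainerInfo.UniqueKeyContainerName.
$keyName = $null
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
try {
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyName = $rsa.Key.UniqueName
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
} finally {
    if ($rsa) { $rsa.Dispose() }
}
if (-not $keyName) { throw 'Could not determine the private key container (non-RSA key or hardware-backed key?)' }

# Machine keys live under ProgramData\Microsoft\Crypto; the subfolder depends on the provider.
$candidates = @(
    (Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"),
    (Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$keyName")
)
$keyFile = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Key file '$keyName' not found under ProgramData\Microsoft\Crypto" }

# Grant Read only. Full Control would let the user replace or delete the key, which the
# post's note warns against; Read is enough for the AnyConnect client to use it.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Verify: show every principal with access to the key and the rights they hold.
(Get-Acl -Path $keyFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

Invoke it as `.\Grant-MachineKeyRead.ps1 -Thumbprint <thumbprint> -Identity 'DOMAIN\username'` (file name is an assumption). The final listing is the check worth keeping: SYSTEM and Administrators should still hold FullControl, and the added user should appear with Read only. Granting the same ACE to a group rather than individual users scales better when many non-admin users share the machine certificate.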
