[SOLVED] AnyConnect fails to use Machine Certificate for authentication
10-18-2016 02:30 AM - edited 02-21-2020 09:01 PM
Hello.
I'm facing an annoying problem.
I'm trying to use a machine certificate to authenticate AnyConnect to an ASA.
All works properly if the end user is an administrator.
If I try to connect with a non-administrator user, it fails to use the certificate (No valid certificates available for authentication).
I read many posts and docs, and I've found that we must set "Certificate Store Override" to permit AnyConnect to open the machine certificate using the service account, but even with this setting checked it doesn't work.
I've double-checked the XML profile on the client, and it's downloaded properly (it contains "true" in the "Certificate Store Override" setting).
But, checking the security event viewer, I can see that AnyConnect tries to open the store using the user account and not the service account.
I tried different versions of AnyConnect (3.x and 4.x), with no luck.
I've followed this document:
and it looks like the only necessary thing is to check "Certificate Store Override" and to be sure that the XML is downloaded to the client.
Any help will be greatly appreciated.
Daniele
Labels: AnyConnect
07-11-2022 04:14 AM
@miteshrm wrote:
We need to at least allow Read Only Access to the Private Key of the Certificate...By default rights are only with System & Administrator
Note - To avoid security issues ensure to grant Read Only access and not Full Control
This is a great hint; it helped to resolve the problem with one test machine and gather more evidence.
However, the more global and scalable solution is to predeploy the profile with the Certificate Store Override option.
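An added audit script to go with the two points above (it is not from the thread or from Cisco): it lists who can read each machine certificate's private key file, and checks whether the deployed AnyConnect profile actually carries CertificateStoreOverride=true. It assumes the default AnyConnect profile directory and the standard CAPI/CNG machine key locations; run it elevated on the client.

```powershell
# Added example, not from the thread. Assumed default AnyConnect profile directory.
$ProfileDir = 'C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile'

function Get-MachineKeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $null }
    $base = Join-Path $env:ProgramData 'Microsoft\Crypto'
    # Legacy CSP (CAPI) keys live under RSA\MachineKeys
    try {
        $capi = $Cert.PrivateKey
        if ($capi -and $capi.CspKeyContainerInfo) {
            $p = Join-Path $base ("RSA\MachineKeys\" + $capi.CspKeyContainerInfo.UniqueKeyContainerName)
            if (Test-Path $p) { return $p }
        }
    } catch {}
    # CNG keys live under Keys (or SystemKeys)
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            foreach ($sub in 'Keys', 'SystemKeys') {
                $p = Join-Path $base ($sub + '\' + $rsa.Key.UniqueName)
                if (Test-Path $p) { return $p }
            }
        }
    } catch {}
    return $null
}

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $keyFile = Get-MachineKeyFile $cert
    Write-Host "`n$($cert.Subject) [thumbprint $($cert.Thumbprint)]"
    if (-not $keyFile) { Write-Host '  private key file not found (no key, or hardware/TPM-backed)'; continue }
    # The account AnyConnect uses must appear here (directly or via a group) with at least Read
    (Get-Acl $keyFile).Access | ForEach-Object {
        Write-Host ('  {0,-40} {1,-6} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights)
    }
}

# Check each deployed profile for the override flag discussed in the thread
Get-ChildItem -Path $ProfileDir -Filter '*.xml' -ErrorAction SilentlyContinue | ForEach-Object {
    [xml]$xml = Get-Content $_.FullName
    $init     = $xml.AnyConnectProfile.ClientInitialization
    Write-Host "`nProfile $($_.Name): CertificateStore=$($init.CertificateStore) CertificateStoreOverride=$($init.CertificateStoreOverride)"
    if ($init.CertificateStoreOverride -ne 'true') {
        Write-Host '  WARNING: CertificateStoreOverride is not true; non-admin users will not get the machine store'
    }
}
```

Entries granting only SYSTEM and Administrators on the key file reproduce the "works only for administrators" symptom from the original post; fix it with a Read-only grant as the quoted reply says, not Full Control.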
