10-18-2016 02:30 AM - edited 02-21-2020 09:01 PM
Hello.
I'm facing an annoying problem.
I'm trying to use a machine certificate to authenticate AnyConnect to an ASA.
All works properly if the end user is an administrator.
If I try to connect with a non-administrator user, it fails to use the certificate (No valid certificates available for authentication).
I have read many posts and docs and found that we must set "Certificate Store Override" to allow AnyConnect to open the machine certificate using the service account, but even with this setting checked it doesn't work.
I've double checked the XML profile on the client, and it's downloaded properly (it contains "true" in the "Certificate Store Override" setting).
But, checking the security event viewer, I can see that AnyConnect tries to open the store using the user account and not the service account.
Tried with different versions of AnyConnect (3.x and 4.x), with no luck.
I've followed this document:
and it looks like the only necessary thing is to check "Certificate Store Override" and to be sure that the XML is downloaded to the client.
Any help will be greatly appreciated.
Daniele
07-11-2022 04:14 AM
@miteshrm wrote:
We need to at least allow Read Only Access to the Private Key of the Certificate...By default rights are only with System & Administrator
Note - To avoid security issues ensure to grant Read Only access and not Full Control
This is a great hint; it helped resolve the problem with one test machine and gather more evidence.
However, the more global and scalable solution is to predeploy a profile with the Certificate Store Override option.
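To check the private-key permissions that @miteshrm's reply refers to before changing anything, here is an added PowerShell example (not code from the thread or from Cisco) that locates the key file behind a LocalMachine\My certificate and lists its ACL. It assumes Windows PowerShell 5.1 or later, an elevated session, and that the machine certificate's subject contains the host name (the $SubjectMatch pattern is an assumption to adjust for your deployment).

```powershell
# Added example: find the private key file of a machine certificate and show who can read it.
# Assumption: the certificate subject contains the computer name (adjust $SubjectMatch).

function Get-MachineCertPrivateKeyPath {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if (-not $Cert.HasPrivateKey) { return $null }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)

    # CNG-stored machine keys live under %ProgramData%\Microsoft\Crypto\Keys
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
    }
    # Legacy CAPI machine keys live under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
    }
    return $null
}

function Get-PrivateKeyAccess {
    param([Parameter(Mandatory)][string]$KeyPath)
    # One row per ACE: who, which rights, allow or deny. By default only SYSTEM and Administrators appear.
    (Get-Acl -Path $KeyPath).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

function Grant-PrivateKeyRead {
    param([Parameter(Mandatory)][string]$KeyPath, [Parameter(Mandatory)][string]$Identity)
    # Read only, as the reply advises: never grant Full Control on a machine key.
    $acl  = Get-Acl -Path $KeyPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
}

# Usage: inspect the machine certificate's key ACL (read-only operation)
$SubjectMatch = "*$env:COMPUTERNAME*"
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like $SubjectMatch } |
    Select-Object -First 1
if ($null -eq $cert) { throw "No machine certificate matching $SubjectMatch in LocalMachine\My" }

$keyPath = Get-MachineCertPrivateKeyPath -Cert $cert
if (-not $keyPath -or -not (Test-Path $keyPath)) { throw "Could not resolve the private key file for $($cert.Thumbprint)" }

Write-Host "Certificate: $($cert.Subject)  Key file: $keyPath"
Get-PrivateKeyAccess -KeyPath $keyPath | Format-Table -AutoSize

# Only for a single test machine, as in the reply (the scalable fix is the profile's Certificate Store Override):
# Grant-PrivateKeyRead -KeyPath $keyPath -Identity 'BUILTIN\Users'
```

Run the inspection first on the machine where the non-administrator logon fails; the ACL listing tells you whether the user's process could even open the key, which is what the "No valid certificates available" error hides.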