I'm facing an annoying problem.
I'm trying to use a machine certificate to authenticate anyconnect to an asa.
All works properly if end user is an administrator.
If I try to connect with a non-administrator user, it fails to use the certificate (No valid certificates available for authentication).
I've read many posts and docs and found that we must set "Certificate Store Override" to permit AnyConnect to open the machine certificate using the service account, but even with this setting checked it doesn't work.
I've double checked xml profile into client, and it's downloaded properly (it contains "true" in "Certificate Store Override" setting).
But, checking the security event viewer, I can see that AnyConnect tries to open the store using the user account and not the service account.
Tried with different versions of AnyConnect (3.x and 4.x), with no luck.
I've followed this document:
and it looks like the only necessary things are to check "Certificate Store Override" and to be sure that the XML is downloaded to the client.
Any help will be greatly appreciated.
AnyConnect, when only using a Machine Certificate, double-checks the ASA SSL cert, and it wants the certificate to match the name of the connection entry.
For example, if you connect to firstname.lastname@example.org
on the ASA you need a cert issued to that name, or at least *.example.com.
The entry in the profile XML file cannot be an IP address; it must be an FQDN.
Hope this is useful.
Hello, I have the exact same problem. I can get the client working fine if it is run as an administrator and I use admin credentials and then log in as the end user. However, our users are not admins, either local or domain. Did you ever find out how to get it working?
You need to have the setting "Certificate Store Override" checked in the profile editor. This grants AnyConnect admin privileges to pick a certificate from the machine store when a non-domain user connects. Also, set the "Certificate Store" option in the profile to Machine or Both to allow it to look at the machine store for the cert.
Also, your ASA SSL cert should be trusted by the client. You should not receive an untrusted cert error when connecting to the ASA.
I have both of those settings as you mention but still get the certificate validation error unless I run the client as an admin with admin credentials. Normal users are not able to connect. There was previously no client profile, and I added one to the group policy so I could make the settings you mention. So I'm still stuck with non-admins not being able to connect the client.
OK, do you have the ASA FQDN in the Server list for the profile? The profile settings don't take effect unless you have the ASA FQDN (e.g. vpn.domain.com) in the host address field. Also, the FQDN must match the name of the SSL cert that the ASA presents during the handshake.
Thanks Rahul! That has it working. Only now it asks me to approve (certificate selection) the certificate each time either as the non admin user or even the admin user.
There is a setting in the profile to disable this. Uncheck "disable automatic certificate selection" to get past this. It should be under preferences.
I tried that, but it still asks to choose a certificate each time, for both admin and non-admin users. I can select the local machine certificate and it goes forward and connects, but it is a nuisance for it to ask each time. ...
Update. It eventually went away and stopped asking me to choose a certificate. Thanks for saving me a ton of time and effort Rahul. I just saw your reply come through about second connection, which is what must have been the case.
Did you change the setting on the ASA? The setting would take effect only on the second connection; it updates the profile on the first connection.
@Rahul Govindan, let us say I have an existing AnyConnect profile, then I change my tunnel group authentication from AAA to AAA+certificate, and then I change the profile settings, for example I set my certificate store to Machine since we don't have user certs and check the certificate store override, and then I deploy it.
Can the users still connect to the VPN even if they don't have the updated profile yet? Remember, my tunnel group setting is now AAA+certificate.
@fatalXerror: They might be able to. Even without an AnyConnect client profile, the AnyConnect client may be able to look at the machine store, provided they have admin rights. The Certificate Store Override feature explanation is this:
Certificate Store Override—Allows an administrator to direct AnyConnect to search for certificates in the Windows machine certificate store when the users do not have administrator privileges on their device.
You must have a pre-deployed profile with this option enabled in order to connect with Windows using a machine certificate. If this profile does not exist on a Windows device prior to connection, the certificate is not accessible in the machine store, and the connection fails.
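As an added example (not code from this thread or from Cisco), below is a small Python checker that parses an AnyConnect client profile XML and reports the conditions the replies above list: CertificateStoreOverride set to true, CertificateStore set so the machine store is searched, AutomaticCertSelection set to true so the user is not prompted, and a ServerList HostAddress that is an FQDN (not an IP address) matching a name on the ASA's SSL certificate, with a wildcard allowed in the leftmost label only. The XML element names are those the AnyConnect profile editor writes; the two sample profiles, the hostnames and the certificate names are constructed for the example, and the ASA certificate names are passed in as a list rather than read from a live TLS handshake.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: a profile with the settings the thread says a
# non-admin machine-certificate connection needs.
GOOD_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticCertSelection>true</AutomaticCertSelection>
    <CertificateStore>Machine</CertificateStore>
    <CertificateStoreOverride>true</CertificateStoreOverride>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Corp VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Constructed sample: override left off and an IP address as the host entry,
# the two mistakes the thread discusses.
BAD_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticCertSelection>false</AutomaticCertSelection>
    <CertificateStore>User</CertificateStore>
    <CertificateStoreOverride>false</CertificateStoreOverride>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Corp VPN</HostName>
      <HostAddress>203.0.113.10</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def _local(tag):
    """Strip the default namespace the profile editor puts on every element."""
    return tag.rsplit("}", 1)[-1]


def _find_text(root, name):
    """Text of the first element named `name` (namespace-agnostic), or None."""
    for el in root.iter():
        if _local(el.tag) == name and el.text is not None:
            return el.text.strip()
    return None


def is_fqdn(host):
    """True when `host` is a dotted name and not an IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return "." in host


def hostname_matches(fqdn, cert_name):
    """Match a host name against a certificate CN/SAN; '*' only in the
    leftmost label and only for exactly one label (RFC 6125 style)."""
    h = fqdn.lower().rstrip(".").split(".")
    c = cert_name.lower().rstrip(".").split(".")
    if c[0] == "*":
        return len(h) == len(c) and h[1:] == c[1:]
    return h == c


def profile_findings(xml_text, asa_cert_names):
    """Return a list of problems; an empty list means the profile satisfies
    every condition named in the thread for a non-admin machine-cert user."""
    root = ET.fromstring(xml_text)
    findings = []
    if (_find_text(root, "CertificateStoreOverride") or "").lower() != "true":
        findings.append("CertificateStoreOverride is not true: "
                        "non-admin users cannot open the machine store")
    store = _find_text(root, "CertificateStore") or ""
    # The editor writes Machine, User or All (All is the "both stores" value).
    if store not in ("Machine", "All"):
        findings.append(f"CertificateStore is {store!r}; Machine or All is "
                        "needed to search the machine store")
    if (_find_text(root, "AutomaticCertSelection") or "").lower() != "true":
        findings.append("AutomaticCertSelection is not true: the user will "
                        "be prompted to pick a certificate")
    entries = [e for e in root.iter() if _local(e.tag) == "HostEntry"]
    if not entries:
        findings.append("ServerList has no HostEntry; the profile settings "
                        "are not applied to an ad hoc host")
    for entry in entries:
        addr = _find_text(entry, "HostAddress") or ""
        if not addr:
            findings.append("HostEntry without a HostAddress")
        elif not is_fqdn(addr):
            findings.append(f"HostAddress {addr!r} is an IP address, not an FQDN")
        elif not any(hostname_matches(addr, n) for n in asa_cert_names):
            findings.append(f"HostAddress {addr!r} does not match the ASA "
                            f"certificate names {asa_cert_names}")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("good", GOOD_PROFILE), ("bad", BAD_PROFILE)):
        print(label, profile_findings(xml_text, ["*.example.com"]) or "OK")
```

Run it against the profile AnyConnect actually downloaded (on Windows the per-user and machine copies live under the AnyConnect "Profile" directory) and against the subject/SAN names of the certificate the ASA presents; an empty list is the state the replies describe as working, and each finding names the profile element to change. Remember from the thread that a profile edit on the ASA only reaches the client on the next connection, so the downloaded copy is what to check, not the one in the profile editor.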
Hi @Rahul Govindan, Thank you for detailed explanation!
Is there some workaround in case the user machine doesn't have a pre-deployed profile with the Certificate Store Override option enabled?