[SOLVED] AnyConnect fails to use Machine Certificate for authentication

dimensyssrl
Level 1

Hello.

I'm facing an annoying problem.

I'm trying to use a machine certificate to authenticate AnyConnect to an ASA.

Everything works properly if the end user is an administrator.

If I try to connect with a non-administrator user, it fails to use the certificate ("No valid certificates available for authentication").

I read many posts and docs, and I've found that we must set "Certificate Store Override" to permit AnyConnect to open the machine certificate using the service account, but even with this setting checked it doesn't work.

I've double-checked the XML profile on the client, and it's downloaded properly (it contains "true" in the "Certificate Store Override" setting).

But, checking the security event viewer, I can see that AnyConnect tries to open the store using the user account and not the service account.

Tried with different versions of AnyConnect (3.x and 4.x), with no luck.

I've followed this document:

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/anyconnectadmin31/ac03vpn.html

and it looks like the only necessary things are to check "Certificate Store Override" and to be sure that the XML is downloaded to the client.

Any help will be greatly appreciated.

Daniele

15 Replies


@miteshrm wrote:

We need to at least allow Read Only Access to the Private Key of the Certificate... By default rights are only with System & Administrator

Note - To avoid security issues ensure to grant Read Only access and not Full Control


This is a great hint, it helped to resolve the problem with one test machine and gather more evidence.

However, the more global and scalable solution is to predeploy the profile with the Certificate Store Override option.
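To check the private key permissions miteshrm's hint refers to across a fleet, the following audit script is an added example, not code from this thread or from Cisco: it walks the LocalMachine\My store, locates each certificate's private key file under the default Windows key directories (assumed paths: `%ProgramData%\Microsoft\Crypto\RSA\MachineKeys` for CSP keys and `%ProgramData%\Microsoft\Crypto\Keys` for CNG keys) and flags any principal other than SYSTEM or Administrators that holds more than read access.

```powershell
# Added example (not from the thread): audit NTFS ACLs on machine-certificate private keys.
# Assumes the default key directories; TPM/smart-card keys have no file and are reported as such.
$allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$keyDirs = @(
    (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'),  # legacy CSP keys
    (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys')              # CNG (KSP) keys
)
# Any of these rights means the principal can alter or remove the key, i.e. more than Read.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-MachineKeyFile([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    # CSP keys expose the container file name via CspKeyContainerInfo;
    # CNG keys via Key.UniqueName on the RSA handle. Try both, then search both directories.
    $name = $null
    try { $name = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName } catch { }
    if (-not $name) {
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa.Key) { $name = $rsa.Key.UniqueName }
        } catch { }
    }
    if (-not $name) { return $null }
    foreach ($dir in $keyDirs) {
        $path = Join-Path $dir $name
        if (Test-Path $path) { return $path }
    }
    return $null
}

Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    $cert = $_
    $keyFile = Get-MachineKeyFile $cert
    if (-not $keyFile) {
        Write-Warning "$($cert.Thumbprint) $($cert.Subject): no key file found (hardware-backed key or non-default path)"
        return   # continue with the next certificate
    }
    foreach ($ace in (Get-Acl $keyFile).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($allowed -contains $who) { continue }
        $excess  = ($ace.FileSystemRights -band $writeMask) -ne 0
        $verdict = if ($excess) { 'EXCESSIVE: more than Read' } else { 'ok: read-level only' }
        '{0} | {1} | {2} | {3}' -f $cert.Thumbprint, $who, $ace.FileSystemRights, $verdict
    }
}
```

Run it in an elevated PowerShell session; rows marked EXCESSIVE are the entries that should be reduced to Read, as the quoted reply recommends.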