AnyConnect client 2.4 and machine certificate

Oct 23rd, 2009

Hi All!

I'm trying to configure AnyConnect to use our domain-issued machine certificate for authentication together with a RADIUS OTP password.

My problem is that the AnyConnect client does not find my machine certificate.

I have configured an XML file with:

<AutomaticCertSelection UserControllable="false">false</AutomaticCertSelection>

The AnyConnect client starts and I see a popup with "Looking for credential tiles" and directly after it "No certificates found"; this is on Windows 7. On Windows XP I also get a popup to choose a certificate, but it is empty.

I also see part of a message that I do believe means "No certificates meet the application criteria" on the Windows 7 machine.

Please, anyone else who has tried this and has some suggestions: I really need this to work!



Yudong Wu Fri, 10/23/2009 - 13:34

1. Can you confirm whether the machine cert is installed?

2. Can you confirm whether the user has the right to access the machine cert?

If I remember correctly, "true" should let a regular user use the "machine cert".

AgressoAB Sun, 10/25/2009 - 04:49

Thanks for replying! :)

Yes, the machine cert is there and I'm local admin on the computer. I also tried the CertificateStoreOverride in the XML file, but no luck.

There must be some kind of criteria that the AnyConnect client looks at but cannot find in my cert?

Is the config on the firewall involved in this first stage, when the AnyConnect client looks for the certificate? Could it be a config error on the firewall?

Yudong Wu Mon, 10/26/2009 - 09:17

If the PC does have the machine cert and the user does have the access right to it, could you please verify whether your machine cert is valid?

Based on "get a popup to choose certificate but it is empty", I am thinking of an issue with your machine cert.

On the ASA side, do you have the ID cert and CA cert installed?
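The checks raised in this thread (is the machine cert installed, can the user reach its private key, is the cert valid) as one PowerShell script. This is an added diagnostic, not code from the thread or from Cisco; it assumes the machine certificate sits in the LocalMachine\My store, that it runs in an elevated session, and that a domain-issued client cert is expected to carry the Client Authentication EKU; the MachineKeys path is the default CSP key-container location on Windows 7-era systems.

```powershell
# Added diagnostic (not from the thread): list machine certificates and report the
# properties a VPN client needs before it will offer one of them. Run elevated.
$now = Get-Date

foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    Write-Host "Subject : $($cert.Subject)"
    Write-Host "Issuer  : $($cert.Issuer)"
    Write-Host "Valid   : $($cert.NotBefore) - $($cert.NotAfter)"

    # 1. Validity window
    $inDate = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
    Write-Host "  time-valid      : $inDate"

    # 2. Chain builds to a trusted root (revocation skipped so the check works offline)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    Write-Host "  chain-valid     : $chainOk"
    if (-not $chainOk) {
        $chain.ChainStatus | ForEach-Object { Write-Host "    $($_.Status): $($_.StatusInformation.Trim())" }
    }

    # 3. Client Authentication EKU (1.3.6.1.5.5.7.3.2); a cert with no EKU extension allows any usage
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $hasClientAuth = ($ekus.Count -eq 0) -or ($ekus -contains '1.3.6.1.5.5.7.3.2')
    Write-Host "  client-auth EKU : $hasClientAuth"

    # 4. Private key present and readable by the current user; for CSP keys, show the key-container ACL
    Write-Host "  has private key : $($cert.HasPrivateKey)"
    if ($cert.HasPrivateKey) {
        try {
            $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
            $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
            if (Test-Path $keyPath) {
                (Get-Acl $keyPath).Access | ForEach-Object {
                    Write-Host "    $($_.IdentityReference) : $($_.FileSystemRights)"
                }
            }
        } catch {
            # Reaching this branch means the key exists but this account cannot open it
            Write-Host "  private key NOT accessible to $env:USERNAME : $($_.Exception.Message)"
        }
    }
    Write-Host ""
}
```

A cert that shows time-valid, chain-valid, the Client Authentication EKU and an accessible private key has passed the checks in this thread; anything that fails here is what to fix before looking at the ASA side.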

AgressoAB Mon, 10/26/2009 - 11:31

Yes, the ID cert and CA cert are installed; it works.

The machine cert worked when I tried the Cisco IPsec VPN client: it finds it and I can connect and authenticate, but not with AnyConnect.

Yudong Wu Mon, 10/26/2009 - 14:37

Can you try to disable "User Account Control" and try it again?

If it still does not work, please open a case with TAC.

AgressoAB Tue, 10/27/2009 - 04:38

UAC disabled, same error, TAC case opened, thanks for your help!
