Hello to all
This problem seems to be bothering a lot of the ASA administrators around the world.
It also seems to be coincidence that determines whether or not you will be successful with this setup. (Just have a look at this forum.)
Anyway I get this error at the web login page:
"Certificate Validation Failure"
And when debugging (Debug webvpn 255) at the ASA I get the message:
"Embedded CA Server not enabled. Logging out the user."
I did encounter this pain-in-the-ass issue for the first time when I was testing the AnyConnect Client and the XML profile options in my testlab.
At my main ASA, on which I (hopefully) will have this service running for my users, it actually works - with the result that I now do not dare to change anything, in case it should not work afterwards.
The very strange thing to me is, my testlab is an exact copy of the setup that is working.
My testlab setup:
MS Domain (Enterprise 2003) consisting of 3 servers: a DC/DNS, a CA server (no SubCAs, only one Certificate Authority server), and an IAS server to authenticate the credentials. On the CA server, I have made a duplicate of the RAS and IAS server certificate template, which I plan to use for the Identity certificate on the ASA.
ASA5510 version 8.0(4) - it uses the IAS server for telnet and ASDM logins, so that part is working. Also, when setting the AnyConnect Connection Profile to use only AAA to authenticate, it is working.
I have tried many times, making new ADs, clearing all config on the ASA, setting it up from the beginning. Every time I am stuck with the certificate validation failure.
I usually enroll the certificates manually on the ASA through the CLI, but have also tried using SCEP. Same result.
Also, when installing certificates on the ASA, I have tried first making one trustpoint for the CA certificate, authenticated successfully, then making another trustpoint for the Identity certificate, also authenticated successfully with the CA certificate, and then enrolled and successfully imported the duplicate certificate from my CA. I have also tried, as this configuration example shows -> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808b3cff.shtml#step2 - to make only one trustpoint for both certificates.
No matter what I do, I still get that error message.
I have checked the clock numerous times in both the AD and on the ASA - it is correct. Also checked the valid period for all certificates (in the details for the certificates) - it is also correct.
I see NO ERROR messages anywhere except when trying to log in at the web login page and through the AnyConnect Client, version 2.3 or 2.4, doesn't matter.
I have attached some config output from the ASA. And if anyone should notice and question it, then, Yes - it is my plan to enable the SSLVPN service on the ASA's inside interface. I haven't attached any debug outputs, since they all show the same message, "Embedded CA server not enabled...."
My client certificates are attached so please have a look if you can find any errors.
I want to only use the Machine certificate to authenticate the ASA, but just in case I have provided my client with a usercert too.
If you need more to help me out with this, please tell.
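For readers following this thread, here is the two-trustpoint layout the post describes (CA certificate in one trustpoint, ASA identity certificate in a second) written out as an ASA 8.0 CLI reference. This is an added example, not the poster's attached configuration and not Cisco's configuration example linked above; trustpoint names, key label, hostnames, the tunnel-group name and the use of the inside interface are assumptions.

```cisco
! Added reference configuration (not the poster's config). Names and values are assumptions.

! RSA keypair used by the identity certificate
crypto key generate rsa label ASA-SSL-KEY modulus 2048

! Trustpoint 1: holds only the enterprise CA certificate (the issuer of both
! the ASA identity certificate and the client machine certificates)
crypto ca trustpoint LAB-ROOT-CA
 enrollment terminal
crypto ca authenticate LAB-ROOT-CA
! paste the base64 CA certificate here, then type "quit"

! Trustpoint 2: the ASA identity certificate issued from the duplicated
! RAS/IAS template on that same CA
crypto ca trustpoint ASA-IDENTITY
 enrollment terminal
 keypair ASA-SSL-KEY
 subject-name CN=asa.lab.example,O=Lab
 fqdn asa.lab.example
crypto ca authenticate ASA-IDENTITY
! paste the CA certificate again, then "quit"
crypto ca enroll ASA-IDENTITY
! copy the printed CSR to the CA, issue it, then import the result
crypto ca import ASA-IDENTITY certificate
! paste the base64 identity certificate, then "quit"

! Present the identity certificate on the interface terminating SSL VPN
ssl trust-point ASA-IDENTITY inside
! Ask the client for a certificate on that interface and validate it
ssl certificate-authentication interface inside port 443

! Connection profile that authenticates with the client certificate only
tunnel-group LAB-SSLVPN type remote-access
tunnel-group LAB-SSLVPN webvpn-attributes
 authentication certificate

! Verification: both trustpoints should list their certificates, and the
! identity certificate must show the CA as its issuer
show crypto ca trustpoints
show crypto ca certificates
```

Two checks worth doing against this layout before reading debug output: confirm with `show crypto ca certificates` that the issuer of the client machine certificate matches a CA certificate held in a trustpoint on the ASA (a client signed by a CA the ASA has not authenticated will fail validation regardless of the rest of the setup), and confirm `show clock` on the ASA falls inside the validity period of every certificate in the chain, as the post already did.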