Cisco AnyConnect Secure Mobility Client selecting wrong certificate at startup

Unanswered Question
Feb 28th, 2012

I have a problem that is driving me nuts.

Here is the pertinent information first...

Windows 7

Cisco AnyConnect SecureMobility Client 3.0.4235

Cisco ASA 5510 firewall 8.2

The problem is..

...When I log in, the client does its start-up bit, and then displays a "This certificate is intended for the following purpose(s):" message.  If I decline the certificate, it gives me the error message shown in the image, but I can otherwise continue and establish my VPNs with no problem. 

Unfortunately, the certificate it selects has nothing to do with my organization  ( in fact, the certificate is for "*.whitepages.com"  - see images).  To make matters worse, I can not find this referenced certificate anywhere under my user context in Windows.

I have tried removing, rebooting, and re-installing - it does no good.

How do I force the client to stop using this incorrect certificate, and to at least use one that belongs to my organization? 

Thank you,

Charles

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
kmackinnon0075 Fri, 05/04/2012 - 09:54

I have the same issue, al;most exactly - the only difference is that I am using version 2.5.3055 of the AnyConnect client.

When I try to connect to my VPN, I get the same *.whitepages.com certificate coming up, and whether I accept, decline or cancel, I am unable to connect. I CAN connect if I access my VPN using the webvpn link.

Hopefully someone finds a solution for this, because i have a lot of users that connect to my VPN.

Thanks,

bravotom99 Sun, 05/06/2012 - 08:03

Try editing the profile to look for the cert you want.  I have mine looking for certs with a certain ou.

kmackinnon0075 Mon, 05/07/2012 - 07:11

The issue does not seem to be with the user certificate, it seems to be with the site certificate. When I open the AnyConnect client, I have it set to ask which certificate to use. I select my certificate, but it is after that point where the error occurs, as if my ASA is sending out the *.whitepages.com certificate.

I have not made any changes to my certificates since February, and this issue only began on May 4th.

kmackinnon0075 Mon, 05/07/2012 - 07:59

After some more troubleshooting today, I tried a few more steops, and have been successful:

1) I removed my device certificate from the interfaces it was assigned to

2) I completely rebuilt my AnyConnect profile .xml file, and assigned it to the relevant group

3) I reenabled the device certificate on my interfaces.

Once thatw as done, my connections are working properly, and the issue with the *.whitepages.com certificate are gone.

I hope this hels someone else, because this drove me crazy for a few days.

Thanks,

Jason

kmackinnon0075 Tue, 05/08/2012 - 05:09

Another update to this issue:

The *.whitepages certificate has come back. It still only happens when I try to connect to my gateway by FQDN. If I use IP address, I don't have this problem. I have not been able to find any other peson who is experiencing this issue, but it's strange that we would both be having the problem with the same certificate name.

tortugiland Sun, 07/15/2012 - 04:09

Win7 32bit

Client 3.0.08057

ASA5510 8.4(4)1

I have almost the exact same issue. What I think happens is that the anyconnect client list the certificates that are in the user certificate store of the Windows 7 machine. Unfortunately it does display the already installed user certificate from the ASA. I got around this issue by adding Certificate Matching to my client Profile. I used the ISSUER-CN for matching. And now it works smoothly.

rpomerleau Thu, 08/09/2012 - 08:11

I've come across this issue also. I've put in values for Certificate Matching BUT it only applies AFTER the first login attempt. So the first login attempt, it will use the wrong cert, user logs out, then on the second login attempt it reads the newly downloaded connection profile, identifies the certificate matching value, and then denys the login unless the proper certificate is in place.

Actions

Login or Register to take actions

This Discussion

Posted February 28, 2012 at 5:48 AM
Stats:
Replies:7 Avg. Rating:
Views:1634 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard