AnyConnect machine certificate validation error

Hi,

I'm trying to get certificate authentication to work for AnyConnect (3.1.02040) using already existing certificates in the machine store (Windows 7 clients).

I get the choose certificate prompt, but when I choose the correct certificate I just get a "Certificate validation failure" error.

So I tried to install a certificate from my lab CA - also in the machine store. And that worked like a charm.

When comparing the logs from DART - I see the following error message from the non-working certificate:

******************************************

Date        : 07/25/2014
Time        : 11:39:02
Type        : Error
Source      : acvpnui

Description : Function: CTransportWinHttp::SendRequest
File: .\CTransportWinHttp.cpp
Line: 1146
Invoked Function: HttpSendRequest
Return Code: 12186 (0x00002F9A)
Description: WINDOWS_ERROR_CODE

******************************************

After googling I found someone explaining the error code as:

"This is a WinInet/WinHttp error 12xxx will always be one of these.

what it means is you don't have the rights to access the private key for this Client certificate."

Is this correct, and in that case how do I fix the access rights for the certificate?

Thanks,

Charlie 

nkarthikeyan
Level 7

Hi,

Does your workstation have administration rights? If so you need to execute with admin access to do so....


Regards

Karthik

This was my first idea as well, however the new certificate works both with standard user rights and of course admin - however the old certificate doesn't work either way.

Hi Charlie,

Hmmm.... Very strange....  But when you check the old certificate information like the validity / vendor / trusted CA's, something related to the cert... do you see any issue or compatibility issue? Or not matching with the trusted ones?

Regards

Karthik

I've started to look through the certificates again now and stumbled across the "Manage private keys..." option.

The working certificate had a SID with read rights besides the system and administrator rights. So I tried just adding read rights for the domain users group to the old certificate, and it just started working!

Which is weird since it didn't work regardless of running AnyConnect as admin or not. Well well, at least it works. Thanks for taking the time Karthik!
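The fix Charlie describes (adding a Read entry on the certificate's private key through "Manage private keys...") can be audited and applied from PowerShell instead of clicking through every certificate. The script below is an added example, not code from the original thread or from Cisco; it lists each certificate in the local machine Personal store together with the ACL of its on-disk key file, and provides a function that grants Read to one principal. It assumes Windows PowerShell 5.1 or later, RSA keys held in the machine-wide CNG or CAPI key stores under %ProgramData%, and an elevated session (the key directories are not readable by standard users). The principal name in the usage line is a placeholder.

```powershell
# Added example (not from the original thread): audit the ACL on the private-key
# file behind each machine-store certificate, so a key that lacks a Read grant for
# the account AnyConnect runs under stands out without opening every certificate.
# Assumptions: Windows PowerShell 5.1+, RSA keys in the machine CNG/CAPI stores
# under %ProgramData%, elevated session.

$KeyRoots = @(
    (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'),            # CNG (KSP) machine keys
    (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys')  # CAPI (CSP) machine keys
)

# Return the on-disk file name of a certificate's RSA private key, or $null.
function Get-PrivateKeyFileName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            return $rsa.Key.UniqueName                              # CNG key container name
        }
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            return $rsa.CspKeyContainerInfo.UniqueKeyContainerName  # CAPI key container name
        }
    } catch {
        # Key is in hardware, not RSA, or not accessible to this account.
    }
    return $null
}

# List each machine certificate that has a private key, with the ACL of that key file.
function Get-MachineKeyAcl {
    param([string]$Thumbprint)   # optional: restrict to one certificate
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and (-not $Thumbprint -or $_.Thumbprint -eq $Thumbprint) } |
        ForEach-Object {
            $cert = $_
            $name = Get-PrivateKeyFileName -Cert $cert
            $file = $null
            if ($name) {
                $file = Get-ChildItem -Path $KeyRoots -Recurse -File -ErrorAction SilentlyContinue |
                        Where-Object Name -eq $name | Select-Object -First 1
            }
            $access = if ($file) {
                (Get-Acl -Path $file.FullName).Access |
                    ForEach-Object { '{0}: {1} ({2})' -f $_.IdentityReference, $_.FileSystemRights, $_.AccessControlType }
            } else {
                @('<key file not found or not accessible>')
            }
            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                KeyFile    = if ($file) { $file.FullName } else { $null }
                Access     = $access -join '; '
            }
        }
}

# Grant Read on one certificate's key file to one principal; this is what the
# "Manage private keys..." dialog does. Prefer the narrowest group that needs the key.
function Grant-MachineKeyRead {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Principal    # e.g. 'DOMAIN\VPN Users' (placeholder)
    )
    $entry = Get-MachineKeyAcl -Thumbprint $Thumbprint
    if (-not $entry -or -not $entry.KeyFile) { throw "No accessible key file for $Thumbprint" }
    $acl  = Get-Acl -Path $entry.KeyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Principal, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $entry.KeyFile -AclObject $acl
}

# Usage: audit every certificate, then fix a single one by thumbprint.
Get-MachineKeyAcl | Format-List
# Grant-MachineKeyRead -Thumbprint '<thumbprint>' -Principal 'DOMAIN\Domain Users'
```

The audit output makes the difference Charlie saw visible directly: the working certificate's key lists an extra identity with Read, the failing one lists only SYSTEM and Administrators. Running AnyConnect elevated does not help in that situation because the UI process that performs the TLS handshake still runs under the logged-on user's token, which is why the fix is an ACL on the key rather than a change of launch context. Granting Read to a group like Domain Users works, as it did here, but it lets every domain account on the machine use that key for authentication; a group limited to the users who actually need the VPN is the tighter choice.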

Hi Charlie,

Great to hear at last it works!!!

Because the certificates in new devices / systems have such compatibility or some junk issues with older ones......


Regards

Karthik