Had a case at a customer the other day where we are planning to start using machine certificates
to make the VPN more secure.
When we were testing we ran into a problem on two of our test computers.
When starting the VPN connection, the Cisco AnyConnect client failed with the error "Certificate Validation Failure".
We started by looking at the logs in ASDM on the firewall, but nothing showed up.
So did the client even get as far as connecting to the firewall? No!
So I started to look in the Windows event log and found Event ID 36870:
A fatal error occurred when attempting to access the SSL client credential private key.
The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10003.
When I started the Cisco AnyConnect client as administrator it worked,
so it seems we have an access problem with the certificate's private key.
The files we have trouble accessing are stored under C:\ProgramData\Microsoft\Crypto\RSA (in the MachineKeys subfolder).
To fix the access we first need to stop the Cryptographic Services service, adjust the permissions, and start it again.
Start CMD as administrator and run the following commands (or save them as a .cmd file and run that):
net stop CryptSvc
rem Grant Read on the key container folder; (OI) makes the right inherit to the key files inside it
icacls "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" /grant everyone:(OI)R
net start CryptSvc
Do not forget to update the profile.xml file in C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile with the new
one that tells the client to use the certificate before you enable the certificate requirement on the firewall.
If the XML file is not updated, no client will be able to connect.
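As an added example (not from the original post), here is a PowerShell check, run from an elevated prompt, that confirms the Schannel 36870 event, finds the machine certificate's private key file under MachineKeys and lists its ACL, so you can see which identity is missing Read before granting anything. It assumes Windows PowerShell 5.1, a legacy CSP (RSA) key container, and the placeholder issuer name $IssuerMatch.

```powershell
# Added example, not from the original post. Run as administrator.
# Assumptions: Windows PowerShell 5.1, a CSP (RSA) key, issuer name containing $IssuerMatch.
param(
    [string]$IssuerMatch = 'EXAMPLE-ISSUING-CA',   # placeholder: substring of your issuing CA name
    [string]$KeyRoot = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'
)

# 1. Confirm the symptom: recent Schannel 36870 events in the System log.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36870 } `
    -MaxEvents 3 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

# 2. Find the machine certificate that has a private key and matches the issuer.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Issuer -like "*$IssuerMatch*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No machine certificate with a private key matched '$IssuerMatch'." }

# 3. Map the certificate to its on-disk key container file (CSP keys only; CNG keys live elsewhere).
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
if (-not $container) { throw "Certificate $($cert.Thumbprint) does not use a CSP key container." }
$keyFile = Join-Path $KeyRoot $container
if (-not (Test-Path $keyFile)) { throw "Key file not found: $keyFile" }

Write-Host "Certificate : $($cert.Subject) ($($cert.Thumbprint))"
Write-Host "Key file    : $keyFile"

# 4. Show the ACL. The account running AnyConnect must appear, directly or via a group, with Read;
#    if only SYSTEM and Administrators are listed, that is the 0x8009030d cause described above.
(Get-Acl $keyFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Knowing the exact key file lets you grant Read to just that file and just the group that needs it, instead of to Everyone on the whole MachineKeys folder.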