Cisco AnyConnect Certificate Validation Failure.

Had a case at a customer the other day where we are planning to start using machine certificates
to make the VPN more secure.
While testing we ran into a problem on two of our test computers.

When connecting to the VPN, the Cisco AnyConnect client failed with the error "Certificate Validation Failure".


We started by looking at the logs in ASDM on the firewall, but nothing showed up.
So did the client even get as far as connecting to the firewall? No!

So I looked in the Windows event log and found Event ID 36870:

A fatal error occurred when attempting to access the SSL client credential private key.
The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10003.


When I started the Cisco AnyConnect client as admin it worked.
So it seems we have an access error on the certificate's private key.

The files we cannot access are stored in C:\ProgramData\Microsoft\Crypto\RSA.
To be able to fix the access rights we first need to stop the Cryptographic Services service.

Solution:

Start CMD as admin and run the lines below (save them in a .cmd file).

——————————————————

rem Stop Cryptographic Services so the key files are not in use while the ACL is changed
net stop CryptSvc

rem /d also switches drive in case the prompt is not on C:
cd /d C:\ProgramData\Microsoft\Crypto\RSA

rem Grant Everyone read on MachineKeys; (OI) makes the right inherit to every key file
rem in the folder, not only the VPN certificate's key, so narrow it if your policy requires
icacls MachineKeys /grant everyone:(OI)R

net start CryptSvc

——————————————————
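Before widening permissions it helps to know which file under MachineKeys belongs to the VPN machine certificate and whether a standard user can read it. The PowerShell check below is an added example and not code from the original post; it assumes an elevated prompt, PowerShell 3 or later, and a legacy CSP (RSA) key, which is what the Crypto\RSA\MachineKeys path implies.

```powershell
# Added diagnostic, not part of the original post. Run from an elevated prompt.
# For every certificate in the machine store that has a private key, find the key
# container file under Crypto\RSA\MachineKeys (legacy CSP keys, the ones the icacls
# fix touches) and report whether Everyone or BUILTIN\Users is allowed to read it.
# CNG keys are stored elsewhere and are only reported, not checked.
$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$readData    = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$userGroups  = @('Everyone', 'BUILTIN\Users')

function Test-MachineKeyReadable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $csp = $null
    try { $csp = $Cert.PrivateKey } catch { }
    if (-not $csp -or -not $csp.CspKeyContainerInfo) {
        return [pscustomobject]@{ Subject = $Cert.Subject; KeyFile = $null; Readable = 'n/a (CNG key or no access)' }
    }
    # UniqueKeyContainerName is the file name of the key container on disk.
    $keyFile = Join-Path $machineKeys $csp.CspKeyContainerInfo.UniqueKeyContainerName
    if (-not (Test-Path -LiteralPath $keyFile)) {
        return [pscustomobject]@{ Subject = $Cert.Subject; KeyFile = $keyFile; Readable = 'file not found' }
    }

    # A non-admin AnyConnect session needs an Allow ACE with ReadData for a group the
    # user is in; a Deny ACE would override it, so flag those separately.
    $acl   = Get-Acl -LiteralPath $keyFile
    $allow = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($userGroups -contains $_.IdentityReference.Value) -and
        (([int]$_.FileSystemRights) -band $readData)
    }
    $deny  = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }
    $state = if ($deny) { 'Deny ACE present' } elseif ($allow) { 'yes' } else { 'NO - standard users cannot read the key' }
    return [pscustomobject]@{ Subject = $Cert.Subject; KeyFile = $keyFile; Readable = $state }
}

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-MachineKeyReadable -Cert $_ } |
    Format-Table -AutoSize
```

Run it once before and once after the icacls change; the certificate the client will use should move from "NO" to "yes".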

PS !
Do not forget to update the profile.xml file in C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile with the new
one that tells the client to use the certificate, before you enable the certificate requirement.
If the XML file is not updated, no client will be able to connect.

This entry was posted in Scripting, Security, Windows 7.

3 Responses to Cisco AnyConnect Certificate Validation Failure.

  1. Salman says:

    Hi Can you explain this a bit in detail

    “PS !
    Do not forget to update the profile.xml file in C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile with the new
    one that tells the client to use the certificate before you enable the certificate requirements.
    If the xml file is not updated no client will be able to connect.”

  2. Salman says:

    Sorry, forgot to mention, I am using Win 10.

    Error also given below
    “No valid certificates available for authentication”

  3. Christoffer Steding says:

    Hi Salman
    If you just activate the certificate requirement in the ASA and the clients have not been given a chance to update the profile XML file, where it says that it should use the certificate to authenticate, the computer cannot connect to the VPN.

    You can distribute the xml file from the ASA or SCCM or GPO
    When the client connects using VPN it will download a new VPN profile when there is a new one.
    – So step one create a new VPN profile in the ASA
    – Distribute the profile xml file
    – Using SCCM , GPO or have client download it from the ASA next time they connect.

    Remember to test and test and test the solution before you implement it for all users.
