Technical Tip: ZTNA access denied: No ZTNA client certificate was provided
Description
This article describes the issue of ZTNA access being denied due to 'No ZTNA client certificate was provided'.

 
Scope
FortiGate, FortiClient EMS.
Solution
To resolve the issue of ZTNA access being denied due to no ZTNA client certificate being provided, follow these steps:
- As a first step, user verification should be removed. Once done, unregister the endpoint and then re-register it. Re-verify the user to test if the same issue occurs.
To remove the verified users, refer to this document: Verified Users.
To unregister the endpoint, refer to this document: Disconnecting and connecting endpoints.
To register, add the user back, and to verify, refer to this document: Invitations.
- If the issue persists, deregister the endpoint again and mark it as uninstalled.
- On the endpoint side, uninstall FortiClient and use FCRemove.exe to wipe the system clean. Instructions for this process can be found in the KB article: Technical Tip: How to download FortiClient and FCRemove.exe from support.fortinet.com.
- Reboot the system and install the latest stable FortiClient version, and connect it to FortiClient EMS.
- Try accessing the Zero Trust Network Access (ZTNA) destination.
- If the issue persists, collect the following details from the FortiGate and submit a support ticket to the Fortinet TAC Team for further investigation.
diagnose test application fcnacd 7
diagnose test application fcnacd 14
diagnose test application fcnacd 8
diagnose test application fcnacd 15
diagnose test application fcnacd 16
diagnose wad worker policy list
diagnose debug en
diagnose test app wad 2200
diagnose test app wad 101
diagnose wad filter src x.x.x.x <--- Replace x.x.x.x with the Public IP of the Endpoint.
diagnose wad debug enable all
diagnose wad debug enable level verbose
diagnose debug console time en
diagnose debug enable
It is recommended to use SSH software like PuTTY to gather the above debugs, as WAD debugs are extensive and not all details can be captured within the built-in CLI Console of FortiGate. Refer to this KB article to learn more about using PuTTY to capture the command outputs: Technical Tip: How to create a log file of a session using PuTTY.
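For administrators who collect the output from a workstation with the OpenSSH client instead of PuTTY, the following added example (not part of the original article or a Fortinet tool) sends the command list above over SSH and saves the whole session to a file. It assumes the FortiGate accepts CLI commands on standard input; the function names, the admin@fgt.example host, the 120-second capture window and the closing diagnose debug disable / diagnose debug reset commands are additions made here.

```shell
# Added example (assumptions: OpenSSH client; FortiGate accepts CLI commands on stdin).
# Usage after sourcing: capture_ztna_debug admin@fgt.example 203.0.113.10 120

# Accept only a dotted-quad IPv4 so nothing else reaches the FortiGate CLI stream.
valid_ipv4() {
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# Print the article's debug commands with the endpoint's public IP filled in.
build_debug_commands() {
  valid_ipv4 "$1" || { echo "invalid endpoint IP" >&2; return 1; }
  cat <<EOF
diagnose test application fcnacd 7
diagnose test application fcnacd 14
diagnose test application fcnacd 8
diagnose test application fcnacd 15
diagnose test application fcnacd 16
diagnose wad worker policy list
diagnose debug en
diagnose test app wad 2200
diagnose test app wad 101
diagnose wad filter src $1
diagnose wad debug enable all
diagnose wad debug enable level verbose
diagnose debug console time en
diagnose debug enable
EOF
}

# Run the commands over SSH, hold the session open while the ZTNA access is
# retried from the endpoint, then switch debugging off and save everything.
capture_ztna_debug() {
  cmds=$(build_debug_commands "$2") || return 1
  out="ztna-debug-$(date +%Y%m%dT%H%M%S).log"
  (
    umask 077  # keep the capture readable by the current user only
    { printf '%s\n' "$cmds"; sleep "${3:-120}"
      printf 'diagnose debug disable\ndiagnose debug reset\n'; } |
      ssh -T "$1" >"$out" 2>&1
  )
  echo "$out"
}
```

Reproduce the denied ZTNA access from the endpoint while the capture window is open, then attach the resulting log file to the support ticket.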
Related articles:
Technical Tip: FortiClient ZTNA access denied to certain PCs
