Description
This article describes how to configure FortiClient with a user certificate to enable SSL VPN. It includes screenshots of how to modify Microsoft certificate storage to correctly accept Local Machine certificate storage.
The purpose of this KB is to eliminate the Windows 8.0 and 8.1 errors where once the computer is rebooted build-in Administrator group does not have sufficient rights to access imported certificates that are stored under the Local Machine certificate. This error is not seen if Current user certificate storage is used.
Scope
FortiClient on Windows 8.0 and Windows 8.1.
Solution
1. Import user or device certificate and store it under "Local Machine" certificate store.
2. Configure FortiClient SSL VPN with client certificate access and choose computer account imported certificate.
3. Log in to SSL VPN with provided username and password. Before the computer is rebooted FortiClient VPN will work without problems.
Once the computer is rebooted a VPN is initiated and the following error message is shown:
4. To address this problem a new Dedicated group or direct user who will be using this VPN needs to be added with at least Read permissions for imported certificate private key. To perform this Computer account certificate snap-in module needs to be added into Microsoft Management Console (mmc). By default, Administrators group is already linked as member but all users from this group are ignored.
On the following image the dedicated user admin_fortinet is added with read permissions to imported certificate.
5. Once the dedicated user or group is added with certificate permissions VPN can be initiated without problems after machine reboot.