voipdoug
New Contributor II

FortiClient/FortiClientEMS IPSec User Certificate Issues

I have my own CA issuing authority, and we're running EMS 1.0.2 and FortiClient 5.4.1. In a lab we can get the machine cert to be discovered only when we make the local user able to "read-only" the machine root cert; however, we don't want that. We want the IPsec to use the user certificate, but the FortiClient does not seem to be finding the AD-deployed (via GPO) Windows user certificates in their local store.

I have all my certificates in order; it's just that the FortiClient is not finding the locally pushed user certificate. Is anyone having similar issues?

Holy
Contributor

My customer has the issue that he wants to use VPN Before Logon with Windows credentials, but he always has to choose the right certificate because FortiClient somehow cannot save it and does not stop asking for the certificate.

Is it possible for FortiClient managed by an EMS to somehow be configured to ask only once for the certificate and then save it?

Is it possible to log in to SSL VPN with Windows credentials and without having to enter a password each time?

Thanks

NSE 8 

NSE 1 - 7

burtmianus
New Contributor

We're using user-based certificate authentication for our FortiClient connections; our Windows CA is dishing out certificates from a slightly modified template. I copied the "Client Server Authentication" policy and edited the expiry, private key export etc. to match what we needed, but this one shows up and works fine for authentication. I'd hazard a guess that the certificate you are dishing out doesn't have "Client Authentication" set.

 

Or, if you look in the XML of the config file, there is:

<usewincert>1</usewincert>
<use_win_current_user_cert>1</use_win_current_user_cert>
<use_win_local_computer_cert>1</use_win_local_computer_cert>

If you have <use_win_current_user_cert> set to 0 rather than 1, then it will not show any certificates from the user's local store. We have set ours:

<usewincert>1</usewincert>
<use_win_current_user_cert>1</use_win_current_user_cert>
<use_win_local_computer_cert>0</use_win_local_computer_cert>

so it only displays user certificates.

Hope some of that helps.

Don't forget to set up the CRL too and modify the refresh timer!
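A small audit script, added here as an example and not taken from the thread or from Fortinet, that reads the three certificate-store keys named in the reply above out of an exported FortiClient configuration, explains why user-store certificates would be hidden (the symptom in the original question), and rewrites the keys to the user-store-only values the reply uses. The wrapper element name and the flat layout of the sample are assumptions; the key names are the ones quoted in the reply.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the three Windows certificate-store keys quoted in the
# reply, wrapped in a placeholder root element (a real export nests them
# deeper, but the lookups below search the whole tree so that does not matter).
SAMPLE_CONFIG = """<forticlient_configuration>
  <usewincert>1</usewincert>
  <use_win_current_user_cert>0</use_win_current_user_cert>
  <use_win_local_computer_cert>1</use_win_local_computer_cert>
</forticlient_configuration>"""

CERT_STORE_KEYS = ("usewincert", "use_win_current_user_cert",
                   "use_win_local_computer_cert")

# Values from the reply: consult the Windows stores, offer the user's
# certificates, and hide the machine store.
USER_CERTS_ONLY = {"usewincert": "1", "use_win_current_user_cert": "1",
                   "use_win_local_computer_cert": "0"}


def read_cert_store_settings(xml_text):
    """Return {key: value-or-None} for the three store keys, wherever they sit."""
    root = ET.fromstring(xml_text)
    found = {}
    for key in CERT_STORE_KEYS:
        el = root.find(f".//{key}")
        found[key] = el.text.strip() if el is not None and el.text else None
    return found


def audit_user_cert_visibility(xml_text):
    """List the reasons a user-store certificate would not be offered."""
    s = read_cert_store_settings(xml_text)
    findings = []
    if s["usewincert"] != "1":
        findings.append("usewincert is not 1: Windows stores are not consulted at all")
    if s["use_win_current_user_cert"] != "1":
        findings.append("use_win_current_user_cert is not 1: user-store certificates are hidden")
    if s["use_win_local_computer_cert"] == "1":
        findings.append("use_win_local_computer_cert is 1: machine-store certificates are offered too")
    return findings


def set_user_certs_only(xml_text):
    """Rewrite (or add) the three keys so only user-store certificates are shown."""
    root = ET.fromstring(xml_text)
    for key, value in USER_CERTS_ONLY.items():
        el = root.find(f".//{key}")
        if el is None:            # key absent from this export: add it under the root
            el = ET.SubElement(root, key)
        el.text = value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_user_cert_visibility(SAMPLE_CONFIG):
        print("-", finding)
    print(set_user_certs_only(SAMPLE_CONFIG))
```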
