Hello all,
We just upgraded to FortiClient 7.2.4 and having a strange issue, not sure if this is a bug or if there is some configuration change we can make to prevent this.
We are using SAML login, but for some reason FortiClient keeps trying to use certificates that exist in the users personal certificate sore that are totally unrelated to our VPN. We have never used certificate based authentication, its not even configured on the firewall. But for some reason when we try to connect using SAML it fails and the log below is generated in the certificates log for Forticlient. If i disable single sign-on and just connect with un/pw then it works fine and the certificate issue doesnt happen.
This is happening on a per-user basis, meaning that on the same computer with the same exact configuration if 2 different users try to use FortiClient it will work for 1 but not the other. I found that the issue is related to certificates
existing in the User's personal certificate store. If I move the certificates out of the personal store then the VPN start working as expected. Obviously this is not a good solution as the certificates are needed for other software.
Need to figure out how to prevent FortiClient from trying these other random certificates that exist.
I explained some more symptoms of the issue here - https://community.fortinet.com/t5/Support-Forum/FortiClient-VPN-Error-6005/td-p/303566
Searching CERTS_ENUM_SMARTCARDS
Looking for certs with and without pvt keys
Certificates_EnumTunnelCerts called. isSSL=1 includeLocations=65535 bMustHavePvtKey=0
Certificates_EnumTunnelCerts 490 sec_get_account_type()=520214896
Certificates_EnumTunnelCerts 493 sec_get_user_type()=0
Certificates_EnumTunnelCerts shadow_mode_enabled=502
Certificates_EnumTunnelCerts - looking in user store.
Certificates_EnumTunnelCerts - not looking in computer store.
Certificates_EnumTunnelCerts - looking on smartcards.
Certificates_EnumTunnelCerts call Certificates_LoadFilters
Certificates_LoadFilters tunnelName=3a7a5770, isSSL=1 &filters=000000E833BFCB70, &nFilters=000000E833BFCB78
Certificates_LoadFilters Open software\Fortinet\FortiClient\Sslvpn\Tunnels\MFA VPN
Certificates_LoadFilters Opened software\Fortinet\FortiClient\Sslvpn\Tunnels\MFA VPN
Searching CERTS_ENUM_USER_STORE
Looking for certs with and without pvt keys
Cert "Adobe Intermediate CA 10-3\Adobe Content Certificate 10-5" has OIDs:
2.5.29.15
2.5.29.19
Cert "Adobe Intermediate CA 10-3\Adobe Content Certificate 10-5" - ACCEPT
Cert "Adobe Root CA 10-3\Adobe Intermediate CA 10-3" has OIDs:
2.5.29.15
2.5.29.19
Cert "Adobe Root CA 10-3\Adobe Intermediate CA 10-3" - ACCEPT
Cert "Adobe Root CA 10-3\Adobe Intermediate CA 10-4" has OIDs:
2.5.29.15
2.5.29.19
Cert "Adobe Root CA 10-3\Adobe Intermediate CA 10-4" - ACCEPT
Cert "Adobe Intermediate CA 10-4\Adobe Content Certificate 10-6" has OIDs:
2.5.29.15
2.5.29.19
Cert "Adobe Intermediate CA 10-4\Adobe Content Certificate 10-6" - ACCEPT
Searching CERTS_ENUM_SMARTCARDS
Looking for certs with and without pvt keys
Certificates_GetCertificateFromJSON 753
Certificates_GetCertificateFromJSON 762
Certificates_GetCertificateFromJSON 768 thumbprint=906CC149415780CFB79F39E1CF449F87CA6D4D16
Certificates_GetCertificateFromJSON 775 source=1
Certificates_GetCertificateFromJSON 781
Certificates_GetCertificate 612 hStoreHandle=000002645940A0F0
Certificates_GetCertificate 727 bFoundCert=1
Certificates_GetCertificateFromJSON 753
Certificates_GetCertificateFromJSON 762
Certificates_GetCertificateFromJSON 768 thumbprint=906CC149415780CFB79F39E1CF449F87CA6D4D16
Certificates_GetCertificateFromJSON 775 source=1
Certificates_GetCertificateFromJSON 781
Certificates_GetCertificate 612 hStoreHandle=0000026459427020
Certificates_GetCertificate 727 bFoundCert=1
Can you share the specific certificate error. My guess is that you imported the ssl inspection certificate from the gate a while back when not in 7.4...into your machine , hence no errors prior. Then you updated the gate, new cert was generated and you have not trusted that on your pc. Just a hunch.
I can confirm that issue. Same issue with saml (Azure) login. FortiClient connects to 40% then ask for smartcard but doesn't accept one (we use smartcard for windows login).
No more requests for smartcard after rollback to 7.2.3. (so, seems not to be an server issue)
Smartcard needed (but only on some systems in the company) when upgrade to 7.2.4 again
Error shown in FortiClient:
The exact error is: FortiClient The server you want to connect to requests identification, please choose a certificate and try again. (- "6005)"
We did not update our FortiGate, the FortiGate has remained on the same version (7.0.3).
We were previously running FortiClient 7.0.2.090 and SAML login was working fine.
After installing FortiClient 7.2.4.0972 SAML throws a certificate error for any user that has certificates in their Personal Certificate store. It doesn't matter if the certificate in the Personal Certificate store is for Adobe, Exchange, or anything else, FortiClient seems to be trying it and picking it up. If I manually remove all certificates from the Personal Certificates store for the user then it works correctly, but obviously that breaks their other software.
Pretty sure it is a bug, even though certificate-based authentication is not enabled, it still seems to be searching for and trying the certificates from the Personal Certificates store.
Wondering if there is a way to disable the certificate based authentication altogether in FortiClient. Certificate Authentication is already disabled on the FortiGate.
Hello,
Have you found a solution for this please ?
Regards
Rakesh
I encountered the same issue after updating to 7.2; I was able to get connection to complete when I selected my personal certificate.
It looks as though zero trust may be baked into the latest version of the FortiClient.
My question is how do we get the connection to work if client certificate is not enabled for the SSL-VPN settings on the FortiGate?
First workaround:
I delete any user certificate except fct.... and our AD internal certificate from my usercertificates mmc
There were some from adobe - don't know why...
Afterwords login works without user cerificate request
Checked mine, exact same scenario. Personal certificate store had my personal cert for encryption, an Admin Center cert and about 8 from Adobe. I don't know where the Adobe ones came from either, but removing just those eight appears to have taken care of the problem.
Question is how I apply this solution to all the user devices with the least amount of administrative overhead or user interaction required.
What if the certificates are being used for the software? Like the Adobe certificates are probably tied to a digital signature for that user.
Deleting the certificates from the personal store is a workaround that has other potential side-effects.
The correct solution would be to fix the bug that is causing FortiClient to keep trying every personal certificate even when its configured not to.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1736 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.