Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Forticlient 7.2.4 trying to use certificates w...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Forticlient 7.2.4 trying to use certificates when not configured
Hello all,
We just upgraded to FortiClient 7.2.4 and having a strange issue, not sure if this is a bug or if there is some configuration change we can make to prevent this.
We are using SAML login, but for some reason FortiClient keeps trying to use certificates that exist in the users personal certificate sore that are totally unrelated to our VPN. We have never used certificate based authentication, its not even configured on the firewall. But for some reason when we try to connect using SAML it fails and the log below is generated in the certificates log for Forticlient. If i disable single sign-on and just connect with un/pw then it works fine and the certificate issue doesnt happen.
This is happening on a per-user basis, meaning that on the same computer with the same exact configuration if 2 different users try to use FortiClient it will work for 1 but not the other. I found that the issue is related to certificates
existing in the User's personal certificate store. If I move the certificates out of the personal store then the VPN start working as expected. Obviously this is not a good solution as the certificates are needed for other software.
Need to figure out how to prevent FortiClient from trying these other random certificates that exist.
I explained some more symptoms of the issue here - https://community.fortinet.com/t5/Support-Forum/FortiClient-VPN-Error-6005/td-p/303566
Searching CERTS_ENUM_SMARTCARDS
Looking for certs with and without pvt keys
Certificates_EnumTunnelCerts called. isSSL=1 includeLocations=65535 bMustHavePvtKey=0
Certificates_EnumTunnelCerts 490 sec_get_account_type()=520214896
Certificates_EnumTunnelCerts 493 sec_get_user_type()=0
Certificates_EnumTunnelCerts shadow_mode_enabled=502
Certificates_EnumTunnelCerts - looking in user store.
Certificates_EnumTunnelCerts - not looking in computer store.
Certificates_EnumTunnelCerts - looking on smartcards.
Certificates_EnumTunnelCerts call Certificates_LoadFilters
Certificates_LoadFilters tunnelName=3a7a5770, isSSL=1 &filters=000000E833BFCB70, &nFilters=000000E833BFCB78
Certificates_LoadFilters Open software\Fortinet\FortiClient\Sslvpn\Tunnels\MFA VPN
Certificates_LoadFilters Opened software\Fortinet\FortiClient\Sslvpn\Tunnels\MFA VPN
Searching CERTS_ENUM_USER_STORE
Looking for certs with and without pvt keys
Cert "Adobe Intermediate CA 10-3\Adobe Content Certificate 10-5" has OIDs:
2.5.29.15
2.5.29.19
Cert "Adobe Intermediate CA 10-3\Adobe Content Certificate 10-5" - ACCEPT
Cert "Adobe Root CA 10-3\Adobe Intermediate CA 10-3" has OIDs:
2.5.29.15
2.5.29.19
Cert "Adobe Root CA 10-3\Adobe Intermediate CA 10-3" - ACCEPT
Cert "Adobe Root CA 10-3\Adobe Intermediate CA 10-4" has OIDs:
2.5.29.15
2.5.29.19
Cert "Adobe Root CA 10-3\Adobe Intermediate CA 10-4" - ACCEPT
Cert "Adobe Intermediate CA 10-4\Adobe Content Certificate 10-6" has OIDs:
2.5.29.15
2.5.29.19
Cert "Adobe Intermediate CA 10-4\Adobe Content Certificate 10-6" - ACCEPT
Searching CERTS_ENUM_SMARTCARDS
Looking for certs with and without pvt keys
Certificates_GetCertificateFromJSON 753
Certificates_GetCertificateFromJSON 762
Certificates_GetCertificateFromJSON 768 thumbprint=906CC149415780CFB79F39E1CF449F87CA6D4D16
Certificates_GetCertificateFromJSON 775 source=1
Certificates_GetCertificateFromJSON 781
Certificates_GetCertificate 612 hStoreHandle=000002645940A0F0
Certificates_GetCertificate 727 bFoundCert=1
Certificates_GetCertificateFromJSON 753
Certificates_GetCertificateFromJSON 762
Certificates_GetCertificateFromJSON 768 thumbprint=906CC149415780CFB79F39E1CF449F87CA6D4D16
Certificates_GetCertificateFromJSON 775 source=1
Certificates_GetCertificateFromJSON 781
Certificates_GetCertificate 612 hStoreHandle=0000026459427020
Certificates_GetCertificate 727 bFoundCert=1
Labels:
- Labels:
-
FortiClient
39233
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
30 REPLIES 30
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have the same issue, definitely a bug that needs to be resolved by Fortinet.
Deleting only the Adobe personal certificates was enough as a workaround (we have kept other certificates and have no problems).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Same issue here.
In our case the certs are used by our developers and we cannot delete them.
The only thing that might be related to this is that 2 weeks agos I did some testing with Cert authentication on the Fortigate, but deleted everything related to these testing since then, and rebooted the fortigate as well. Could it be possible that the fortigate is configuring an option that is not obvious to see and that is still in our config ?
Is this the case for some of you ?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also DavidAno did you find a workaround for this ?
We opened a ticket yesterday with Fortinet. Let's see how it goes.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Same exact issue here :( Just upgraded to 7.2.4 and getting the same error. There were no certs though in the user store so not sure where to go from here :(
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Exact same issue and even by rolling back to 7.2.3.0929 did not fix the issue of all our machines. For now if we are lucky we can select any certificate and this seems to work for now.
=> Fortinet, please release a fix very quickly as we have many users impacted
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Submitting a ticket with Fortinet Support, help me resolve the issue.
Originally I was using 7.0.9, so uninstalled the latest release ( 7.2.4) and rolled back to 7.0.11. The connection is being established as before (no certificate required)
Mind you, since I 'm using the free version of the FortiClient is support is limited. Hopefully someone using the paid version will open a ticket and get a better solution to this certificate problem.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just sent my logs to support. Let's see what they will tell me. I'll post a response here
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I send my logs a week before now - waiting for response
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have the same issue. We also have the problem that the reconnect no longer works. When we lost the connection we have an Connection-Loop.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I heard back from TAC today. They are aware of the issue and are working on the fix. The workaround is to move user certificates from the user personal store to the trusted root authority store.
I'd like to thanks the participants of this thread for providing a workaround to the issue, this is a frustrating one.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
Labels
-
FortiGate
8,431 -
FortiClient
1,703 -
5.2
801 -
FortiManager
708 -
5.4
639 -
FortiAnalyzer
543 -
FortiSwitch
456 -
FortiAP
456 -
6.0
416 -
FortiClient EMS
405 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
211 -
FortiWeb
199 -
5.0
196 -
IPsec
183 -
FortiNAC
175 -
FortiGuard
135 -
6.4
128 -
SD-WAN
109 -
FortiGateCloud
100 -
FortiSIEM
98 -
FortiCloud Products
95 -
FortiToken
89 -
FortiAuthenticator
83 -
Customer Service
77 -
Wireless Controller
75 -
Firewall policy
70 -
4.0MR3
64 -
FortiProxy
59 -
FortiADC
53 -
Fortivoice
52 -
High Availability
51 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
39 -
BGP
38 -
LDAP
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Authentication
31 -
Interface
31 -
SSO
30 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
Application control
25 -
FortiGate v5.2
24 -
VDOM
24 -
Logging
24 -
Web profile
23 -
Virtual IP
22 -
FortiPAM
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
IP address management - IPAM
14 -
FortiSOAR
13 -
SSID
13 -
Static route
13 -
System settings
13 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Traffic shaping policy
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1645 | |
| 1070 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.