- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Forticlient 7.2.4 trying to use certificates w...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Forticlient 7.2.4 trying to use certificates when not configured
Hello all,
We just upgraded to FortiClient 7.2.4 and having a strange issue, not sure if this is a bug or if there is some configuration change we can make to prevent this.
We are using SAML login, but for some reason FortiClient keeps trying to use certificates that exist in the users personal certificate sore that are totally unrelated to our VPN. We have never used certificate based authentication, its not even configured on the firewall. But for some reason when we try to connect using SAML it fails and the log below is generated in the certificates log for Forticlient. If i disable single sign-on and just connect with un/pw then it works fine and the certificate issue doesnt happen.
This is happening on a per-user basis, meaning that on the same computer with the same exact configuration if 2 different users try to use FortiClient it will work for 1 but not the other. I found that the issue is related to certificates
existing in the User's personal certificate store. If I move the certificates out of the personal store then the VPN start working as expected. Obviously this is not a good solution as the certificates are needed for other software.
Need to figure out how to prevent FortiClient from trying these other random certificates that exist.
I explained some more symptoms of the issue here - https://community.fortinet.com/t5/Support-Forum/FortiClient-VPN-Error-6005/td-p/303566
Searching CERTS_ENUM_SMARTCARDS
Looking for certs with and without pvt keys
Certificates_EnumTunnelCerts called. isSSL=1 includeLocations=65535 bMustHavePvtKey=0
Certificates_EnumTunnelCerts 490 sec_get_account_type()=520214896
Certificates_EnumTunnelCerts 493 sec_get_user_type()=0
Certificates_EnumTunnelCerts shadow_mode_enabled=502
Certificates_EnumTunnelCerts - looking in user store.
Certificates_EnumTunnelCerts - not looking in computer store.
Certificates_EnumTunnelCerts - looking on smartcards.
Certificates_EnumTunnelCerts call Certificates_LoadFilters
Certificates_LoadFilters tunnelName=3a7a5770, isSSL=1 &filters=000000E833BFCB70, &nFilters=000000E833BFCB78
Certificates_LoadFilters Open software\Fortinet\FortiClient\Sslvpn\Tunnels\MFA VPN
Certificates_LoadFilters Opened software\Fortinet\FortiClient\Sslvpn\Tunnels\MFA VPN
Searching CERTS_ENUM_USER_STORE
Looking for certs with and without pvt keys
Cert "Adobe Intermediate CA 10-3\Adobe Content Certificate 10-5" has OIDs:
2.5.29.15
2.5.29.19
Cert "Adobe Intermediate CA 10-3\Adobe Content Certificate 10-5" - ACCEPT
Cert "Adobe Root CA 10-3\Adobe Intermediate CA 10-3" has OIDs:
2.5.29.15
2.5.29.19
Cert "Adobe Root CA 10-3\Adobe Intermediate CA 10-3" - ACCEPT
Cert "Adobe Root CA 10-3\Adobe Intermediate CA 10-4" has OIDs:
2.5.29.15
2.5.29.19
Cert "Adobe Root CA 10-3\Adobe Intermediate CA 10-4" - ACCEPT
Cert "Adobe Intermediate CA 10-4\Adobe Content Certificate 10-6" has OIDs:
2.5.29.15
2.5.29.19
Cert "Adobe Intermediate CA 10-4\Adobe Content Certificate 10-6" - ACCEPT
Searching CERTS_ENUM_SMARTCARDS
Looking for certs with and without pvt keys
Certificates_GetCertificateFromJSON 753
Certificates_GetCertificateFromJSON 762
Certificates_GetCertificateFromJSON 768 thumbprint=906CC149415780CFB79F39E1CF449F87CA6D4D16
Certificates_GetCertificateFromJSON 775 source=1
Certificates_GetCertificateFromJSON 781
Certificates_GetCertificate 612 hStoreHandle=000002645940A0F0
Certificates_GetCertificate 727 bFoundCert=1
Certificates_GetCertificateFromJSON 753
Certificates_GetCertificateFromJSON 762
Certificates_GetCertificateFromJSON 768 thumbprint=906CC149415780CFB79F39E1CF449F87CA6D4D16
Certificates_GetCertificateFromJSON 775 source=1
Certificates_GetCertificateFromJSON 781
Certificates_GetCertificate 612 hStoreHandle=0000026459427020
Certificates_GetCertificate 727 bFoundCert=1
Labels:
- Labels:
-
FortiClient
28 REPLIES 28
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Same issue here.
In our case the certs are used by our developers and we cannot delete them.
The only thing that might be related to this is that 2 weeks agos I did some testing with Cert authentication on the Fortigate, but deleted everything related to these testing since then, and rebooted the fortigate as well. Could it be possible that the fortigate is configuring an option that is not obvious to see and that is still in our config ?
Is this the case for some of you ?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also DavidAno did you find a workaround for this ?
We opened a ticket yesterday with Fortinet. Let's see how it goes.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Same exact issue here :( Just upgraded to 7.2.4 and getting the same error. There were no certs though in the user store so not sure where to go from here :(
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Exact same issue and even by rolling back to 7.2.3.0929 did not fix the issue of all our machines. For now if we are lucky we can select any certificate and this seems to work for now.
=> Fortinet, please release a fix very quickly as we have many users impacted
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Submitting a ticket with Fortinet Support, help me resolve the issue.
Originally I was using 7.0.9, so uninstalled the latest release ( 7.2.4) and rolled back to 7.0.11. The connection is being established as before (no certificate required)
Mind you, since I 'm using the free version of the FortiClient is support is limited. Hopefully someone using the paid version will open a ticket and get a better solution to this certificate problem.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just sent my logs to support. Let's see what they will tell me. I'll post a response here
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I send my logs a week before now - waiting for response
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have the same issue. We also have the problem that the reconnect no longer works. When we lost the connection we have an Connection-Loop.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I heard back from TAC today. They are aware of the issue and are working on the fix. The workaround is to move user certificates from the user personal store to the trusted root authority store.
I'd like to thanks the participants of this thread for providing a workaround to the issue, this is a frustrating one.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Having the same issue. Rolled back to 7.2.3 to fix it for now.
Related Posts
Labels
-
FortiGate
6,675 -
FortiClient
1,329 -
5.2
801 -
5.4
639 -
FortiManager
577 -
FortiAnalyzer
422 -
6.0
416 -
5.6
362 -
FortiSwitch
342 -
FortiAP
339 -
FortiClient EMS
272 -
FortiMail
259 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
159 -
6.4
128 -
FortiNAC
109 -
FortiGuard
106 -
FortiSIEM
92 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
79 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
67 -
4.0MR3
64 -
Wireless Controller
58 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
30 -
SD-WAN
30 -
Firewall policy
29 -
High Availability
24 -
FortiConnect
24 -
VLAN
22 -
FortiWAN
22 -
FortiConverter
21 -
FortiAuthenticator
20 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Interface
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Logging
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
10 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
Authentication
8 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSO
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.