DavidAno
New Contributor II

Forticlient 7.2.4 trying to use certificates when not configured

Hello all,

We just upgraded to FortiClient 7.2.4 and are having a strange issue; not sure if this is a bug or if there is some configuration change we can make to prevent this.

We are using SAML login, but for some reason FortiClient keeps trying to use certificates that exist in the user's personal certificate store that are totally unrelated to our VPN. We have never used certificate-based authentication; it's not even configured on the firewall. But for some reason when we try to connect using SAML it fails and the log below is generated in the certificates log for FortiClient. If I disable single sign-on and just connect with un/pw then it works fine and the certificate issue doesn't happen.

This is happening on a per-user basis, meaning that on the same computer with the same exact configuration, if 2 different users try to use FortiClient it will work for 1 but not the other. I found that the issue is related to certificates existing in the user's personal certificate store. If I move the certificates out of the personal store then the VPN starts working as expected. Obviously this is not a good solution as the certificates are needed for other software.

Need to figure out how to prevent FortiClient from trying these other random certificates that exist.

I explained some more symptoms of the issue here: https://community.fortinet.com/t5/Support-Forum/FortiClient-VPN-Error-6005/td-p/303566


Searching CERTS_ENUM_SMARTCARDS
Looking for certs with and without pvt keys
Certificates_EnumTunnelCerts called. isSSL=1 includeLocations=65535 bMustHavePvtKey=0
Certificates_EnumTunnelCerts 490 sec_get_account_type()=520214896
Certificates_EnumTunnelCerts 493 sec_get_user_type()=0
Certificates_EnumTunnelCerts shadow_mode_enabled=502
Certificates_EnumTunnelCerts - looking in user store.
Certificates_EnumTunnelCerts - not looking in computer store.
Certificates_EnumTunnelCerts - looking on smartcards.
Certificates_EnumTunnelCerts call Certificates_LoadFilters
Certificates_LoadFilters tunnelName=3a7a5770, isSSL=1 &filters=000000E833BFCB70, &nFilters=000000E833BFCB78
Certificates_LoadFilters Open software\Fortinet\FortiClient\Sslvpn\Tunnels\MFA VPN
Certificates_LoadFilters Opened software\Fortinet\FortiClient\Sslvpn\Tunnels\MFA VPN

Searching CERTS_ENUM_USER_STORE
Looking for certs with and without pvt keys
Cert "Adobe Intermediate CA 10-3\Adobe Content Certificate 10-5" has OIDs:
  2.5.29.15
  2.5.29.19
Cert "Adobe Intermediate CA 10-3\Adobe Content Certificate 10-5" - ACCEPT
Cert "Adobe Root CA 10-3\Adobe Intermediate CA 10-3" has OIDs:
  2.5.29.15
  2.5.29.19
Cert "Adobe Root CA 10-3\Adobe Intermediate CA 10-3" - ACCEPT
Cert "Adobe Root CA 10-3\Adobe Intermediate CA 10-4" has OIDs:
  2.5.29.15
  2.5.29.19
Cert "Adobe Root CA 10-3\Adobe Intermediate CA 10-4" - ACCEPT
Cert "Adobe Intermediate CA 10-4\Adobe Content Certificate 10-6" has OIDs:
  2.5.29.15
  2.5.29.19
Cert "Adobe Intermediate CA 10-4\Adobe Content Certificate 10-6" - ACCEPT

Searching CERTS_ENUM_SMARTCARDS
Looking for certs with and without pvt keys
Certificates_GetCertificateFromJSON 753
Certificates_GetCertificateFromJSON 762
Certificates_GetCertificateFromJSON 768 thumbprint=906CC149415780CFB79F39E1CF449F87CA6D4D16
Certificates_GetCertificateFromJSON 775 source=1
Certificates_GetCertificateFromJSON 781
Certificates_GetCertificate 612 hStoreHandle=000002645940A0F0
Certificates_GetCertificate 727 bFoundCert=1
Certificates_GetCertificateFromJSON 753
Certificates_GetCertificateFromJSON 762
Certificates_GetCertificateFromJSON 768 thumbprint=906CC149415780CFB79F39E1CF449F87CA6D4D16
Certificates_GetCertificateFromJSON 775 source=1
Certificates_GetCertificateFromJSON 781
Certificates_GetCertificate 612 hStoreHandle=0000026459427020
Certificates_GetCertificate 727 bFoundCert=1
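An added diagnostic, not FortiClient's own code, that reproduces on a Windows host what the CERTS_ENUM_USER_STORE pass in the log above would see: every certificate in the current user's Personal store with its extension OIDs, private-key status and CA flag, plus whether a per-tunnel key exists at the registry path the log opens. The tunnel name and the HKLM/HKCU hive are assumptions, and the actual filter rule FortiClient applies is not documented on this page.

```powershell
# Added diagnostic (not FortiClient code). Assumes Windows PowerShell with the Cert: drive.
param(
    # Tunnel name taken from the log's Certificates_LoadFilters line (assumption: yours may differ)
    [string]$TunnelName = 'MFA VPN'
)

# The OIDs the log printed before every ACCEPT: 2.5.29.15 = Key Usage, 2.5.29.19 = Basic Constraints
$loggedOids = @('2.5.29.15', '2.5.29.19')

# Mirror the log: user store only, certs with and without private keys
$userCerts = Get-ChildItem -Path Cert:\CurrentUser\My

$report = foreach ($cert in $userCerts) {
    $oids = @($cert.Extensions | ForEach-Object { $_.Oid.Value })
    $bc   = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    [pscustomobject]@{
        Subject           = $cert.Subject
        Issuer            = $cert.Issuer
        Thumbprint        = $cert.Thumbprint
        HasPrivateKey     = $cert.HasPrivateKey
        # CA certs (like the Adobe intermediates in the log) normally belong outside the Personal store
        IsCA              = [bool]($bc | Where-Object { $_.CertificateAuthority })
        ExtensionOids     = ($oids -join ' ')
        # Same OID pair the log showed on each ACCEPTed cert (assumption: the real filter is undocumented)
        MatchesLoggedOids = (@($loggedOids | Where-Object { $oids -contains $_ }).Count -eq $loggedOids.Count)
    }
}
$report | Sort-Object -Property MatchesLoggedOids -Descending | Format-Table -AutoSize

# Report whether a per-tunnel filter key exists at the path the log opens.
# Assumption: the log does not show the hive, so both HKLM and HKCU are checked.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $key = Join-Path $hive "Software\Fortinet\FortiClient\Sslvpn\Tunnels\$TunnelName"
    if (Test-Path -Path $key) {
        Write-Host "Filter key present: $key"
        Get-ItemProperty -Path $key | Format-List
    } else {
        Write-Host "No filter key at: $key"
    }
}
```

Certificates flagged IsCA are the kind of chain members the log enumerates; the original poster reports the VPN works once such certificates are out of the Personal store, so this listing shows which ones are involved on a given user profile.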

spoojary
Staff

It is a known issue: 1008116
Fix schedule: 7.2.5, 7.4.0


Siddhanth Poojary
Daagvandermeer

When to expect?

RCTBD
New Contributor

This is still occurring with 7.2.8 on a 40F and with 7.0.14 on a 120G 

AdmiralSYN-Ackbar

There's a special build of FortiClient that TAC gave me after I opened a ticket on this that resolves the issue.

jip

OK, good news. Any idea if that build will be released soon, or do we all have to contact TAC?

AdmiralSYN-Ackbar

They didn't give me an ETA on general release. I got this a couple of weeks ago, so it's probably worth opening a ticket on rather than waiting if you are in need of it.

ereta

In case anyone is interested, I downloaded the "Online Installer" of FortiClient VPN from the following site and then ran it in "Repair" mode, which seems to have solved the issue.

https://www.fortinet.com/support/product-downloads#:~:text=How%20to%20Buy-,FortiClient%20VPN,-The%20...

8a
New Contributor

Hi,
Could you share the link to that fixed version?

Zoyashah
New Contributor II

Forticlient 7.2.4 is attempting to utilize certificates despite lacking proper configuration, leading to potential authentication errors and security vulnerabilities. Our technical team is investigating this issue to rectify the misconfiguration promptly. By ensuring proper certificate setup and alignment with security protocols mugs, we aim to mitigate risks associated with unauthorized access and data breaches. Resolving this issue is critical to maintaining the integrity and effectiveness of our network security measures.
