Hello all,
We just upgraded to FortiClient 7.2.4 and having a strange issue, not sure if this is a bug or if there is some configuration change we can make to prevent this.
We are using SAML login, but for some reason FortiClient keeps trying to use certificates that exist in the users personal certificate sore that are totally unrelated to our VPN. We have never used certificate based authentication, its not even configured on the firewall. But for some reason when we try to connect using SAML it fails and the log below is generated in the certificates log for Forticlient. If i disable single sign-on and just connect with un/pw then it works fine and the certificate issue doesnt happen.
This is happening on a per-user basis, meaning that on the same computer with the same exact configuration if 2 different users try to use FortiClient it will work for 1 but not the other. I found that the issue is related to certificates
existing in the User's personal certificate store. If I move the certificates out of the personal store then the VPN start working as expected. Obviously this is not a good solution as the certificates are needed for other software.
Need to figure out how to prevent FortiClient from trying these other random certificates that exist.
I explained some more symptoms of the issue here - https://community.fortinet.com/t5/Support-Forum/FortiClient-VPN-Error-6005/td-p/303566
Searching CERTS_ENUM_SMARTCARDS
Looking for certs with and without pvt keys
Certificates_EnumTunnelCerts called. isSSL=1 includeLocations=65535 bMustHavePvtKey=0
Certificates_EnumTunnelCerts 490 sec_get_account_type()=520214896
Certificates_EnumTunnelCerts 493 sec_get_user_type()=0
Certificates_EnumTunnelCerts shadow_mode_enabled=502
Certificates_EnumTunnelCerts - looking in user store.
Certificates_EnumTunnelCerts - not looking in computer store.
Certificates_EnumTunnelCerts - looking on smartcards.
Certificates_EnumTunnelCerts call Certificates_LoadFilters
Certificates_LoadFilters tunnelName=3a7a5770, isSSL=1 &filters=000000E833BFCB70, &nFilters=000000E833BFCB78
Certificates_LoadFilters Open software\Fortinet\FortiClient\Sslvpn\Tunnels\MFA VPN
Certificates_LoadFilters Opened software\Fortinet\FortiClient\Sslvpn\Tunnels\MFA VPN
Searching CERTS_ENUM_USER_STORE
Looking for certs with and without pvt keys
Cert "Adobe Intermediate CA 10-3\Adobe Content Certificate 10-5" has OIDs:
2.5.29.15
2.5.29.19
Cert "Adobe Intermediate CA 10-3\Adobe Content Certificate 10-5" - ACCEPT
Cert "Adobe Root CA 10-3\Adobe Intermediate CA 10-3" has OIDs:
2.5.29.15
2.5.29.19
Cert "Adobe Root CA 10-3\Adobe Intermediate CA 10-3" - ACCEPT
Cert "Adobe Root CA 10-3\Adobe Intermediate CA 10-4" has OIDs:
2.5.29.15
2.5.29.19
Cert "Adobe Root CA 10-3\Adobe Intermediate CA 10-4" - ACCEPT
Cert "Adobe Intermediate CA 10-4\Adobe Content Certificate 10-6" has OIDs:
2.5.29.15
2.5.29.19
Cert "Adobe Intermediate CA 10-4\Adobe Content Certificate 10-6" - ACCEPT
Searching CERTS_ENUM_SMARTCARDS
Looking for certs with and without pvt keys
Certificates_GetCertificateFromJSON 753
Certificates_GetCertificateFromJSON 762
Certificates_GetCertificateFromJSON 768 thumbprint=906CC149415780CFB79F39E1CF449F87CA6D4D16
Certificates_GetCertificateFromJSON 775 source=1
Certificates_GetCertificateFromJSON 781
Certificates_GetCertificate 612 hStoreHandle=000002645940A0F0
Certificates_GetCertificate 727 bFoundCert=1
Certificates_GetCertificateFromJSON 753
Certificates_GetCertificateFromJSON 762
Certificates_GetCertificateFromJSON 768 thumbprint=906CC149415780CFB79F39E1CF449F87CA6D4D16
Certificates_GetCertificateFromJSON 775 source=1
Certificates_GetCertificateFromJSON 781
Certificates_GetCertificate 612 hStoreHandle=0000026459427020
Certificates_GetCertificate 727 bFoundCert=1
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Having the same issue. Rolled back to 7.2.3 to fix it for now.
It is a known issue : 1008116
Fix Schedule: 7.2.5, 7.4.0
When to Expext?
This is still occurring with 7.2.8 on a 40F and with 7.0.14 on a 120G
There's a special build of FortiClient that TAC gave me after I opened a ticket on this that resolves the issue.
OK Good news. Any idea if that build will be realesed soon or we all have to contact TAC?
They didn't give me an ETA on general release. I got this a couple of weeks ago, so it's probably worth opening a ticket on rather than waiting if you are in need of it.
In case anyone is interested, I downloaded the "Online Installer" of FortiClient VPN from the following site, and then run it in "Repair" mode, that seems to have solved the issue.
Hi,
Could you share the link to that fixed version?
Any news?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1660 | |
1077 | |
752 | |
443 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.