We had a PC with a working Forticlient setup that recently stopped working. It gets stuck at 40% with the error "The server you want to connect to request identification, please chose a certificate and try again (-5)." I've read all over the forum and I've already tried:
- Ensured Internet Options have TLS 1.0, 1.1 and 1.2 enabled.
- Uninstalled and reinstalled Forticlient using latest versions (7.01.0083)
- Tried to restore a previously known good configuration
- Ensured there is no "hidden window" for certificate authorization*
The same credentials work on other PCs so the issue seems to be on one PC (have a second PC with similar symptoms but haven't triaged that one yet). From the "bad" PC, we've tried accessing multiple gateways, all get the same error. So there seems to be something awry with this PC. As far as I know we don't use any certificates, at least nothing that didn't come preinstalled. It is possible when the problem first showed up that there was a popup window and we accidentally hit "no" on the certificate authorization, but I would have figured a clean uninstall / reinstall would have cleared that flag. It is almost like this PC corrupted itself in a way a fresh install didn't fix.
Any suggestions would be appreciated. We're at a loss here.
Are you using LDAP or Local?
If LDAP you can try resetting the password and try again.
Usually this is because of incorrect credentials.
Hey MFahmi,
FYI, the same credentials work on at least three other machines (but we did reset the password anyway to no effect). There is something on this one PC that is somehow broken. The FortiClient VPN was used on a nearly daily basis for 2-3 years without issue, broke a few days ago, and hasn't worked since even with successive uninstall / install of FortiClient (with reboots in between for good measure), restoring configs from old working and from external machines, debug settings, etc.
The original error reported certificate issues, which from reading are sometimes masked as TLS version support issues. So I think I'm looking for something that could result in the same "certificate error" message from FortiClient, or some way the certificate is corrupted on this one machine.
Or I'm utterly confused, which is a nonzero possibility too.
John
So, having the same issue with multiple Windows 11 machines. Background:
Use FGTs, 6.4.8 firmware. Forticlients ranging from 6.4.7 to 7.0.2.
Affected machines are running Windows 11. They all run well for a month or so, then after a random update cycle, the Forticlient stalls at 40% with no successful connections from that point on. Again, this isn't a random subset of Windows 11, this is ALL 3 machines that have been running Windows 11 (two were 10 to 11 upgrades, and my test machine is a clean install from ISO).
This was noted in the security logs:
- System
- Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {<redacted>}
EventID 5061
Version 0
Level 0
Task 12290
Opcode 0
Keywords 0x8010000000000000
- TimeCreated
[ SystemTime] 2022-05-25T00:14:05.5675258Z
EventRecordID 885204
Correlation
- Execution
[ ProcessID] 1124
[ ThreadID] 8564
Channel Security
Computer <redacted>
Security
- EventData
SubjectUserSid S-1-5-21-<redacted>
SubjectUserName karnold
SubjectDomainName <redacted>
SubjectLogonId 0x102e73
ProviderName Microsoft Software Key Storage Provider
AlgorithmName RSA
KeyName te-VPNUser-<redacted>
KeyType %%2500
Operation %%2480
ReturnCode 0x80090016
As for the Fortigate logs:
[280:root:1af]allocSSLConn:297 sconn 0x7f9fe63f00 (0:root)
[280:root:1af]SSL state:before SSL initialization (<redacted>)
[280:root:1af]SSL state:before SSL initialization:DH lib(<redacted>)
[280:root:1af]SSL_accept failed, 5:(null)
[280:root:1af]Destroy sconn 0x7f9fe63f00, connSize=6. (root)
[281:root:1af]allocSSLConn:297 sconn 0x7f9fe79b00 (0:root)
[281:root:1af]SSL state:before SSL initialization (<redacted>)
[281:root:1af]SSL state:before SSL initialization (<redacted>)
[281:root:1af]got SNI server name: vpn-aus.<redacted> realm (null)
[281:root:1af]client cert requirement: yes
[281:root:1af]SSL state:SSLv3/TLS read client hello (<redacted>)
[281:root:1af]SSL state:SSLv3/TLS write server hello (<redacted>)
[281:root:1af]SSL state:SSLv3/TLS write change cipher spec (<redacted>)
[281:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[281:root:1af]SSL state:TLSv1.3 early data:system lib(<redacted>)
[281:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[281:root:1af]got SNI server name: vpn-aus.<redacted> realm (null)
[281:root:1af]client cert requirement: yes
[281:root:1af]SSL state:SSLv3/TLS read client hello (<redacted>)
[281:root:1af]SSL state:SSLv3/TLS write server hello (<redacted>)
[281:root:1af]SSL state:TLSv1.3 write encrypted extensions (<redacted>)
[281:root:1af]SSL state:SSLv3/TLS write certificate request (<redacted>)
[281:root:1af]SSL state:SSLv3/TLS write certificate (<redacted>)
[281:root:1af]SSL state:TLSv1.3 write server certificate verify (<redacted>)
[281:root:1af]SSL state:SSLv3/TLS write finished (<redacted>)
[281:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[281:root:1af]SSL state:TLSv1.3 early data:system lib(<redacted>)
[281:root:1af]SSL state:TLSv1.3 early data:DH lib(<redacted>)
[281:root:1af]SSL_accept failed, 5:(null)
[281:root:1af]Destroy sconn 0x7f9fe79b00, connSize=5. (root)
[282:root:1af]allocSSLConn:297 sconn 0x7fa0a1f600 (0:root)
[282:root:1af]SSL state:before SSL initialization (<redacted>)
[282:root:1af]SSL state:before SSL initialization:DH lib(<redacted>)
[282:root:1af]SSL_accept failed, 5:(null)
[282:root:1af]Destroy sconn 0x7fa0a1f600, connSize=1. (root)
[283:root:1af]allocSSLConn:297 sconn 0x7f9fdc0a00 (0:root)
[283:root:1af]SSL state:before SSL initialization (<redacted>)
[283:root:1af]SSL state:before SSL initialization (<redacted>)
[283:root:1af]got SNI server name: vpn-aus.<redacted> realm (null)
[283:root:1af]client cert requirement: yes
[283:root:1af]SSL state:SSLv3/TLS read client hello (<redacted>)
[283:root:1af]SSL state:SSLv3/TLS write server hello (<redacted>)
[283:root:1af]SSL state:SSLv3/TLS write change cipher spec (<redacted>)
[283:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[283:root:1af]SSL state:TLSv1.3 early data:system lib(<redacted>)
[283:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[283:root:1af]got SNI server name: vpn-aus.<redacted> realm (null)
[283:root:1af]client cert requirement: yes
[283:root:1af]SSL state:SSLv3/TLS read client hello (<redacted>)
[283:root:1af]SSL state:SSLv3/TLS write server hello (<redacted>)
[283:root:1af]SSL state:TLSv1.3 write encrypted extensions (<redacted>)
[283:root:1af]SSL state:SSLv3/TLS write certificate request (<redacted>)
[283:root:1af]SSL state:SSLv3/TLS write certificate (<redacted>)
[283:root:1af]SSL state:TLSv1.3 write server certificate verify (<redacted>)
[283:root:1af]SSL state:SSLv3/TLS write finished (<redacted>)
[283:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[283:root:1af]SSL state:TLSv1.3 early data:system lib(<redacted>)
[283:root:1af]SSL state:TLSv1.3 early data:DH lib(<redacted>)
[283:root:1af]SSL_accept failed, 5:(null)
[283:root:1af]Destroy sconn 0x7f9fdc0a00, connSize=1. (root)
[284:root:1af]allocSSLConn:297 sconn 0x7f9fddcf00 (0:root)
[284:root:1af]SSL state:before SSL initialization (<redacted>)
[284:root:1af]SSL state:before SSL initialization (<redacted>)
[284:root:1af]got SNI server name: vpn-aus.<redacted> realm (null)
[284:root:1af]client cert requirement: yes
[284:root:1af]SSL state:SSLv3/TLS read client hello (<redacted>)
[284:root:1af]SSL state:SSLv3/TLS write server hello (<redacted>)
[284:root:1af]SSL state:SSLv3/TLS write change cipher spec (<redacted>)
[284:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[284:root:1af]SSL state:TLSv1.3 early data:system lib(<redacted>)
[284:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[284:root:1af]got SNI server name: vpn-aus.<redacted> realm (null)
[284:root:1af]client cert requirement: yes
[284:root:1af]SSL state:SSLv3/TLS read client hello (<redacted>)
[284:root:1af]SSL state:SSLv3/TLS write server hello (<redacted>)
[284:root:1af]SSL state:TLSv1.3 write encrypted extensions (<redacted>)
[284:root:1af]SSL state:SSLv3/TLS write certificate request (<redacted>)
[284:root:1af]SSL state:SSLv3/TLS write certificate (<redacted>)
[284:root:1af]SSL state:TLSv1.3 write server certificate verify (<redacted>)
[284:root:1af]SSL state:SSLv3/TLS write finished (<redacted>)
[284:root:1af]SSL state:TLSv1.3 early data (<redacted>)
[284:root:1af]SSL state:TLSv1.3 early data:system lib(<redacted>)
[284:root:1af]SSL state:TLSv1.3 early data:DH lib(<redacted>)
[284:root:1af]SSL_accept failed, 5:(null)
[284:root:1af]Destroy sconn 0x7f9fddcf00, connSize=0. (root)
[285:root:1ae]allocSSLConn:297 sconn 0x7f9fd53100 (0:root)
[285:root:1ae]SSL state:before SSL initialization (<redacted>)
[285:root:1ae]SSL state:before SSL initialization:DH lib(<redacted>)
[285:root:1ae]SSL_accept failed, 5:(null)
[285:root:1ae]Destroy sconn 0x7f9fd53100, connSize=0. (root)
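An added diagnostic for the Event 5061 entry above, not code from this thread or from Fortinet: ReturnCode 0x80090016 is NTE_BAD_KEYSET, meaning the key container named in KeyName could not be opened, so this PowerShell checks whether each certificate in the user's personal store has a private key that can actually be opened and used to sign, and lists recent 5061 audit failures. It assumes an RSA client certificate in Cert:\CurrentUser\My and an elevated session for the Security log part.

```powershell
function Test-UserCertPrivateKeys {
    # Constructed probe bytes; we only care whether signing throws.
    $probe = [System.Text.Encoding]::ASCII.GetBytes('key-probe')
    foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
        $status = 'no private key'
        if ($cert.HasPrivateKey) {
            # HasPrivateKey only means the cert is linked to a key container; the
            # container itself may be missing or inaccessible (what 0x80090016 reports).
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($null -eq $rsa) {
                    $status = 'non-RSA key (not probed)'
                } else {
                    [void]$rsa.SignData($probe,
                        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
                    $status = 'private key usable'
                }
            } catch {
                $status = "private key NOT usable: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Status     = $status
        }
    }
}

function Get-KeyOpenFailures {
    param([int]$Days = 7)
    # Event 5061 = "Cryptographic operation" audit; reading Security needs elevation.
    $filter = @{ LogName = 'Security'; Id = 5061; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ReturnCode -ne '0x0') {   # 0x0 is success; anything else is a failed key operation
            [pscustomobject]@{
                Time = $e.TimeCreated; User = $d.SubjectUserName; Key = $d.KeyName
                Provider = $d.ProviderName; ReturnCode = $d.ReturnCode
            }
        }
    }
}

Test-UserCertPrivateKeys | Format-Table -AutoSize
Get-KeyOpenFailures | Format-Table -AutoSize
```

A certificate that shows as present but reports "private key NOT usable" matches the symptom in the thread, where the client cannot answer the gateway's "write certificate request" and SSL_accept fails.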
Did you look behind the FortiClient window for a "pop-under" with the cert warning?
No pop-ups. Goes to 40%, stalls, fails with the error:
The server you want to connect to requests identification, please choose a certificate and try again. (-5).
The certificate was working prior to the updates, and you can see clearly in the login page it is selected.
Hi Karnold,
I've been watching your posts with interest, but I don't have anything useful to add. I managed to get my computer up/running with the original OEM OS, but after installing the first update, forticlient goes back to 40% "please chose a certificate" error. Previously I'd been running fine for years and kept up to date with the latest OS updates until this issue happened.
If you do find a solution, please post it and let us (me) know. Thanks!
hi there
same here, since yesterday afternoon the same issue. We can't log in to our SSL VPN. I found out it has something to do with our domain users on our devices. If I log in with a local user on the same notebook, it works. Maybe a policy, but can't figure out which...
Were you guys able to fix this? We're having the same issue with the only person in our organization that is using Windows 11.
Hi ThiOliveria,
No, I have not found any real solution. When I reinstalled the OEM Windows environment, Forticlient logged in without any issues as it had done for years earlier. However, the first Windows update patch broke it again with the same error (40% progress, bad certificate error). Unfortunately, the first update is a big one and it is hard to "back out" that patch without reinstalling the entire OS, so I've kept the machine alive living on the OEM image with all of its foibles.
I try to monitor the postings looking for a fix, but so far I've not seen anything. Please share if you find any leads.