We had a PC with a working Forticlient setup that recently stopped working. It gets stuck at 40% with the error "The server you want to connect to request identification, please chose a certificate and try again (-5)." I've read all over the forum and I've already tried:
- Ensured Internet Options have TLS 1.0, 1.1 and 1.2 enabled.
- Uninstalled and reinstalled Forticlient using latest versions (7.01.0083)
- Tried to restore previously know good configuration
- Ensured there is no "hidden window" for certificate authorization*
The same credentials work on other PCs so the issue seems to be on one PC (have a second PC with similar symptoms but haven't triaged that one yet). From the "bad" PC, we've tried accessing multiple gateways, all get the same error. So there seems to be something awry with this PC. As far as I know we don't use any certificates, at least nothing didn't come preinstalled. It is possible when the problem first showed up that there was a popup window and we hit accidentally hit "no" on the certificate authorization, but I would have figured a clean uninstall / reinstall would have cleared that flag. It is almost like this PC corrupted itself in a way a fresh install didn't fix.
Any suggestions would be appreciated. We're at a loss here.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I apologize on the necro-bump here, but it's been an outstanding issue. Opened a ticket with Fortigate, and they've pushed the issue back on us. The issue seems to be how Windows 11 stores its private keys. Instead of keeping them locally, they're stored in AD, and are periodically synced with the OS. If you don't check into AD for a period of time (or if your OS is patched) the keys require refreshing, and until they check back in, the cert won't work with Forticlient. Can't really blame Fortinet for the Microsoft change in behavior, but something needs to get changed to fix this issue, else we're blocked from Windows 11.
Upgraded from 6.4.8 to 6.4.9 FOS to fix a bug and am experiencing the same issue as described here. We are using SAML for login with no certificate requirement. Randomly has the error about the cert, sometimes saying VPN server unreachable, sometimes just stalls at 98% and silently fails. Open case with Fortinet but not sure where it will end-up.
Hi,
Did you ever get a reply from Fortinet?
We tried various client versions of the 6 and 7 branch, but could not find one that works reliably.
We found that if one repeats the connection attempts, one eventually gets connected.
Thank you
I Have the solution to this issue. Follow the step to fix stuck issues and share every one
installed offline forti client FortiClientVPNSetup_6.4.5.1657_x64 and try the stuck issue not coming after these steps.
I Have the solution to this issue. Follow the step to fix stuck issues and share every one
installed offline Forti client FortiClientVPNSetup_6.4.5.1657_x64 and try the stuck issue not coming after these steps.
I realize this is an old post, but I recently had a similar problem and I'll add my solution as it may benefit others. I'm running Forticlient version 7.2.4.0972 on Windows 11. The difference between this case and mine is that I received an unwanted certificate popup.
What solved the issue for me was deleting my personal certificates from the Windows certificate store. Even though I had not selected the option to authenticate with certificates, it appears that the Forticlient software was enforcing the certificate popup when it found certs in the Windows cert store. The only certs I needed to delete were in my "Personal" certificate store, and they were also visible in the certificate dropdown of the Forticlient VPN setup interface. When I deleted the certs, they were no longer visible in the setup dropdown and the authentication completed successfully.
I believe this is a bug, and I hope it gets fixed in future releases.
Amazing, thank you so much for this. I wish Fortinet wolud communicate this fix to customers so we don't have to rely on the good will of community forum members.
Hi, did you remove only the FCT certificate or all the personal certificates?
Hi,
Thank you for this. It helped me to find this kind of solution:
Good old registry hack:
HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\Sslvpn
create or edit these three (3) REG_DWORD:
DisallowInvalidServerCert 0
no_warn_invalid_cert 0
show_auth_cert_only 1
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1086 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.