Support Forum
DavidAno
New Contributor II

Forticlient 7.2.4 trying to use certificates when not configured

Hello all,

We just upgraded to FortiClient 7.2.4 and are having a strange issue; not sure if this is a bug or if there is some configuration change we can make to prevent this.

We are using SAML login, but for some reason FortiClient keeps trying to use certificates that exist in the user's personal certificate store that are totally unrelated to our VPN. We have never used certificate-based authentication; it's not even configured on the firewall. But for some reason when we try to connect using SAML it fails and the log below is generated in the certificates log for FortiClient. If I disable single sign-on and just connect with un/pw then it works fine and the certificate issue doesn't happen.

This is happening on a per-user basis, meaning that on the same computer with the same exact configuration, if 2 different users try to use FortiClient it will work for 1 but not the other. I found that the issue is related to certificates existing in the user's personal certificate store. If I move the certificates out of the personal store then the VPN starts working as expected. Obviously this is not a good solution as the certificates are needed for other software.

Need to figure out how to prevent FortiClient from trying these other random certificates that exist.

I explained some more symptoms of the issue here - https://community.fortinet.com/t5/Support-Forum/FortiClient-VPN-Error-6005/td-p/303566

 

 

 

 

Searching CERTS_ENUM_SMARTCARDS
Looking for certs with and without pvt keys
Certificates_EnumTunnelCerts called. isSSL=1 includeLocations=65535 bMustHavePvtKey=0
Certificates_EnumTunnelCerts 490 sec_get_account_type()=520214896
Certificates_EnumTunnelCerts 493 sec_get_user_type()=0
Certificates_EnumTunnelCerts shadow_mode_enabled=502
Certificates_EnumTunnelCerts - looking in user store.
Certificates_EnumTunnelCerts - not looking in computer store.
Certificates_EnumTunnelCerts - looking on smartcards.
Certificates_EnumTunnelCerts call Certificates_LoadFilters
Certificates_LoadFilters tunnelName=3a7a5770, isSSL=1 &filters=000000E833BFCB70, &nFilters=000000E833BFCB78
Certificates_LoadFilters Open software\Fortinet\FortiClient\Sslvpn\Tunnels\MFA VPN
Certificates_LoadFilters Opened software\Fortinet\FortiClient\Sslvpn\Tunnels\MFA VPN

Searching CERTS_ENUM_USER_STORE
Looking for certs with and without pvt keys
Cert "Adobe Intermediate CA 10-3\Adobe Content Certificate 10-5" has OIDs:
  2.5.29.15
  2.5.29.19
Cert "Adobe Intermediate CA 10-3\Adobe Content Certificate 10-5" - ACCEPT
Cert "Adobe Root CA 10-3\Adobe Intermediate CA 10-3" has OIDs:
  2.5.29.15
  2.5.29.19
Cert "Adobe Root CA 10-3\Adobe Intermediate CA 10-3" - ACCEPT
Cert "Adobe Root CA 10-3\Adobe Intermediate CA 10-4" has OIDs:
  2.5.29.15
  2.5.29.19
Cert "Adobe Root CA 10-3\Adobe Intermediate CA 10-4" - ACCEPT
Cert "Adobe Intermediate CA 10-4\Adobe Content Certificate 10-6" has OIDs:
  2.5.29.15
  2.5.29.19
Cert "Adobe Intermediate CA 10-4\Adobe Content Certificate 10-6" - ACCEPT

Searching CERTS_ENUM_SMARTCARDS
Looking for certs with and without pvt keys
Certificates_GetCertificateFromJSON 753
Certificates_GetCertificateFromJSON 762
Certificates_GetCertificateFromJSON 768 thumbprint=906CC149415780CFB79F39E1CF449F87CA6D4D16
Certificates_GetCertificateFromJSON 775 source=1
Certificates_GetCertificateFromJSON 781
Certificates_GetCertificate 612 hStoreHandle=000002645940A0F0
Certificates_GetCertificate 727 bFoundCert=1
Certificates_GetCertificateFromJSON 753
Certificates_GetCertificateFromJSON 762
Certificates_GetCertificateFromJSON 768 thumbprint=906CC149415780CFB79F39E1CF449F87CA6D4D16
Certificates_GetCertificateFromJSON 775 source=1
Certificates_GetCertificateFromJSON 781
Certificates_GetCertificate 612 hStoreHandle=0000026459427020
Certificates_GetCertificate 727 bFoundCert=1
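The log above shows the enumeration running with bMustHavePvtKey=0 and accepting certificates whose only extensions are keyUsage (2.5.29.15) and basicConstraints (2.5.29.19), i.e. CA and content-signing certificates that could never serve as a client-authentication credential. The following script is an added example (not from this thread, FortiClient or Fortinet) that reproduces that view of the CurrentUser\My store and flags, per certificate, why it is not a plausible VPN client credential: no private key, basicConstraints says it is a CA, or no Client Authentication EKU (1.3.6.1.5.5.7.3.2). The store path and the verdict rules are this example's own assumptions.

```powershell
# Added example: triage of the user's Personal store, reporting which entries a
# "with and without private keys" enumeration would see and why each one cannot
# be a client-auth credential. Not FortiClient's own logic.

function Get-PersonalStoreCertificateTriage {
    [CmdletBinding()]
    param(
        # Assumption: the "user store" in the log is CurrentUser\My.
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # Typed extension objects for the two OIDs the log prints, plus EKU.
        $basic = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' } |
            Select-Object -First 1
        $eku   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
            Select-Object -First 1

        $isCa = $false
        if ($basic) {
            $isCa = ([System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]$basic).CertificateAuthority
        }

        $hasClientAuth = $false
        if ($eku) {
            $usages = ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$eku).EnhancedKeyUsages
            $hasClientAuth = [bool]($usages | Where-Object { $_.Value -eq $clientAuthOid })
        }

        # Collect the reasons this entry should never be offered as a VPN credential.
        $reasons = @()
        if (-not $cert.HasPrivateKey) { $reasons += 'no private key' }
        if ($isCa)                    { $reasons += 'CA certificate (basicConstraints)' }
        if (-not $hasClientAuth)      { $reasons += 'no Client Authentication EKU' }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            ExtensionOids = ($cert.Extensions | ForEach-Object { $_.Oid.Value }) -join ' '
            HasPrivateKey = $cert.HasPrivateKey
            IsCA          = $isCa
            ClientAuthEKU = $hasClientAuth
            Verdict       = if ($reasons.Count -eq 0) { 'plausible client credential' }
                            else { 'not a client credential: ' + ($reasons -join '; ') }
        }
    }
}

# Usage: run in the affected user's session, then compare Subject/Issuer with the
# "Cert ..." lines in FortiClient's certificates log.
Get-PersonalStoreCertificateTriage | Format-Table Subject, HasPrivateKey, IsCA, ClientAuthEKU, Verdict -AutoSize
```

Entries that come back as "no private key" and "CA certificate" are the ones the log still marks ACCEPT; that comparison is the quickest way to confirm on another machine that the same class of certificate is being picked up, before deciding what to relocate.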

 

27 REPLIES
uraksha2
New Contributor

Can you share the specific certificate error? My guess is that you imported the SSL inspection certificate from the gate a while back when not in 7.4 into your machine, hence no errors prior. Then you updated the gate, a new cert was generated and you have not trusted that on your PC. Just a hunch.
RBT
New Contributor II

I can confirm that issue. Same issue with SAML (Azure) login. FortiClient connects to 40% then asks for a smartcard but doesn't accept one (we use smartcards for Windows login).

No more requests for a smartcard after rollback to 7.2.3 (so it seems not to be a server issue).

Smartcard needed (but only on some systems in the company) when upgrading to 7.2.4 again.

Error shown in FortiClient:

09.03.2024 12:19:55
SSL-VPN
The server you want to connect to requests identification, please choose a certificate and try again. (-6006)

But we have never configured our FortiGate to request user identification, and Azure login uses FIDO2.
We also sometimes run into an issue with 7.2.4: login via user/pw and FortiToken gets stuck at 40% (same systems that have issues with SAML login).
Some systems work fine independent of which login method is used.

 

 

DavidAno
New Contributor II

The exact error is: FortiClient The server you want to connect to requests identification, please choose a certificate and try again. (-6005)

 

We did not update our FortiGate, the FortiGate has remained on the same version (7.0.3).  

We were previously running FortiClient 7.0.2.090 and SAML login was working fine.

 

After installing FortiClient 7.2.4.0972, SAML throws a certificate error for any user that has certificates in their Personal Certificate store. It doesn't matter if the certificate in the Personal Certificate store is for Adobe, Exchange, or anything else; FortiClient seems to be trying it and picking it up. If I manually remove all certificates from the Personal Certificates store for the user then it works correctly, but obviously that breaks their other software.

 

Pretty sure it is a bug, even though certificate-based authentication is not enabled, it still seems to be searching for and trying the certificates from the Personal Certificates store.

 

Wondering if there is a way to disable certificate-based authentication altogether in FortiClient. Certificate authentication is already disabled on the FortiGate.

MichelleT
New Contributor

I encountered the same issue after updating to 7.2; I was able to get connection to complete when I selected my personal certificate. 

 

It looks as though zero trust may be baked into the latest version of the FortiClient. 

 

My question is how do we get the connection to work if client certificate is not enabled in the SSL-VPN settings on the FortiGate?

RBT
New Contributor II

First workaround:

I deleted every user certificate except fct.... and our AD internal certificate from my user certificates MMC.

There were some from Adobe - don't know why...

Afterwards login works without a user certificate request.

technomancer_101

Checked mine, exact same scenario. Personal certificate store had my personal cert for encryption, an Admin Center cert and about 8 from Adobe. I don't know where the Adobe ones came from either, but removing just those eight appears to have taken care of the problem.

MichelleT

Question is how I apply this solution to all the user devices with the least amount of administrative overhead or user interaction required.

DavidAno
New Contributor II

What if the certificates are being used for the software?   Like the Adobe certificates are probably tied to a digital signature for that user.

Deleting the certificates from the personal store is a workaround that has other potential side-effects.

 

The correct solution would be to fix the bug that is causing FortiClient to keep trying every personal certificate even when it's configured not to.

hd-systems
New Contributor

We have the same issue, definitely a bug that needs to be resolved by Fortinet.

 

Deleting only the Adobe personal certificates was enough as a workaround (we have kept other certificates and have no problems).
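MichelleT asked how to apply the workaround fleet-wide with minimal user interaction, and DavidAno pointed out that deleting the Adobe certificates can break the software that installed them. The script below is an added example (not from this thread, Fortinet or Adobe) that takes the middle road: it moves certificates whose issuer matches a pattern out of CurrentUser\My into another CurrentUser store instead of deleting them, and by default refuses to touch anything that has a private key, since those are the user's real credentials. The destination store (CurrentUser\CA, Intermediate Certification Authorities), the issuer pattern `CN=Adobe`, and the claim that relocated certificates remain usable for chain building from that store are this example's assumptions; test with a pilot user before deploying as a user-context logon or Intune script.

```powershell
# Added example: relocate (not delete) matching certificates from the user's
# Personal store so a "search everything in My" enumeration no longer sees them.
# Runs in the affected user's context; supports -WhatIf for a dry run.

function Move-UserCertificateOutOfPersonalStore {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Regex applied to the issuer DN, e.g. 'CN=Adobe' (assumed pattern).
        [Parameter(Mandatory = $true)]
        [string]$IssuerPattern,

        # Assumption: CurrentUser\CA is a sensible home for intermediate/content
        # certificates; 'Root' would trigger a trust prompt and is deliberately avoided.
        [string]$DestinationStoreName = 'CA',

        # Safety: entries with a private key are the user's own credentials and are
        # skipped unless explicitly included.
        [switch]$IncludeWithPrivateKey
    )

    $loc = [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser
    $rw  = [System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite
    $src = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', $loc)
    $dst = New-Object System.Security.Cryptography.X509Certificates.X509Store($DestinationStoreName, $loc)

    $src.Open($rw)
    $dst.Open($rw)
    try {
        $moved = New-Object System.Collections.Generic.List[string]
        # Snapshot the collection first; removing while enumerating would break it.
        foreach ($cert in @($src.Certificates)) {
            if ($cert.Issuer -notmatch $IssuerPattern) { continue }
            if ($cert.HasPrivateKey -and -not $IncludeWithPrivateKey) {
                Write-Verbose "Skipping $($cert.Subject) [$($cert.Thumbprint)]: has private key"
                continue
            }
            $target = "$($cert.Subject) [$($cert.Thumbprint)]"
            if ($PSCmdlet.ShouldProcess($target, "Move from CurrentUser\My to CurrentUser\$DestinationStoreName")) {
                # Add to the destination first so a failure never leaves the cert nowhere.
                $dst.Add($cert)
                $src.Remove($cert)
                $moved.Add($cert.Thumbprint)
            }
        }
        return $moved.ToArray()   # thumbprints actually moved (empty under -WhatIf)
    }
    finally {
        $src.Close()
        $dst.Close()
    }
}

# Dry run first, then the real move. Log the returned thumbprints centrally so
# the change can be reversed per user if needed.
Move-UserCertificateOutOfPersonalStore -IssuerPattern 'CN=Adobe' -WhatIf -Verbose
$movedThumbprints = Move-UserCertificateOutOfPersonalStore -IssuerPattern 'CN=Adobe' -Verbose
$movedThumbprints
```

Because the stores are per-user, this has to run as the logged-on user (a GPO user logon script or an Intune PowerShell script set to run in user context), which also means it needs no admin rights. Keeping the returned thumbprints gives a reversal path: the same certificates can be added back to CurrentUser\My from the CA store if Adobe's software turns out to require them there.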
