KB Article | Forcepoint Support

Problem Description

Forcepoint VPN Client supports certificate authentication. The certificate used for this may be either imported to the client GUI on the Certificates tab, or may exist in Windows certificate store (certmgr.msc).

The certificate that is used to authenticate the user is selected in the VPN Client GUI:
  1. Right-click context menu of the gateway.
  2. Under Authentication, click Certificates.
All certificates that exist in the GUI and in the Personal Windows certificate store are selectable here.

The default Certificate ID that is used during authentication is E-mail, which is included in the certificate Subject Alternative Name field.

When a certificate is imported to the GUI, its Certificate ID can be switched between E-mail and Subject Name in the certificate's right-click context menu. The Subject Name is taken from the certificate Common Name field.
When the certificate used exists in the Windows certificate store, the default E-mail Certificate ID is always used.

The Certificate ID is sent to the gateway as the IKE ID and is used by the gateway to look up the user in the default LDAP domain. The gateway then runs an LDAP query asking whether a user exists whose mail attribute matches the provided IKE ID.

If several certificates with the same Subject Alternative Name exist on the same machine, the VPN Client may select the wrong key for authentication, and authentication fails. The client may show the error: User Authentication failed. Invalid Algorithm specified.
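The following PowerShell diagnostic is an added example, not part of the Forcepoint article: it lists certificates with a private key whose e-mail Certificate ID (Subject Alternative Name rfc822Name, or the Subject E= attribute) is shared by more than one certificate, which is the condition that triggers the wrong-key selection above, and reports whether the full Distinguished Name would still tell them apart (the basis of the Subject Name / UseDNWithSC approach). The store paths checked are an assumption; the VPN Client GUI's own imported certificates are not visible to this script.

```powershell
# Added diagnostic (not Forcepoint code): find certificates that share the same
# e-mail Certificate ID, and check whether their Subject DNs are unique.
function Find-DuplicateEmailCertificates {
    param(
        # Assumption: the client reads from the Personal store of the user and/or the machine.
        [string[]]$StorePaths = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]

    # Only certificates with a private key are candidates for VPN authentication.
    $certs = foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.HasPrivateKey }
    }

    $rows = foreach ($c in $certs) {
        # EmailName looks at the SAN rfc822Name first, then the Subject E= attribute.
        $email = $c.GetNameInfo($nameType::EmailName, $false)
        if ([string]::IsNullOrEmpty($email)) { continue }
        [pscustomobject]@{
            Email      = $email.ToLowerInvariant()
            CommonName = $c.GetNameInfo($nameType::SimpleName, $false)  # sent as IKE ID with Subject Name
            Subject    = $c.Subject                                      # full DN used for key selection
            Issuer     = $c.Issuer
            NotAfter   = $c.NotAfter
            Thumbprint = $c.Thumbprint
            Store      = $c.PSParentPath -replace '^.*::'
        }
    }

    # Any e-mail value carried by more than one certificate is ambiguous for the client.
    $rows | Group-Object -Property Email | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        $uniqueDNs = @($_.Group.Subject | Sort-Object -Unique).Count
        [pscustomobject]@{
            Email        = $_.Name
            Count        = $_.Count
            ResolvedByDN = ($uniqueDNs -eq $_.Count)   # $true: Subject Name selection disambiguates
            Certificates = $_.Group | Select-Object Store, CommonName, Subject, Issuer, NotAfter, Thumbprint
        }
    }
}

Find-DuplicateEmailCertificates | Format-List
```

An empty result means no duplicate e-mail Certificate IDs exist in the checked stores; ResolvedByDN set to $false means even the Subject Name approach will not separate that group and the extra certificate must be removed.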

Resolution

Solution 1
If all of the certificates with identical Subject Alternative Name exist in the VPN Client GUI, delete the extra certificates from the GUI.

Solution 2
If one of the certificates with identical Subject Alternative Name exists in the VPN Client GUI and the other exists in the Windows certificate store, and you wish to authenticate using the certificate in the Windows certificate store, change the GUI certificate's Certificate ID to Use to Subject Name. The client then selects the correct key based on the now unique Subject Alternative Name.

Solution 3
If one of the certificates with identical Subject Alternative Name exists in the VPN Client GUI and the other exists in the Windows certificate store, and you wish to authenticate using the certificate in the VPN Client GUI, there are two options:
  • Change the GUI certificate's Certificate ID to Use to Subject Name so that the correct key is selected and the client presents the Common Name as the IKE ID; also apply the LDAP server attribute change from Solution 4.
  • Keep the GUI certificate's Certificate ID as E-mail, but apply the registry change from Solution 4 to change the default Certificate ID.
Such extra certificates, which have the user's E-mail address as Subject Alternative Name, may be created automatically in the Windows certificate store by Skype for Business (formerly named Lync).

Solution 4
If all of the certificates with identical Subject Alternative Name exist in the Windows certificate store and you wish to authenticate using one of those, change the default Certificate ID to Subject Name by closing the VPN Client and adding the following value to the Windows registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Forcepoint\Stonesoft VPN Client\Startup
"UseDNWithSC"=dword:00000001

Note: Be careful when making changes to the Windows registry and consider creating a backup before doing so.

As the registry value name suggests, the client now uses the whole Distinguished Name to identify the key. Only the Common Name part of the DN is sent to the gateway as the IKE ID. The Distinguished Name is normally unique between certificates, so this ensures that the correct key is used in authentication.

The side effect on the gateway side is that, after the change, the user is looked up in LDAP by the provided Common Name value and no longer by the e-mail value in the Subject Alternative Name. To make the corresponding change on the gateway side so that it queries the correct attribute (cn instead of mail), complete the following steps:
  1. Open the SMC Management Client.
  2. Go to Configuration, User Authentication, Servers.
  3. Open the properties of the LDAP server bound to the default LDAP domain.
  4. On the Attributes tab, change the E-mail attribute from mail to cn.
  5. Click OK and install the policy on the firewall.
All VPN Client users connecting to this gateway who use certificate authentication must now use Subject Name as Certificate ID.

Note: This also affects all other VPN gateways that use this LDAP server to authenticate users.


Keywords: remote vpn issues; mobile vpn; client vpn; user authentication; vpn authentication issue; certificate authentication
