VPN client authentication: Certificate IDs and Windows certificate store
- Article Number: 000012550
- Products: NGFW VPN Client
- Version: 6.8, 6.7, 6.6, 6.5, 6.4, 6.3, 6.2, 6.1, 6.0, 5.9, 5.8, 5.7, 5.6, 5.5, 5.10
- Last Published Date: July 31, 2020
Forcepoint VPN Client supports certificate authentication. The certificate used for this may either be imported into the VPN Client GUI on the Certificates tab or taken from the Windows certificate store (certmgr.msc).
The certificate that is used to authenticate the user is selected in the VPN Client GUI.
The default Certificate ID used during authentication is E-mail, which is read from the e-mail (RFC822 name) entry of the certificate's Subject Alternative Name extension.
When a certificate is imported into the GUI, its Certificate ID can be changed in the certificate's settings.
The Certificate ID is sent to the gateway as the IKE ID, and the gateway uses it to look up the user in the default LDAP domain: it queries the LDAP server for a user whose mail attribute equals the IKE ID it received.
If several certificates with the same Subject Alternative Name exist on the same machine, the VPN Client may select the wrong private key for authentication, and the authentication fails. The client may show the error: User Authentication failed. Invalid Algorithm specified.
If all of the certificates with the identical Subject Alternative Name are in the VPN Client GUI, delete the extra certificates from the GUI.
If one of the certificates with the identical Subject Alternative Name is in the VPN Client GUI and the other is in the Windows certificate store, and you wish to authenticate with the certificate in the Windows certificate store, change the GUI certificate's Certificate ID to Use to Subject Name. The certificate in the Windows store is then the only one identified by that Subject Alternative Name, so the client selects the correct key.
If one of the certificates with the identical Subject Alternative Name is in the VPN Client GUI and the other is in the Windows certificate store, and you wish to authenticate with the certificate in the VPN Client GUI, there are two options:
Note Be careful when making changes to the Windows registry, and consider creating a backup before doing so.
As the name of the registry value suggests, the client now uses the whole Distinguished Name (DN) to identify the key; only the Common Name (CN) part of the DN is sent to the gateway as the IKE ID. A DN is normally unique between certificates, so this ensures that the correct key is always used for authentication.
The side effect on the gateway side is that, after the change, the user is searched in LDAP by the Common Name value instead of the e-mail value from the Subject Alternative Name. To make the corresponding change on the gateway so that it queries the correct attribute (cn instead of mail), complete the following steps:
Note This also affects all other VPN gateways that use this LDAP server to authenticate users.
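To check for the duplicate-SAN condition described above on the client machine, here is an added PowerShell example (not part of the original article and not Forcepoint's code). It lists the certificates with a private key in the current user's Personal store, reads the e-mail (RFC822 name) from each certificate's Subject Alternative Name and the Common Name from its Subject, warns when one SAN e-mail is shared by more than one certificate, and shows, for each certificate, the LDAP lookup key the gateway would use with the default Certificate ID (mail) and after the switch to the DN/CN behaviour (cn). It assumes the certificates are in Cert:\CurrentUser\My (certificates imported into the VPN Client GUI are not in the Windows store and are not listed) and that the gateway filter has the form (mail=...) or (cn=...); that filter shape is an assumption based only on the attribute names the article mentions.

```powershell
# Added example, not Forcepoint's code. Run on the VPN client in Windows PowerShell 5.1
# or PowerShell 7 on Windows. Assumptions: the relevant certificates are in the current
# user's Personal store (Cert:\CurrentUser\My), and the gateway's LDAP lookup has the
# shape "(<attribute>=<IKE ID>)" with attribute mail (default) or cn (after the change).

$SanOid = '2.5.29.17'   # id-ce-subjectAltName

function Get-SanEmail {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if (-not $ext) { return @() }
    # On Windows, Format($true) renders the SAN one entry per line, for example
    # "RFC822 Name=alice@example.com" or "DNS Name=host.example.com" (English locale).
    $emails = @()
    foreach ($line in ($ext.Format($true) -split "`r?`n")) {
        if ($line -match '^\s*RFC822 Name=(.+)$') { $emails += $Matches[1].Trim() }
    }
    return $emails
}

function Get-CertificateIdReport {
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    # Only certificates with a private key can be used for client authentication.
    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $cn   = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        foreach ($mail in (Get-SanEmail -Certificate $cert)) {
            [pscustomobject]@{
                Thumbprint  = $cert.Thumbprint
                SanEmail    = $mail
                CommonName  = $cn
                Subject     = $cert.Subject
                NotAfter    = $cert.NotAfter
                LdapByEmail = "(mail=$mail)"   # lookup key with the default Certificate ID (E-mail); assumed filter shape
                LdapByCn    = "(cn=$cn)"       # lookup key after the DN/CN change on client and gateway; assumed filter shape
            }
        }
    }
}

$report = Get-CertificateIdReport
$report | Format-Table Thumbprint, SanEmail, CommonName, NotAfter -AutoSize

# Two or more private keys behind the same SAN e-mail is exactly the condition under
# which the client may pick the wrong key when the Certificate ID is E-mail.
$duplicates = $report | Group-Object -Property SanEmail | Where-Object { $_.Count -gt 1 }
if (-not $duplicates) {
    Write-Host 'No duplicate SAN e-mail values among certificates with private keys.'
}
foreach ($group in $duplicates) {
    Write-Warning "SAN e-mail '$($group.Name)' is present in $($group.Count) certificates with private keys; remove the extra ones or change the Certificate ID used for one of them."
    $group.Group | Format-Table Thumbprint, Subject, NotAfter, LdapByEmail, LdapByCn -AutoSize
}
```

The CommonName column is what would be sent as the IKE ID after the registry change described above, so a quick scan of it tells you whether the cn values are also unique before you switch the gateway's LDAP query from mail to cn.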
Keywords: remote vpn issues; mobile vpn; client vpn; user authentication; vpn authentication issue; certificate authentication