I finally got combined certificate and user/pass/MFA authorization for our always-on VPN clients to multiple firewalls (cert auth to the Portal for valid asset checks and auto-login to trigger internal host detection, user/pass/MFA auth to the Gateway for actually establishing the VPN). Moved ~225 Windows 10 clients in 1 swoop with only 1 problem (a missing cert on one machine). Has been pretty much trouble free except... I have 2 Windows 11 clients, neither of which can connect to the cert-authenticated Portals. Both can connect to a user/pass authenticated Portal without issue.
The Windows 11 GP clients show a "The network connection is unreachable or the portal is unresponsive." error message when connecting. Browsing to the portal address results in a "Valid client certificate is required." error message. The user cert requested for authentication is valid. Weirdly, the Windows 11 GP client can connect to the exact same external Portal from inside the corporate network, with the cert, without issue (and trigger the internal host detection). Windows 10 GP clients can connect internally and externally without issue.
Has anyone seen this? Am I missing an option required for Windows 11?
After considerable digging I have found this was being caused by 2 separate issues.
1) A Windows 11 upgrade, with existing user accounts on the box, breaks permissions for the GP client to access existing certificates. Newly created user accounts and user certificates created after the upgrade do not have a problem. This seems to result from Windows 11 breaking permission to access the private key portion of the existing user certificate. The GP client correctly receives the request from the portal to provide a user certificate for authorization, it correctly identifies the personal certificate(s) signed by the CA, but the GP client then fails when it tries to read the certificate private key to sign the authentication reply to the portal:
(P17016-T20652)Error(2290): 04/29/22 18:12:04:432 error = ERROR_WINHTTP_CLIENT_CERT_NO_ACCESS_PRIVATE_KEY
(P17016-T20652)Debug(2377): 04/29/22 18:12:04:432 winhttpObj, got ERROR_WINHTTP_CLIENT_CERT_NO_ACCESS_PRIVATE_KEY, clean cert cache now
(P17016-T20652)Debug(4578): 04/29/22 18:12:04:432 winhttpobj, cert do not has private key???? clean lastIssuerName now, data = 0000000000000000
This results in a "Network connection is unreachable or the portal is unresponsive." error in the GP client. In a browser connection to the portal, the error message is "Valid client certificate is required". And in the PA logs the error is "Client cert not present".
The GP client can definitely access the rest of the cert as it shows its details just before trying to access the private key. The fix is to export and save the personal certificate (with private key), delete the certificate from the user's personal cert store, and then re-import the same certificate back into the cert store. The GP client can then read the private key for signing. Alternatively, the old certificate can be deleted and a new key generated.
2) Personal certificates with special characters in the common name are not recognized as valid by the PA portal for authentication. If a user has a certificate with a Subject like:
CN=Firstname "Nickname" Lastname,OU=Personal,OU=Corporate,DC=example,DC=com
The GP client correctly identifies the personal certificate as signed by the CA and reads the Subject, including the " quote marks. The GP client then sends the user public cert to the PA portal which responds with an error:
(P2756-T16964)Debug(2699): 05/06/22 10:48:38:506 box return Valid client certificate is required, remove cache and close all handle now
(P2756-T16964)Debug(5134): 05/06/22 10:48:38:506 we get cert error, so remove previousCertificate
(P2756-T16964)Debug(4757): 05/06/22 10:48:38:506 client certificate error found: Client cert usage check failed
The GP client then shows an error that a valid client certificate is required to connect to the portal. The PA logs the error as "Client cert not present". This looks to be a data handling error on the PA side. As far as I can tell, X.509/RFC 5280 allows any printable character in the DN name (up to 64), including all UTF-8 and UTF-16 characters. Certain manufacturers prohibit some special characters in the string (such as " , - ? ), but that doesn't seem to be universal.
Edit: This Palo Alto KB states that some special characters are not allowed in the common name (though somehow in a week of searching for "Valid client certificate is required" errors I never found it).
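The two failure modes described in this post (a personal certificate whose private key the user can no longer open after the upgrade, and a Subject CN containing characters the portal rejects) can both be checked from the affected user's session before the GP client is retried. The following PowerShell script is an added example and is not code from the post, from the GP client or from Palo Alto. It walks the user's personal store, keeps certificates whose issuer contains the string passed in the hypothetical -IssuerMatch parameter, attempts a real signature with each private key (the same operation that fails with ERROR_WINHTTP_CLIENT_CERT_NO_ACCESS_PRIVATE_KEY in the GP log), and flags the characters the post lists (" , - ?) if they appear in the CN. The "Corporate CA" default and the probe string are constructed placeholders.

```powershell
# Added diagnostic (not from the post, the GP client or Palo Alto).
# Run as the affected user, since the check is about that user's private-key access.
param(
    # Hypothetical parameter: substring of the issuing CA's DN. "Corporate CA" is a placeholder.
    [string]$IssuerMatch = 'Corporate CA'
)

# Characters the post reports as rejected by the portal when they appear in the CN.
$SuspectCnChars = @('"', ',', '-', '?')

function Test-PrivateKeyUsable {
    # Returns $true only if the private key can be opened AND used to sign.
    # HasPrivateKey alone is not enough: the post's certificates still show a key,
    # but reading it fails, which is exactly what this function detects.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if (-not $Cert.HasPrivateKey) { return $false }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($null -eq $rsa) { return $false }   # non-RSA key or key not accessible
        $probe = [System.Text.Encoding]::ASCII.GetBytes('probe')  # constructed test data
        $null = $rsa.SignData(
            $probe,
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
        return $true
    } catch {
        # Opening or using the key threw: this is the state the GP log reports as
        # ERROR_WINHTTP_CLIENT_CERT_NO_ACCESS_PRIVATE_KEY.
        return $false
    }
}

function Get-SuspectCnChars {
    # Returns the subset of $SuspectCnChars present in the certificate's CN.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $cn = $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    return @($SuspectCnChars | Where-Object { $cn.Contains($_) })
}

# Report one row per matching personal certificate.
Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like "*$IssuerMatch*" } |
    ForEach-Object {
        [pscustomobject]@{
            Thumbprint       = $_.Thumbprint
            Subject          = $_.Subject
            NotAfter         = $_.NotAfter
            PrivateKeyUsable = Test-PrivateKeyUsable -Cert $_
            SuspectCnChars   = (Get-SuspectCnChars -Cert $_) -join ' '
        }
    } |
    Format-Table -AutoSize
```

A row with PrivateKeyUsable set to False on an upgraded machine points at the first issue, for which the post's remedy is to export the certificate with its private key, delete it from the personal store and import it again (Export-PfxCertificate, Remove-Item and Import-PfxCertificate cover those steps). A non-empty SuspectCnChars column points at the second issue, which is resolved on the CA side by issuing a certificate whose CN avoids those characters. The hyphen check will also flag hyphenated surnames, so treat that column as something to review rather than a verdict.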
You've discovered a Microsoft bug with DSAPI. If you have someone at your company who can (please!) put in a Microsoft support case, it will help. Microsoft has been punting this issue down the road for several months and missing their target release date for a fix.
EDIT: You'll also notice resetting the password on the Win11 device triggers the same behavior, and any credentials saved in the Credential Manager are no longer available.