Windows 10 remote users' certificates invalid after password change

Mikhaylov Evgeny 6 Reputation points
2022-09-28T12:17:00.533+00:00

Hello!
The issue is exactly the same as described in the article https://learn.microsoft.com/en-us/answers/questions/744964/windows-11-remote-password-change-breaks-vpn-certi.html
The only difference is that we suffer from it on Windows 10.

We use Cisco AnyConnect Mobility Client with two profiles configured: ManagementTunnel that relies on Computer Certificates to establish a VPN connection before logon, and UserTunnel that relies on User Certificates to establish a VPN connection after logon and that has an <AlwaysOn>true option in .XML config file.
Both ManagementTunnel and UserTunnel allow connections to RODC only. Opening connections to RWDC is not an option due to our security policies.

After a user changes their domain password, there is a validation error for the User Certificate on the next logon.
The only workaround is to manually remove the public certificate for the given user and run the gpupdate /force command. That works because ManagementTunnel is still working with access to the RODC.


2 answers

  1. Limitless Technology 44,126 Reputation points
    2022-09-29T07:18:41.48+00:00

    Hello there,

    Have you made any recent updates on the device? If so try uninstalling them as there was a history of an Update breaking the certificate.

    Does this behavior happen when the user changes their password after obtaining the certificate from the CA?

    Assuming you're using Active Directory and Windows CA, if you manage to get AD connectivity from the client and try to access the private key (launching the VPN) it should be able to read the key and it will be readable until you reboot the client. Not sure whether it is a Bug or a security feature implemented recently.


  2. Mikhaylov Evgeny 6 Reputation points
    2022-11-23T12:54:21.867+00:00

    Hello!
    We observe this issue from the very beginning of implementing certificate based authentication for Cisco AnyConnect.
    We were hoping to see a solution through some of the updates for Windows 10 20H2, as users were saying the September update solved the issue.
    But when we joined a Windows 11 22H2 computer with the latest updates installed to AD, we could see that the issue persists: the user can't establish a VPN connection after a password change and restart.
    The same workaround as for Windows 10 is needed: remove the user certificate and acquire a new one with gpupdate /force.

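The manual workaround the question and the follow-up describe (remove the stale user certificate, then run gpupdate /force), together with the private-key readability point raised in the first answer, can be checked and applied from the affected user's session. The script below is an added example, not code from the question, the answers, Microsoft or Cisco. It assumes the VPN user certificate was issued by AD CS through autoenrollment and carries the Client Authentication EKU, and the issuing CA name is a placeholder to be replaced; the certificate is only removed when the -Remove switch is given and the private key is found unusable.

```powershell
# Added example (not from the original question or answers): list the current
# user's client-authentication certificates from the enterprise CA, test whether
# each private key can still be used, and optionally apply the workaround from
# the thread (remove the certificate, then refresh Group Policy to re-enroll).
# Assumptions: autoenrollment issues the VPN user certificate; the CA subject
# below is a placeholder, not a value from the page.

param(
    [string]$IssuerMatch = 'CN=EXAMPLE-ISSUING-CA',   # placeholder, replace with your CA's subject
    [switch]$Remove                                   # delete only when explicitly requested
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, the EKU a VPN user certificate carries

function Test-PrivateKeyUsable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # HasPrivateKey only says a key is linked to the certificate; signing with it
    # is what shows whether the key can actually be opened after a password change.
    if (-not $Cert.HasPrivateKey) { return $false }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($null -eq $rsa) { return $false }
        $null = $rsa.SignData([byte[]](0x01, 0x02, 0x03),
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
        return $true
    } catch {
        Write-Warning ("Private key for thumbprint {0} could not be used: {1}" -f $Cert.Thumbprint, $_.Exception.Message)
        return $false
    }
}

# Candidate certificates: issued by the named CA and usable for client authentication.
$candidates = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $_.Issuer -like "*$IssuerMatch*" -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
}

if (-not $candidates) {
    Write-Host "No client-authentication certificates from '$IssuerMatch' found in CurrentUser\My."
    return
}

foreach ($cert in $candidates) {
    $usable = Test-PrivateKeyUsable -Cert $cert
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        KeyUsable  = $usable
    } | Format-List

    if ($Remove -and -not $usable) {
        # Mirrors the workaround from the thread: drop the stale certificate and its
        # key, then force a Group Policy refresh so autoenrollment requests a new one.
        Remove-Item -Path ("Cert:\CurrentUser\My\{0}" -f $cert.Thumbprint) -DeleteKey
        Write-Host "Removed $($cert.Thumbprint); running gpupdate /force to re-enroll."
        gpupdate /force
        # certutil -pulse kicks the autoenrollment task immediately instead of
        # waiting for the next scheduled enrollment pass.
        certutil -pulse
    }
}
```

Run it first without -Remove to see which certificates report KeyUsable = False after a password change; that output is the evidence to attach to a support case or a Group Policy review. Because the ManagementTunnel keeps the machine reachable to the RODC, the refresh and re-enrollment can complete without the user tunnel, which is the condition the question says the manual workaround depends on.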