Anyconnect XML Profile Certificate Matching - Multiple Certs different Issuer

Hi Guys
I am trying to set up an XML profile for Cisco AnyConnect that will look at multiple certificates that could be issued from 2 different CAs.
I am currently having trouble setting this up, and it does not look like it is possible.
Is there a way around this?
Regards
Mohamed

The AnyConnect client supports the following certificate match types. Some or all of these may be used for client certificate matching. Certificate match criteria are global criteria that can be set in an AnyConnect profile. The criteria are:
• Key Usage
• Extended Key Usage
• Distinguished Name
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect20/administrative/guide/admin7.html#wp1000158

Similar Messages

  • Anyconnect xml profile

    I have anyconnect installed on my win7 PC but I am not able to locate xml profile file. Any clue where I should look for that?
    I have already checked under Anyconnect installation folder and could not find it.

    Hi,
    Try these (depending on if you have the "old" or new AnyConnect Client)
    C:\ProgramData\Cisco\Cisco AnyConnect VPN Client
    C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client
    C:\Users\username\AppData\Local\Cisco\Cisco AnyConnect VPN Client\
    C:\Users\username\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client\
    username = your username naturally
    - Jouni

  • Anyconnect VPN Certificate-matching not working

    Cisco Adaptive Security Appliance Software Version 9.1(4); Device Manager Version 7.1(5)100; anyconnect-win-3.1.05152-k9.pkg
    Hello, I am trying to implement Certificate Matching for certain client profiles. However, 'certificate matching' does not seem to work: another certificate is always selected instead for Anyconnect SSL VPN authentication.
    For example the client has two client-certificates installed: masin2 and masin3. I have configured the client-profile certificate-matching to use masin2 for authentication, but Anyconnect still chooses masin3 instead.
    The client-profile looks like this:
    <CertificateMatch>
        <KeyUsage>
            <MatchKey>Key_Encipherment</MatchKey>
            <MatchKey>Digital_Signature</MatchKey>
        </KeyUsage>
        <ExtendedKeyUsage>
            <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
        </ExtendedKeyUsage>
        <DistinguishedName>
            <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Disabled">
                <Name>CN</Name>
                <Pattern>masin2</Pattern>
            </DistinguishedNameDefinition>
        </DistinguishedName>
    </CertificateMatch>
    Any suggestions/ideas? thanks for any input,
    heiki.

    Enabling wildcard did not help. I also tried disabling/enabling automatic certificate selection; no luck.
    I have also tried with and without different KeyUsage and ExtendedKeyUsage; no difference.
    The Client Profile is correctly updated on the client PC every time a change is made, but it seems like Anyconnect is not evaluating the Certificate Matching fields at all. And it seems like the problem is only with the CertificateMatch fields, because other fields are used as configured (for example: certificatestore, retainvpnonlogoff, usestartbeforelogon and so on).
    I even upgraded Anyconnect to the latest version 3.1.05160 and still Anyconnect completely ignores the CertificateMatch configuration in the client profile.
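
An added example, not part of the original thread and not Cisco code: it parses the CertificateMatch block posted above and reports which of two constructed certificate descriptors satisfy it, so a criteria mistake can be told apart from a client that is not applying the block. The combining rules (any listed KeyUsage, all listed ExtendedKeyUsage, all DistinguishedName definitions), the attribute defaults, the `NotEqual` operator handling and the sample certificate attributes are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# CertificateMatch block as posted in the thread (indentation normalised).
PROFILE_FRAGMENT = """
<CertificateMatch>
  <KeyUsage>
    <MatchKey>Key_Encipherment</MatchKey>
    <MatchKey>Digital_Signature</MatchKey>
  </KeyUsage>
  <ExtendedKeyUsage>
    <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
  </ExtendedKeyUsage>
  <DistinguishedName>
    <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Disabled">
      <Name>CN</Name>
      <Pattern>masin2</Pattern>
    </DistinguishedNameDefinition>
  </DistinguishedName>
</CertificateMatch>
"""

# Constructed descriptors for the two client certificates named in the post;
# their key usage and EKU values are assumed, not taken from the thread.
SAMPLE_CERTS = [
    {"label": "masin2", "key_usage": {"Digital_Signature", "Key_Encipherment"},
     "eku": {"ClientAuth"}, "dn": {"CN": ["masin2"]}},
    {"label": "masin3", "key_usage": {"Digital_Signature", "Key_Encipherment"},
     "eku": {"ClientAuth"}, "dn": {"CN": ["masin3"]}},
]

def _local(tag):
    """Strip the XML namespace so a full profile (with xmlns) parses the same way."""
    return tag.rsplit("}", 1)[-1]

def parse_criteria(xml_text):
    """Return the CertificateMatch criteria, or None if the profile has no such block."""
    root = ET.fromstring(xml_text)  # the profile is an admin-controlled file
    block = next((e for e in root.iter() if _local(e.tag) == "CertificateMatch"), None)
    if block is None:
        return None
    crit = {"key_usage": [], "eku": [], "dn": []}
    for el in block.iter():
        name = _local(el.tag)
        if name == "MatchKey":
            crit["key_usage"].append((el.text or "").strip())
        elif name == "ExtendedMatchKey":
            crit["eku"].append((el.text or "").strip())
        elif name == "DistinguishedNameDefinition":
            fields = {_local(c.tag): (c.text or "").strip() for c in el}
            crit["dn"].append({
                "name": fields.get("Name", ""), "pattern": fields.get("Pattern", ""),
                # Attribute defaults below are assumptions of this example.
                "negate": el.get("Operator", "Equal") == "NotEqual",
                "wildcard": el.get("Wildcard", "Disabled") == "Enabled",
                "match_case": el.get("MatchCase", "Enabled") == "Enabled",
            })
    return crit

def dn_rule_ok(rule, cert_dn):
    values = cert_dn.get(rule["name"], [])
    pattern = rule["pattern"]
    if not rule["match_case"]:
        pattern, values = pattern.lower(), [v.lower() for v in values]
    # Assumed: with Wildcard enabled the pattern may appear anywhere in the value.
    hit = any(pattern in v if rule["wildcard"] else pattern == v for v in values)
    return hit != rule["negate"]

def failures(crit, cert):
    """List the criteria a certificate fails; an empty list means it is a candidate."""
    out = []
    if crit["key_usage"] and not set(crit["key_usage"]) & cert["key_usage"]:
        out.append("none of the listed KeyUsage values present")
    missing = set(crit["eku"]) - cert["eku"]
    if missing:
        out.append("missing ExtendedKeyUsage: " + ", ".join(sorted(missing)))
    for rule in crit["dn"]:
        if not dn_rule_ok(rule, cert["dn"]):
            out.append(f"{rule['name']} rule for {rule['pattern']!r} not satisfied")
    return out

def candidates(xml_text, certs):
    crit = parse_criteria(xml_text)
    if crit is None:  # no CertificateMatch block: nothing is filtered
        return [c["label"] for c in certs]
    return [c["label"] for c in certs if not failures(crit, c)]

if __name__ == "__main__":
    for cert in SAMPLE_CERTS:
        print(cert["label"], failures(parse_criteria(PROFILE_FRAGMENT), cert) or "matches")
```

If this evaluation leaves only masin2 as a candidate while the client still presents masin3, the criteria as written are not the cause, and the next thing to check is whether the client is actually applying the profile that contains them.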

  • How to install .xml profiles for Anyconnect for Mac??

    Hi,
    I have AnyConnect 3.0.4235 installed on my Mac (OS X Mountain Lion), and my company uses .xml profile files so that the list of sites to connect to is autopopulated when you run the client.
    I know where they go on Windows boxes, but have never done this on a Mac and have no idea where these .xml files should go.   I tried putting them in the following location:  opt/cisco/anyconnect/profile  but when I run AnyConnect the "Connect to" box is still blank.
    Does anybody know where these should go?  Is there something else I need to do that I'm missing?

    You have the right place for the xml file but the user preferences is a file in /Users/username/.anyconnect
    Reference

  • Certificate type in cert profile

    what is the significance of the certificate type in cert profile?
    what will be the effect if I choose cert type as say E31B instead of E31A?

    Hi,
    In SPRO , Cert types are defined in Quality certificates-> Cert profile -> Define certificate types.
    You can only define the keys and short texts for the certificate types. Ref the help provided by SAP below.
    Define Certificate Types
         In this step, you define the certificate types.
         You only define the keys and short texts for the certificate types. When you define the certificate profiles, you must make sure the certificates conform to the standard type in both form and content.
         You can assign a status profile to each certificate type.
         Recommendation
         o   Note that the table of certificate types is used both in procurement and Sales & Distribution.
         o   Define the certificate types according to the applicable standards.
         Activities
         Determine which certificate types are required in your company for procurement and sales/distribution and define these certificate types in the table.
         Further notes
         Refer to the chapter 'Environment' for information on the general status management function and the status profile.
    Hope this helps you.
    Regards
    K.M.Arun

  • Securing multiple AnyConnect connection profiles

    Hello,
    Here is our scenario. We have three (3) separate AnyConnect connection profiles each with different levels of access enforced through ACL filters. We have aliases configured for each connection profile in order for each group member to be able to choose his group when logging in to AnyConnect. Authentication is done via LDAP to one single server/domain instance on which all users have accounts. Given our scenario and without using multi factor authentication, is there any way to keep a user from logging in to a connection profile in the AnyConnect client which he shouldn't have access to?
    Thanks,
    -Mike

    Dear Marvin,
    I have a similar situation where I have different connection profiles and group policies where I apply an ACL, where each profile has access to different resources.
    My question would be: is there any possibility to allow only specific real IP addresses to initiate a VPN session to the firewall?
    regards
    Nehat

  • Assigning AnyConnect Client Profiles based on the machine?

    I have an ASA running 8.2.x code with AnyConnect 2.4.x. I have both Radius and LDAP (AD) AAA available.
    If a user connects from a company owned laptop, I want to push down AnyConnect client ProfileA (with scripts to map drives etc...) and network ACL's set A.
    If a user connects from any other computer, I want to push down AnyConnect client ProfileB (no scripts etc...) and network ACL's set B.
    What I would like to do is CSD to do a machine certificate check (for presence of a cert from my private CA) and to assign a EndPoint Policy attribute (Managed on successful check or Unmanaged on failure). I can then use DAP to tailor the ACL's that get set.
    It seems like the only way to handle AnyConnect client profiles is with Group-Policy. Using LDAP I can assign a user to a Group-Policy, but I have no way of determining if they are coming in from a company laptop or not when assigning the Group-Policy. DAP cannot assign an AnyConnect client profile.
    If at all possible, I do not want users to have to pick a connection profile or use different URLs.
    Is there any way to accomplish this?

    Hi
    Did you ever resolve this issue?  I am trying to assign a specific IP address based on the hostname or machine cert but the certificate matching doesn't seem to look at the machine cert.
    Has anyone got any idea how I could do this?
    thanks
    Steve

  • Disabling Automatic Certificate Selection But anyconnect is selecting Certificate automatically

    Hi guys,
    I am having anyconnect version 3.1.03103, windows7 & 8 and asa 5520 (8.4). I have gone through a lot of work to solve this issue but it is not happening.
    On clientless ssl vpn it prompts me for manual certificate selection but on anyconnect client it is not. profile configuration is mentioned below.
    In the highlighted line below i have changed UserControllable="true" still no results.
    <?xml version="1.0" encoding="UTF-8"?>
    <AnyConnectProfile xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.xmlsoap.org/encoding/">
      <ClientInitialization>
        <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
        <AutomaticCertSelection UserControllable="false">false</AutomaticCertSelection>
        <ShowPreConnectMessage>false</ShowPreConnectMessage>
        <CertificateStore>All</CertificateStore>
        <CertificateStoreOverride>false</CertificateStoreOverride>
        <ProxySettings>Native</ProxySettings>
        <AllowLocalProxyConnections>true</AllowLocalProxyConnections>
        <AuthenticationTimeout>12</AuthenticationTimeout>
        <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
        <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
        <LocalLanAccess UserControllable="true">false</LocalLanAccess>
        <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
        <IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
        <AutoReconnect UserControllable="false">true
          <AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
        </AutoReconnect>
        <AutoUpdate UserControllable="false">true</AutoUpdate>
        <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
        <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
        <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
        <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
        <PPPExclusion UserControllable="false">Disable
          <PPPExclusionServerIP UserControllable="false"/>
        </PPPExclusion>
        <EnableScripting UserControllable="false">false</EnableScripting>
        <EnableAutomaticServerSelection UserControllable="false">false
          <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
          <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
        </EnableAutomaticServerSelection>
        <RetainVpnOnLogoff>false</RetainVpnOnLogoff>
      </ClientInitialization>
    </AnyConnectProfile>

    Hi paholland
    The order is OS dependent, and AFAIK there is no way to influence the order.
    However, you can limit which certificates are used by implementing certificate match criteria in the profile:
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/administration/guide/ac03features.html#wp1216866
    hth
    Herbert

  • Sun One 6.1 reverse proxy with multiple certs

    We are using Sun One Web Server 6.1sp6 as a reverse proxy without the passthrough plugin. We also have multiple certs and not a global cert and what we are seeing is the data getting "staged" on the web server before moving on to the destination (which obviously halves throughput). Some research tells us that this staging is happening because it needs to re-encrypt the packets for the next cert.
    Is there any way besides having a global cert that we can get around this? Would using the passthrough plugin help?
    Thanks,
    Don

    The thing is that it apparently doesn't do it on the fly, which is why I was wondering if the passthrough plug in would help. In other words, if I am sending a 10mb file through to the destination server (there's a weblogic server on the back end with a different cert that I want to do the real processing), the web server waits until it gets all 10mb then resends it. Seems it should do the encrypt/decrypt on a packet level to me.
    As far as the config, I didn't set it up, I'm just trying to get it to work :)
    Here are the configs, if it would help. If there's something set up wrong here, please feel free to point it out!
    Thanks,
    Don
    magnus.conf
    # The NetsiteRoot, ServerName, and ServerID directives are DEPRECATED.
    # They will not be supported in future releases of the Web Server.
    NetsiteRoot /iplanet/servers
    ServerName rpserver.testdomain.com
    ServerID https-rpserver.testdomain.com
    RqThrottle 256
    DNS off
    Security on
    PidLog /iplanet/servers/https-rpserver.testdomain.com/logs/pid
    User iplanet1
    StackSize 131072
    TempDir /tmp/https-rpserver.testdomain.com-a9dd9515
    PostThreadsEarly off
    KernelThreads off
    ChunkedRequestBufferSize 0
    LogVerbose on
    LogVsId off
    AsyncDNS off
    KeepAliveTimeout 10
    UseNativePoll on
    Init fn="load-modules" funcs="wl_proxy,wl_init" shlib=/iplanet/servers/plugins/nsapi/wls923/libproxy128_61.so
    Init fn="wl_init"
    Init fn="load-modules" shlib="/iplanet/servers/bin/https/lib/libj2eeplugin.so" shlib_flags="(global|now)"
    Init fn="stats-init" profiling="on"
    obj.conf
    # The NetsiteRoot, ServerName, and ServerID directives are DEPRECATED.
    # They will not be supported in future releases of the Web Server.
    NetsiteRoot /iplanet/servers
    ServerName rpserver.testdomain.com
    ServerID https-rpserver.testdomain.com
    RqThrottle 256
    DNS off
    Security on
    PidLog /iplanet/servers/https-rpserver.testdomain.com/logs/pid
    User iplanet1
    StackSize 131072
    TempDir /tmp/https-rpserver.testdomain.com-a9dd9515
    PostThreadsEarly off
    KernelThreads off
    ChunkedRequestBufferSize 0
    LogVerbose on
    LogVsId off
    AsyncDNS off
    KeepAliveTimeout 10
    UseNativePoll on
    Init fn="load-modules" funcs="wl_proxy,wl_init" shlib=/iplanet/servers/plugins/nsapi/wls923/libproxy128_61.so
    Init fn="wl_init"
    Init fn="load-modules" shlib="/iplanet/servers/bin/https/lib/libj2eeplugin.so" shlib_flags="(global|now)"
    Init fn="stats-init" profiling="on"
    server.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <!--
    Copyright (c) 2003 Sun Microsystems, Inc. All rights reserved.
    Use is subject to license terms.
    -->
    <!DOCTYPE SERVER PUBLIC "-//Sun Microsystems Inc.//DTD Sun ONE Web Server 6.1//EN" "file:///iplanet/servers/bin/https/dtds/sun-web-server_6_1.dtd">
    <SERVER qosactive="false">
    <PROPERTY name="docroot" value="/iplanet/servers/docs"/>
    <PROPERTY name="accesslog" value="/iplanet/servers/https-rpserver.testdomain.com/logs/access"/>
    <PROPERTY name="user" value=""/>
    <PROPERTY name="group" value=""/>
    <PROPERTY name="chroot" value=""/>
    <PROPERTY name="dir" value=""/>
    <PROPERTY name="nice" value=""/>
    <LS id="ls1" port="443" servername="rpserver.testdomain.com" defaultvs="https-rpserver.testdomain.com" security="on" ip="any" blocking="false" acceptorthreads="2">
    <SSLPARAMS servercertnickname="Server-Cert" ssl2="off" ssl2ciphers="-rc4,-rc4export,-rc2,-rc2export,-desede3,-des" ssl3="on" tls="on" ssl3tlsciphers="-rsa_rc4_128_sha,+rsa_rc4_128_md5,-rsa_rc4_56_sha,-rsa_rc4_40_md5,+rsa_3des_sha,+rsa_des_sha,-rsa_des_56_sha,-rsa_rc2_40_md5,-rsa_null_md5,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,+fips_3des_sha,-fips_des_sha" tlsrollback="on" clientauth="off"/>
    </LS>
    <MIME id="mime1" file="mime.types"/>
    <ACLFILE id="acl1" file="/iplanet/servers/httpacl/generated.https-rpserver.testdomain.com.acl"/>
    <VSCLASS id="vsclass1" objectfile="obj.conf" rootobject="default" acceptlanguage="false">
    <VS id="https-rpserver.testdomain.com" connections="ls1" mime="mime1" aclids="acl1" urlhosts="rpserver.testdomain.com" state="on">
    <PROPERTY name="docroot" value="/iplanet/servers/docs"/>
    <USERDB id="default"/>
    <SEARCH>
    <WEBAPP uri="/search" path="/iplanet/servers/bin/https/webapps/search" enabled="true"/>
    </SEARCH>
    </VS>
    </VSCLASS>
    <JAVA javahome="/iplanet/servers/bin/https/jdk" serverclasspath="/iplanet/servers/bin/https/jar/webserv-rt.jar:${java.home}/lib/tools.jar:/iplanet/servers/bin/https/jar/webserv-ext.jar:/iplanet/servers/bin/https/jar/webserv-jstl.jar:/iplanet/servers/bin/https/jar/ktsearch.jar" classpathsuffix="" envclasspathignored="true" nativelibrarypathprefix="" debug="false" debugoptions="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n" dynamicreloadinterval="-1">
    <JVMOPTIONS>-Djava.security.auth.login.config=/iplanet/servers/https-rpserver.testdomain.com/config/login.conf</JVMOPTIONS>
    <JVMOPTIONS>-Djava.util.logging.manager=com.iplanet.ias.server.logging.ServerLogManager</JVMOPTIONS>
    <JVMOPTIONS>-Xmx256m</JVMOPTIONS>
    <SECURITY defaultrealm="native" anonymousrole="ANYONE" audit="false">
    <AUTHREALM name="file" classname="com.iplanet.ias.security.auth.realm.file.FileRealm">
    <PROPERTY name="file" value="/iplanet/servers/https-rpserver.testdomain.com/config/keyfile"/>
    <PROPERTY name="jaas-context" value="fileRealm"/>
    </AUTHREALM>
    <AUTHREALM name="native" classname="com.iplanet.ias.security.auth.realm.webcore.NativeRealm">
    <PROPERTY name="jaas-context" value="nativeRealm"/>
    </AUTHREALM>
    <AUTHREALM name="ldap" classname="com.iplanet.ias.security.auth.realm.ldap.LDAPRealm">
    <PROPERTY name="directory" value="ldap://localhost:389"/>
    <PROPERTY name="base-dn" value="o=isp"/>
    <PROPERTY name="jaas-context" value="ldapRealm"/>
    </AUTHREALM>
    </SECURITY>
    <RESOURCES/>
    </JAVA>
    <LOG file="/iplanet/servers/https-rpserver.testdomain.com/logs/errors" loglevel="info" logtoconsole="true" usesyslog="false" createconsole="false" logstderr="true" logstdout="true" logvsid="false"/>
    </SERVER>

  • Anyconnect Client profile files deleted after client upgrade

    L.S.
    I am running anyconnect version 3.1.02040 on a Windows 7 64-bit machine with UAC turned on.
    The ASA I am connecting to is a 5510 running ASA OS 8.4.5
    The problem I have is the following:
    We are using machine certificate authentication combined with RADIUS user authentication.
    The machine certificates are stored in the Machine/Personal container in the local machine.
    By default, the anyconnect client does not have the rights to access this certificate store when run by the user in non-elevated mode.
    We do not want to have the user run the client as administrator (in elevated mode) all the time.
    Therefore we have made an Anyconnect Client profile that sets the Certificate Store Override parameter to true and attached it to the group policy.
    With this XML in place (in the C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile folder)
    the users can connect to the ASA and authenticate using the certificate without the need for elevated rights. This is all working perfectly.
    The anyconnect client and XML file are distributed to the clients using a software distribution system (Microsoft SCCM).
    The problem happens when I update the Anyconnect package on the ASA. I recently updated the package to release 3.1.03103. This is what happens:
    The user can connect using the 3.1.02040 client (certificate authentication works without elevation, since the XML Anyconnect Client Profile is present)
    The Anyconnect software updates itself to the new version during the connection, pushed from the ASA.
    The VPN is established.
    However, the XML file that is associated with the group policy is deleted during the upgrade process and not placed back in the Profile folder on the client after the upgrade.
    This means the user cannot connect without using elevated rights the next time he wants to connect.
    If he uses elevated rights after the upgrade, the XML is pushed back from the ASA normally, allowing the user to connect without elevation again any subsequent times.
    Is there any way to push the XML profile to the client from the ASA after the upgrade of the Anyconnect software?

    Hi poiu720408 ,
    1. You need to set up a web-url or group-alias under the group policy as we have enabled the "tunnel-group-list enable" under the webvpn configuration. So once the user connects to the proper URL/alias the profile will be applied.
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html
    2. Yes, AnyConnect stores "cache" information on the PC; if you want to clean up you have to go to the anyconnect folder on C: on the PC and delete the global_preferences.xml profile.
    3. This behavior is totally expected and they should disappear after some minutes; however, if you want to force this, you can use the command "vpn-sessiondb logoff webvpn noconfirm"
    Please rate helpful post !
    Hope this helps
    - Randy -

  • AnyConnect 3.1.01065 error - Failed to install AnyConnect VPN Profile because of file move error. A VPN connection cannot be established.

    I've got a user running:
    AnyConnect 3.1.01065
    on
    Windows 7 64bit.
    Several weeks ago she started encountering the following error:
    -after logging into Windows and launching the AnyConnect client, she enters her username and password and successfully authenticates.
    -the connection is not established and she's presented with the following message: "Failed to install AnyConnect VPN Profile because of file move error. A VPN connection cannot be established."
    After doing some troubleshooting, including uninstalling/reinstalling the anyconnect client, it seems the culprit is the following file:
    C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\<filename>.xml. When the problem occurs (which is not regularly, sometimes it occurs daily, sometimes just once a week) examining that file indicates it has no security or permissions set. Quitting the AnyConnect software, modifying the file so that the user has full control of it, then relaunching AnyConnect fixes the problem (until it happens again). Uninstalling, and making sure to move C:\ProgramData\Cisco to the trash, then reinstalling did not seem to help.
    The closest match in these forums is the following thread, https://supportforums.cisco.com/message/3760446 - though no clear resolution was given.
    Has anyone else encountered this, and been able to fix it?
    Thanks much.

    Just FYI, it seems at least in this case, purging all the previous system restore points seems to have resolved this issue...

  • ASDM Anyconnect client profile - unable to edit preferences

    Hi,
    I have a functioning vpn set up, my problem is that I'm trying to set up anyconnect start before login. I navigate to the anyconnect client profile section in the remote access vpn and create a profile xml file by clicking the add button. I can add a profile but as soon as I save the file I can no longer edit it. The edit button is greyed out and if I double click the file the asdm returns the error: "Input is not a well-formed, schema-compliant XML file."
    I'm running the following versions of software:
    asdm: 7.1(5)100
    anyconnect: 3.1.05152
    asa: 8.2(3) <----asa hardware doesn't support running a newer version.
    I have not been able to find any info on this particular problem but maybe someone here can help?

    Hello Ryan,
    Do you run into the same problem if you upload AnyConnect 2.5 and perform the same task?
    Also, have you tried this operation from a different machine with an old Java version like 1.6?
    HTH.

  • Split an inbound xml message in to multiple o/b idocs

    HI,
    We have a requirement to split an XML message (source) into multiple IDocs with different order nos and respective item details. We are working on XI 3.0 and we have a restriction not to use the BPM. Could you please let me know whether it's possible to do 1:n mapping in XI 3.0 and how we can do this?
    Thanks,
    Hari

    Then how can you do that in PI? We should know how many target IDocs are required, then we can import them into PI.
    If you want to generate the same IDoc multiple times then we can do this: change the IDoc occurrence to 0 to unbounded, then import it as an external def and use it in the mapping; the logic you have to write in the mapping.
    Regards,
    Raj

  • AnyConnect Client Profile Backup Server Configuration

    I'm trying to understand the use of Backup Server option in AnyConnect Client Profile
    Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile > Edit > Backup Server
    (Screenshot attached)
    My questions:
    1. In what all scenarios do we add servers (ASA devices) in this tab
    2. If I have same information in two different locations (Site A and Site B) for AnyConnect user, can I add Site A-ASA and Site B-ASA into Backup Server tab as a failover mechanism for end user.
    3. Or is it only used to mention ASA devices configured in failover unit
    4. In case of failover unit, does it support stateful failover
    I could not find answers to above questions from Google search. So, asking here

    I think we need to be careful when we talk about failover. The original post was clearly asking about two different scenarios
    1) ASAs at two different sites
    2) ASAs configured as a High Availability failover pair (Active/Standby).
    The profile does work to provide failover in 1) but does not work to provide failover in 2).
    I do not know the authoritative answer to the question about IP phones' use of the profile. I believe that the answer ought to be that yes, the phone would receive the profile after its first connection and would use the backup server identified in the profile if the primary server was not available. That is a basic functionality of the AnyConnect client and if the phone is using the AnyConnect client then it ought to support that failover.
    If someone does have an authoritative answer then please speak up. Several of us would like to know the right answer here.
    HTH
    Rick

  • Problem with Anyconnect - Reading computer certificate

    Hi everyone.
    We are having an issue with our Windows 8.1 domain computer and Anyconnect.
    We have deployed computer certificates to all our domain computers, and use them for our wireless networks, which works great.
    When Anyconnect is started as a domain user, it won't allow us to connect using the machine certificate. We get an error message saying: "Certificate validation failure" and the message history says: "No valid certificates available for authentication".
    If we run anyconnect as an administrator, there are no problems, and the connection is established right away.
    We have tried giving domain users read access to: HKLM\software\microsoft\systemcertificates, but it didn't help.
    We have tested the same setup on OSX Yosemite, and there it works fine.
    We have had success deploying a user certificate to the user (Windows 8.1), but we would prefer using the computer certificate.
    Any ideas? If you need more information, please let me know.
    Best Regards

    From: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/anyconnectadmin31/ac03vpn.html
    "In the Preferences (Part 1) pane of Profile Editor, use the Certificate Store list box to configure in which certificate store AnyConnect searches for certificates. Use the Certificate Store Override checkbox to allow AnyConnect to search the machine certificate store for users with non-administrative privileges."
    Rob.
