OpenConnect and Active Directory Certificate Services
Previously my openconnect server deployment plan used PAM authentication (via Kerberos/Active Directory) as the primary authentication method. It works, but it's complicated (a password prompt every time). I just enabled certificate authentication today and it worked fine. Things to note:
- Enable certificate authentication as an alternative authentication method rather than the only one (up to you, but some users in our domain don't have certificate-capable devices, so they still need the password path)
- Use the "Smartcard Logon" certificate template with the subject name built in "Common Name" style
- Set OID 2.5.4.3 (Common Name) as the user identifier in the openconnect server configuration, so that the CN of the presented certificate becomes the VPN username
- Provision the root CA certificate, the CRL and an OCSP responder (revocation checking is optional as far as the server is concerned, but it is part of the best practice: without it a lost or revoked certificate keeps working until it expires)
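The ocserv configuration that ties the points above together, written here as an added illustration rather than taken from the post. The file paths, the CA bundle name and the CRL file name are assumptions; the directive names are the ones ocserv documents. Only the CRL is referenced on the server side, because `crl` is the revocation directive ocserv provides for client certificates; the OCSP responder the post mentions serves the Windows/AD side:

```ini
# ocserv.conf fragment (added example, not the post's own config).
# Paths and file names below are assumptions.

# Primary method: PAM, with Kerberos/Active Directory behind it.
auth = "pam"

# Alternative method: client certificate. A client presenting a valid
# certificate is authenticated by it; everyone else falls back to PAM.
enable-auth = "certificate"

# PEM bundle of the AD CS CA chain (root, plus the issuing CA if it is
# subordinate). Client certificates must chain to this.
ca-cert = /etc/ocserv/adcs-ca-chain.pem

# Take the username from the certificate's Common Name (OID 2.5.4.3).
# This is why the Smartcard Logon template must build the subject in
# "Common Name" style; any other subject layout yields no usable name.
cert-user-oid = 2.5.4.3

# Revocation: client certificates are checked against this CRL. Keep a
# fresh PEM copy of the AD CS CRL here (AD CS publishes DER; convert with
# "openssl crl -inform DER -in adcs.crl -out adcs.crl.pem"). Optional
# from ocserv's point of view, but the only way a revoked card is refused.
crl = /etc/ocserv/adcs.crl.pem

# Server-side TLS identity, unrelated to client auth, shown for context.
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
```

A quick sanity check before rolling this out is to export one issued user certificate and confirm that `openssl verify -CAfile /etc/ocserv/adcs-ca-chain.pem -crl_check -CRLfile /etc/ocserv/adcs.crl.pem user.pem` succeeds and that `openssl x509 -in user.pem -noout -subject` shows the expected `CN=` value, since that CN is exactly the string ocserv will hand to the rest of its configuration as the username.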
Something else: I provisioned the same certificate in my YubiKey PIV and in a TPM-based virtual smartcard, but neither works with the AnyConnect client. A certificate in the user certificate store is fine.

[Screenshot: AnyConnect client refused to use smartcard]