https://community.checkpoint.com/t5/SASE-and-Remote-Access/Machine-Authentication-Pre-Windows-Login-Certificate-Issue-on/m-p/198421#M4378 <P>Hi, my machine cert is in the personal store, intermediate in the intermediate and the root in the root. The Management server has also got both the Intermediate and the root certs installed. This is because the machine cert is signed by the intermediate as is the server cert configured on the gateway</P><P>&nbsp;</P><P>Thanks for the link you shared, however I am using R80.40 on the gateway.</P> Mon, 20 Nov 2023 19:35:23 GMT AshleyM 2023-11-20T19:35:23Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Machine-Authentication-Pre-Windows-Login-Certificate-Issue-on/m-p/198181#M4376 <P>Hello CheckMates Community,</P><P>I'm reaching out for some insights regarding a challenge I'm facing with the Check Point Remote Access VPN. Although the initial setup and machine authentication seem to be working fine, I'm encountering a specific issue at the pre-Windows login phase: the authentication certificate required for login isn't showing up.</P><P><STRONG>Brief Overview of the Issue:</STRONG></P><UL><LI>Successfully set up the Check Point Remote Access VPN and machine authentication. VPN authenticates with machine cert and SAML once logged into windows.</LI><LI>The problem occurs at the pre-Windows login stage, where no certificate appears for authentication. SDL is enabled for this, so the VPN client is available at pre-windows login.</LI></UL><P><STRONG>Troubleshooting Attempts:</STRONG></P><UL><LI>Checked the certificate's installation in the Windows certificate store.</LI><LI>Configured the VPN client settings to align with certificate requirements.</LI><LI>Investigated potential group policy restrictions impacting certificate usage.</LI><LI>Updated the VPN client and related drivers.</LI></UL><P>Despite these steps, the issue remains unresolved. I'm hoping someone in the community might have encountered a similar situation or could offer some advice. Any suggestions or guidance would be greatly appreciated.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="EPS-SDL.jpg" style="width: 600px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/23274iDC3A2FB6DEE2BA09/image-size/large?v=v2&amp;px=999" role="button" title="EPS-SDL.jpg" alt="EPS-SDL.jpg" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Here is some system information:</P><P>Host OS = Windows 10</P><P>Firewall version = R80.40 (with latest HF)</P><P>Here are some guides I've followed:</P><P><A href="https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN-for-Win/Configuration-Examples-for-Machine-and-User-Authentication.htm" target="_blank" rel="noopener">https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN-for-Win/Configuration-Examples-for-Machine-and-User-Authentication.htm</A></P><P><A href="https://community.checkpoint.com/t5/Remote-Access-VPN/Secure-Domain-Logon-with-certificate-based-authentication/m-p/173422#" target="_blank" rel="noopener">Solved: Re: Secure Domain Logon with certificate based aut... - Check Point CheckMates</A></P><P><A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_RemoteAccessVPN_AdminGuide/Topics-VPNRG/Machine-Certificate.htm" target="_blank" rel="noopener">https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_RemoteAccessVPN_AdminGuide/Topics-VPNRG/Machine-Certificate.htm</A></P><P>Looking forward to your responses and thank you in advance for your help!</P> Sat, 18 Nov 2023 14:45:17 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Machine-Authentication-Pre-Windows-Login-Certificate-Issue-on/m-p/198181#M4376 AshleyM 2023-11-18T14:45:17Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Machine-Authentication-Pre-Windows-Login-Certificate-Issue-on/m-p/198405#M4377 <P>Where is the certificate stored in this case?<BR />See also:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk121173" target="_blank">https://support.checkpoint.com/results/sk/sk121173</A>&nbsp;</P> Mon, 20 Nov 2023 16:24:13 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Machine-Authentication-Pre-Windows-Login-Certificate-Issue-on/m-p/198405#M4377 PhoneBoy 2023-11-20T16:24:13Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Machine-Authentication-Pre-Windows-Login-Certificate-Issue-on/m-p/198421#M4378 <P>Hi, my machine cert is in the personal store, intermediate in the intermediate and the root in the root. The Management server has also got both the Intermediate and the root certs installed. This is because the machine cert is signed by the intermediate as is the server cert configured on the gateway</P><P>&nbsp;</P><P>Thanks for the link you shared, however I am using R80.40 on the gateway.</P> Mon, 20 Nov 2023 19:35:23 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Machine-Authentication-Pre-Windows-Login-Certificate-Issue-on/m-p/198421#M4378 AshleyM 2023-11-20T19:35:23Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Machine-Authentication-Pre-Windows-Login-Certificate-Issue-on/m-p/198432#M4379 <P>You're trying to use a CAPI certificate for SDL.<BR />This is not supported and is noted as such in the product documentation:&nbsp;<A href="https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN-for-Win/SDL-for-SmartConsole-Managed-Clients.htm" target="_blank">https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN-for-Win/SDL-for-SmartConsole-Managed-Clients.htm</A></P> Mon, 20 Nov 2023 22:05:22 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Machine-Authentication-Pre-Windows-Login-Certificate-Issue-on/m-p/198432#M4379 PhoneBoy 2023-11-20T22:05:22Z