https://community.checkpoint.com/t5/SASE-and-Remote-Access/Secure-Domain-Logon-with-certificate-based-authentication/m-p/173425#M5418 <P>Ouch, I missed this. Thanks a lot!</P> Thu, 02 Mar 2023 20:42:50 GMT Kilian_Huber 2023-03-02T20:42:50Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Secure-Domain-Logon-with-certificate-based-authentication/m-p/173365#M5411 <P>Hi CheckMates,</P><P>when trying to use Secure Domain Logon with certificate based authentication (E86.26 client), the Secure Domain Logon dialogue does not offer any certificate to be chosen as shown in the screenshot below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="EPS-SDL.jpg" style="width: 600px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/19891i813725557E415543/image-size/large?v=v2&amp;px=999" role="button" title="EPS-SDL.jpg" alt="EPS-SDL.jpg" /></span></P><P>The user certificate store contains a certificate for the user which should be authenticated and the computer certificate store contains a machine certificate.</P><P>When skipping SDL and logging in with cached credentials, and then manually establishing a VPN connection, the user's certificate is correctly fetched via CAPI and certificate authentication is successful.</P><P>Any idea on how to troubleshoot why no certificate is available in the SDL authentication dialogue?</P><P>Thanks!</P> Thu, 02 Mar 2023 13:35:09 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Secure-Domain-Logon-with-certificate-based-authentication/m-p/173365#M5411 Kilian_Huber 2023-03-02T13:35:09Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Secure-Domain-Logon-with-certificate-based-authentication/m-p/173368#M5412 <P>Is this an EPS client with TP blades ? sk146712</P> Thu, 02 Mar 2023 13:47:21 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Secure-Domain-Logon-with-certificate-based-authentication/m-p/173368#M5412 G_W_Albrecht 2023-03-02T13:47:21Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Secure-Domain-Logon-with-certificate-based-authentication/m-p/173369#M5413 <P>It is an Endpoint Security Client, yes, but the FDE blade is not installed.</P> Thu, 02 Mar 2023 13:52:07 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Secure-Domain-Logon-with-certificate-based-authentication/m-p/173369#M5413 Kilian_Huber 2023-03-02T13:52:07Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Secure-Domain-Logon-with-certificate-based-authentication/m-p/173370#M5414 <P>I don’t believe SDL is necessary for this.<BR />See:&nbsp;<A href="https://community.checkpoint.com/t5/Remote-Access-VPN/How-to-Have-Remote-Access-VPN-Tunnel-Before-User-is-Logged-In/m-p/173047" target="_blank">https://community.checkpoint.com/t5/Remote-Access-VPN/How-to-Have-Remote-Access-VPN-Tunnel-Before-User-is-Logged-In/m-p/173047</A></P> Thu, 02 Mar 2023 13:55:35 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Secure-Domain-Logon-with-certificate-based-authentication/m-p/173370#M5414 PhoneBoy 2023-03-02T13:55:35Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Secure-Domain-Logon-with-certificate-based-authentication/m-p/173377#M5415 <P>So i would suggest TAC...</P> Thu, 02 Mar 2023 14:36:08 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Secure-Domain-Logon-with-certificate-based-authentication/m-p/173377#M5415 G_W_Albrecht 2023-03-02T14:36:08Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Secure-Domain-Logon-with-certificate-based-authentication/m-p/173378#M5416 <P>The machine certificate was just a test to see if I could select this certificate from the drop down list on the SDL window since I don't see the user certificate either. I do not actually want to use machine based authentication; all endpoints already have a user certificates rolled out and this should be used for authentication. IMHO this should be working since the user authenticates to Windows before the SDL window appears, therefore the personal certificate store should be accessible.</P> Thu, 02 Mar 2023 14:44:02 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Secure-Domain-Logon-with-certificate-based-authentication/m-p/173378#M5416 Kilian_Huber 2023-03-02T14:44:02Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Secure-Domain-Logon-with-certificate-based-authentication/m-p/173422#M5417 <P>CAPI certificates cannot be used for SDL.<BR />This is in the documentation:&nbsp;<A href="https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN-for-Win/SDL-for-SmartConsole-Managed-Clients.htm" target="_blank">https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN-for-Win/SDL-for-SmartConsole-Managed-Clients.htm</A>&nbsp;</P> Thu, 02 Mar 2023 20:30:00 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Secure-Domain-Logon-with-certificate-based-authentication/m-p/173422#M5417 PhoneBoy 2023-03-02T20:30:00Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Secure-Domain-Logon-with-certificate-based-authentication/m-p/173425#M5418 <P>Ouch, I missed this. Thanks a lot!</P> Thu, 02 Mar 2023 20:42:50 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Secure-Domain-Logon-with-certificate-based-authentication/m-p/173425#M5418 Kilian_Huber 2023-03-02T20:42:50Z