All posts by Don Matteo

Lives in Switzerland and is a System Engineer MCP at A-Enterprise GmbH. Member of the UNBLOG Knowledge Network. Author and blogger writing tutorials on Linux and open source.

Issue using FortiClient on Windows 11

FortiClient on Windows 11 shows the warning: Credential or SSLVPN configuration is wrong. (-7200)


FortiClient SSL-VPN connects successfully on Windows 10 but not on Windows 11. An article posted by Fortinet staff in the Fortinet Community describes a potential cause for why SSL-VPN connections may fail on Windows 11 yet work correctly on Windows 10.

SSL-VPN tunnel-mode connections via FortiClient fail at 48% on Windows 11 with the warning: Credential or SSLVPN configuration is wrong (-7200). The same tunnel-mode connections worked fine on Windows 10.

Users are unable to authenticate if they are in a User Group that is configured in an SSL-VPN Authentication/Portal Mapping (known as authentication-rule in the CLI), but they can successfully authenticate when using the All Other Users/Groups catch-all authentication rule.

Windows 11 uses TLS 1.3 by default for outbound TLS connections, whereas Windows 10 appears to use TLS 1.2 by default.

The cipher setting is set to high by default. This setting restricts the acceptable key strength of the encryption cipher being used to ≥ 168 bits.

If TLS-AES-256-GCM-SHA384 is removed from the list, Windows 11/FortiClient will still be able to establish a TLS 1.3 connection using one of the alternative TLS Cipher Suites available.

Windows 11 may be unable to connect to the SSL-VPN if the ciphersuite setting on the FortiGate has been modified to remove TLS-AES-256-GCM-SHA384, and an SSL-VPN authentication-rule has been created for a given User Group that has the cipher setting set to high (which it is by default).

To solve the issue, run the following commands in the FortiGate CLI. First, show the current SSL-VPN settings used on the FortiGate appliance:

show vpn ssl settings

Then use unset to reset the ciphersuite setting to its default, so that it matches what Windows 11 expects:

config vpn ssl settings
  unset ciphersuite
end

Or add the missing cipher suite with the append command:

config vpn ssl settings
  append ciphersuite TLS-AES-256-GCM-SHA384
end

Note: see Microsoft Learn for the TLS Cipher Suites in Windows 11.

Outlook problem with proxy server security certificate

Microsoft Outlook users report that after cumulative update 21H2 for Windows 10, or after upgrading to Windows 11, some versions of Outlook, including Outlook for Microsoft 365, can no longer connect to the Exchange Server on startup, and an error message states that Outlook cannot connect to the proxy server. This article describes the cause and shows a workaround for the problem.

Outlook users receive the following certificate error message with an error code:

There is a problem with the proxy server’s security certificate.

Outlook is unable to connect to the proxy server. (Error Code: 80000000).

Cause

TLS 1.0 (Transport Layer Security), the encryption protocol used to encrypt the connection, has been disabled and removed on the local computer by the Windows 10 update or by the upgrade to Windows 11.

Solution

Enable TLS 1.0 on the local Windows 10 or Windows 11 computer. To do this, run the following commands in a command prompt opened as administrator to add the registry values:

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /v "DefaultSecureProtocols" /t REG_DWORD /d "128" /f
REG ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /v "DefaultSecureProtocols" /t REG_DWORD /d "128" /f

This is more of a workaround than a solution and is not recommended as a final fix, because TLS 1.0 has been discontinued and should no longer be used. However, if one needs an immediate solution to the problem described above, TLS 1.0 can be enabled via the registry on the local Windows 11 or Windows 10 computer.
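To find machines where this workaround is still in place, the following added example (not part of the original post) parses `reg query` output for the two keys above and decodes the DefaultSecureProtocols bitmask. The sample output is constructed, the function names are hypothetical, and the flag values are the ones Microsoft documents for WinHTTP (0x80 = TLS 1.0, 0x200 = TLS 1.1, 0x800 = TLS 1.2).

```python
import re

# DefaultSecureProtocols bit flags as documented by Microsoft for WinHTTP.
FLAGS = {0x008: "SSL 2.0", 0x020: "SSL 3.0", 0x080: "TLS 1.0",
         0x200: "TLS 1.1", 0x800: "TLS 1.2"}
LEGACY = {"SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1"}

# Constructed sample of `reg query` output for the two keys written by the
# REG ADD commands above (not captured from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
    DefaultSecureProtocols    REG_DWORD    0x80

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
    DefaultSecureProtocols    REG_DWORD    0xa00
"""

VALUE_RE = re.compile(r"\s+DefaultSecureProtocols\s+REG_DWORD\s+(0x[0-9a-fA-F]+)")

def decode(mask):
    """Return the protocol names whose bits are set in the DWORD."""
    return [name for bit, name in sorted(FLAGS.items()) if mask & bit]

def parse_reg_query(text):
    """Map each registry key in `reg query` output to its DWORD value."""
    values, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        match = VALUE_RE.match(line)
        if match and key:
            values[key] = int(match.group(1), 16)
    return values

def audit(text):
    """Return (key, enabled protocols, findings) for every key found."""
    values = parse_reg_query(text)
    report = []
    for key, mask in values.items():
        enabled = decode(mask)
        findings = [f"legacy protocol enabled: {p}" for p in enabled if p in LEGACY]
        if "TLS 1.2" not in enabled:
            findings.append("TLS 1.2 not enabled")
        report.append((key, enabled, findings))
    if len(set(values.values())) > 1:  # native and Wow6432Node should agree
        report.append(("*", [], ["32-bit and 64-bit views differ"]))
    return report

if __name__ == "__main__":
    for key, enabled, findings in audit(SAMPLE):
        print(key, enabled, findings, sep="\n  ")
```

The value 128 written by the REG ADD commands is 0x80, so it shows up here as TLS 1.0 with TLS 1.2 not enabled.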