The default configuration for Yubikey is to support the CCID (Smart Card) interface. This does not play well with Cisco's AnyConnect VPN if you plan on connecting using a certificate on Windows.
When the CCID interface is enabled on the Yubikey, AnyConnect will produce a generic "The client agent has encountered an error" message when you try to use the certificate.
You will find entries like these in the Windows Event Viewer:
Date : 09/01/2020
Time : 16:53:36
Type : Error
Source : acvpndownloader
Description : Function: CCertificateInfoTlv::Assign
File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\vpn\common\tlv\certificateinfotlv.cpp
Line: 87
Invoked Function: CCertificateInfoTlv::Serialize
Return Code: -21889013 (0xFEB2000B)
Description: CERTIFICATEINFO_ERROR_NO_DATA:No certificate data was found

Date : 09/01/2020
Time : 14:39:02
Type : Error
Source : acvpnui
Description : Function: CSmartcardContext::initializeCard
File: c:\temp\build\thehoff\negasonic_mr20.884170368426\negasonic_mr2\vpn\commoncrypt\certificates\capismartcardutils.cpp
Line: 1155
Invoked Function: CSmartcardContext::acquireCryptProvForSmartcard
Return Code: -31457269 (0xFE20000B)
Description: CERTSTORE_ERROR_PROVIDER_ERROR
while processing smart card Yubico Yubikey 4 OTP+U2F+CCID 0
AnyConnect is looking for the certificate, but while the Yubikey is inserted it only checks the Yubikey's CCID (Smart Card) interface for it, so it never finds the certificate you actually intended to use.
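To confirm from PowerShell that this is what is happening on a given machine, the following script is an added example and is not part of the original post. It searches the Application log for the two error descriptions shown above and reports whether a Yubico device and a smart card reader are currently present. It assumes the events are written to the Application log under the providers shown as "Source" above (acvpnui and acvpndownloader) and that the Yubikey enumerates with Yubico's USB vendor ID 0x1050.

```powershell
# Added example, not from the original post.
# Finds the AnyConnect smart-card errors quoted above in the Application log and
# reports whether a Yubico device / smart card reader is attached right now.
# Assumptions: the events use the providers acvpnui and acvpndownloader and land
# in the Application log; Yubico's USB vendor ID is 0x1050.

function Get-AnyConnectSmartCardErrors {
    param([int]$Days = 7)

    $signatures = 'CERTSTORE_ERROR_PROVIDER_ERROR', 'CERTIFICATEINFO_ERROR_NO_DATA'

    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'acvpnui', 'acvpndownloader'
        Level        = 2                          # Error
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_
        foreach ($sig in $signatures) {
            if ($evt.Message -match $sig) {
                # Pull out the reader name AnyConnect was probing, if the message names one
                $reader = ''
                if ($evt.Message -match 'processing smart card ([^\r\n]+)') { $reader = $Matches[1].Trim() }
                [pscustomobject]@{
                    TimeCreated = $evt.TimeCreated
                    Source      = $evt.ProviderName
                    Signature   = $sig
                    Reader      = $reader
                }
            }
        }
    }
}

function Get-AttachedYubikeyState {
    # Any currently present USB device with Yubico's vendor ID (0x1050)
    $yubi = Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USB\VID_1050*' }
    # Smart card readers present right now; with CCID enabled the Yubikey appears here
    $readers = Get-PnpDevice -PresentOnly -Class SmartCardReader -ErrorAction SilentlyContinue
    [pscustomobject]@{
        YubikeyAttached  = [bool]$yubi
        SmartCardReaders = @($readers | ForEach-Object FriendlyName)
    }
}

$hits  = @(Get-AnyConnectSmartCardErrors)
$state = Get-AttachedYubikeyState

$hits | Format-Table -AutoSize
$state

if ($hits.Count -gt 0 -and $state.YubikeyAttached -and $state.SmartCardReaders.Count -gt 0) {
    Write-Host 'AnyConnect is probing the Yubikey CCID reader for the certificate.'
    Write-Host 'Unplug the Yubikey before connecting, or disable its CCID interface.'
}
```

Run it in a normal (non-elevated) PowerShell session; reading the Application log and listing Plug and Play devices does not require administrator rights. If the error rows show a Reader value matching the Yubikey and the device is attached, you are hitting exactly the case described in this post.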
To solve this, either:
- make sure the Yubikey is not connected when initializing the VPN, or
- disable the CCID interface on the Yubikey
This is only an option if you don't actually need the CCID (Smart Card) functionality on the Yubikey.
- Download and install the Yubikey Manager
- Open Yubikey Manager
- Click Interfaces
- Uncheck CCID (Smart Card)
- Click Save Interfaces
- Remove and reinsert Yubikey
Or disable it in Windows device manager: