Fixing a Check Point VPN error. One method to resolve the dreaded…

At work we use the woeful Check Point Endpoint Security to connect to the corporate VPN. Our setup uses a smartcard for authentication. The smartcard has crypto certificates stored on it or something (you can tell I’m not a crypto guy).

After a mysterious event in which my certs were revoked, I was forced to create a set of new ones. That’s when the VPN problems started. Every time I tried to connect with the Check Point client, it failed with this error:

Connection Failed: Access denied — wrong user name or password

No VPN for me.

It seemed as if my old cert was cached somewhere, and the VPN client was still using it to connect. But because the cert had been revoked, the server was rejecting it.

I’ll spare you the details of just how long I spent fighting this. I reinstalled Check Point about a million times, and deleted every old cert I could find from certmgr.msc. I removed the old (revoked) certs from my smartcard. Nothing helped. The Check Point support site was useless, and a bunch of their content is behind a support-plan paywall anyway.

What finally led me to the answer was trying to connect from a different computer. It worked! Then I discovered that it also worked if I just created a new Windows account on my own laptop and connected as that user. So the problem was with my local user account.

Finally I exported the new user’s entire registry settings to a text file and dug through it for any crypto-related differences. That turned up a few registry keys, which I used to “reset” my normal account to a working state.

Here’s the procedure I used. Remember to back up your registry before attempting it.

  1. Create a new local user account and log in.
  2. Open regedit.exe.
  3. Export the following registry keys as .reg files. Save them somewhere accessible to your normal account, like C:\.
    HKEY_CURRENT_USER\Software\Microsoft\Cryptography
    HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates
  4. Log out and log in under your normal account.
  5. Open regedit.exe.
  6. Delete the two keys mentioned above.
  7. Import the two .reg files you saved earlier. You’ve now reset those keys to a clean state.
  8. Connect with the Check Point VPN client. It should work.
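The same procedure as a PowerShell script, added here as an example (it is not from the original post and not a Check Point tool). It has two modes: run it with `-Mode Export` from the fresh account to produce the two .reg files (step 3), then with `-Mode Reset` from your normal account to back up the current keys, delete them and import the clean copies (steps 6 and 7). Before touching anything it lists the certificates in the account’s personal store with the result of an online revocation check, which is the quickest way to confirm a revoked cert is still hanging around. The export directory name is an assumption; `reg.exe` accepts `HKCU` as shorthand for `HKEY_CURRENT_USER`. One caveat worth knowing: `HKCU\Software\Microsoft\SystemCertificates` is the user’s whole certificate store, so deleting it also drops any certificates the user imported themselves; the backup the script writes is what brings those back if you need them.

```powershell
# Added example (not from the original post). Both keys live under HKCU,
# so no elevation is needed. Assumptions: $ExportDir is where the clean
# account's .reg files are written and later read from; reg.exe is on PATH.
param(
    [Parameter(Mandatory)][ValidateSet('Export', 'Reset')][string]$Mode,
    [string]$ExportDir = 'C:\clean-crypto-keys',   # assumed location, as in the post's "like C:\"
    [string]$BackupDir = "$env:USERPROFILE\crypto-reg-backup-$(Get-Date -Format yyyyMMdd-HHmmss)"
)

# The two keys the post identifies (reg.exe understands the HKCU short form).
$keys = @(
    'HKCU\Software\Microsoft\Cryptography',
    'HKCU\Software\Microsoft\SystemCertificates'
)

function Get-RegFilePath([string]$Dir, [string]$Key) {
    Join-Path $Dir ((($Key -split '\\')[-1]) + '.reg')   # e.g. ...\Cryptography.reg
}

# --- Diagnostic: what is in this account's personal store, and is any of it revoked? ---
Write-Host "Personal certificates for $env:USERNAME (chain built with online revocation checking):"
foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $null = $chain.Build($cert)
    # An empty ChainStatus means the chain is valid; otherwise list the problems (e.g. Revoked).
    $status = if ($chain.ChainStatus.Count -eq 0) { 'OK' } else { ($chain.ChainStatus.Status -join ',') }
    '{0,-45} expires {1:yyyy-MM-dd}  {2}' -f $cert.Subject, $cert.NotAfter, $status
}

switch ($Mode) {
    'Export' {
        # Step 3: run from the freshly created account; save clean copies of both keys.
        New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
        foreach ($k in $keys) {
            $file = Get-RegFilePath $ExportDir $k
            & reg.exe export $k $file /y
            if ($LASTEXITCODE -ne 0) { throw "Export of $k failed." }
            Write-Host "Exported $k -> $file"
        }
    }
    'Reset' {
        # Run from the normal (broken) account. First the backup the post insists on:
        # exporting the current keys gives a one-command rollback (reg.exe import <file>).
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        foreach ($k in $keys) {
            $file = Get-RegFilePath $BackupDir $k
            & reg.exe export $k $file /y
            if ($LASTEXITCODE -ne 0) { throw "Backup of $k failed; aborting before any deletion." }
        }
        # Make sure both clean files exist before deleting anything.
        foreach ($k in $keys) {
            $clean = Get-RegFilePath $ExportDir $k
            if (-not (Test-Path $clean)) { throw "Missing $clean; run with -Mode Export from the clean account first." }
        }
        # Steps 6 and 7: delete each key (with all subkeys), then import the clean copy.
        foreach ($k in $keys) {
            & reg.exe delete $k /f
            if ($LASTEXITCODE -ne 0) { Write-Warning "reg.exe could not fully delete $k; continuing with import." }
            & reg.exe import (Get-RegFilePath $ExportDir $k)
            if ($LASTEXITCODE -ne 0) { throw "Import for $k failed; restore from $BackupDir." }
        }
        Write-Host "Keys reset. Old copies are in $BackupDir. Retry the Check Point client (step 8)."
    }
}
```

Run the certificate listing part on its own first if you only want to confirm the diagnosis: a line ending in `Revoked` for a cert you thought you had removed is exactly the symptom the post describes. If the reset makes things worse, `reg.exe import` of the files in the backup directory puts both keys back as they were.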

(Note: some of this might be redundant. I think you could get away with just deleting the “Cryptography” key and calling it a day, but I’m including everything for completeness.)
