Device fingerprint with AnyConnect embedded browser

Applies to:
  • SecureAuth Identity Platform
  • Legacy SecureAuth IdP
Deployment model:
  • Cloud
  • Hybrid
  • On Premises
Version Affected: All Versions


    Description
    If you are experiencing device fingerprint failures when authenticating through the Cisco AnyConnect embedded browser, this article explains the cause and provides steps to resolve it.

    Symptoms

    • Device fingerprint is not being created during AnyConnect authentication
    • Authentication fails or MFA does not complete as expected when using the AnyConnect embedded browser


    Cause
    This issue occurs when the Public/Private Mode setting on the Workflow tab is changed from "Public mode only" or "Public and Private modes" to "Private mode only" while the AnyConnect embedded browser still retains a SecureAuthLogin<realmID>=PUBLIC cookie from a prior session.

    Device fingerprinting is only supported in Private mode. The residual PUBLIC cookie prevents the correct fingerprint from being generated.
     

    Resolution
    Clear the embedded browser's cookie store by renaming the EBWebView profile folder, then re-authenticate to establish a valid PRIVATE session cookie.

    1. Close Cisco AnyConnect completely.
    2. Navigate to the following path, replacing <your_username> with your Windows username:
     
       C:\Users\<your_username>\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client\EBWebView
    3. Rename the EBWebView folder (for example, append _OLD to the folder name).
    4. Relaunch AnyConnect and sign in. The embedded browser will recreate the folder and write a new SecureAuthLogin<realmID>=PRIVATE cookie, restoring fingerprint functionality.
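
    The folder rename above can be scripted for the signed-in Windows user. The following PowerShell is an added example, not SecureAuth or Cisco code; it assumes `vpnui` is the AnyConnect client UI process name and adds a timestamp to the `_OLD` suffix so repeated runs do not collide.

```powershell
# Added example: renames the EBWebView profile folder for the current user.
# Assumption: 'vpnui' is the AnyConnect client UI process name; adjust if yours differs.
$ErrorActionPreference = 'Stop'

# %LOCALAPPDATA% resolves to C:\Users\<your_username>\AppData\Local
$clientDir  = Join-Path $env:LOCALAPPDATA 'Cisco\Cisco AnyConnect Secure Mobility Client'
$profileDir = Join-Path $clientDir 'EBWebView'

if (-not (Test-Path -LiteralPath $profileDir -PathType Container)) {
    Write-Output "No EBWebView folder at $profileDir; nothing to rename."
    return
}

# AnyConnect must be closed completely, so refuse to continue while the client is open.
$running = Get-Process -Name 'vpnui' -ErrorAction SilentlyContinue
if ($running) {
    throw 'Cisco AnyConnect is still running. Close it completely and run this again.'
}

# Rename rather than delete so the old profile (saved passwords, cookies) can be restored.
# The timestamp avoids a name collision if an earlier EBWebView_OLD folder exists.
$newName = 'EBWebView_OLD_{0}' -f (Get-Date -Format 'yyyyMMdd-HHmmss')
try {
    Rename-Item -LiteralPath $profileDir -NewName $newName
} catch {
    throw "Rename failed (a process may still hold the folder open): $($_.Exception.Message)"
}

Write-Output "Renamed to $(Join-Path $clientDir $newName)"
Write-Output 'Relaunch AnyConnect and sign in to recreate the folder.'
```

    Run it in the affected user's own session, since the path is resolved from that user's profile.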

     

    Special Considerations  
    Renaming the EBWebView folder clears all data stored by the embedded browser, including:

    • Saved passwords
    • Cached permissions
    • All browser cookies

    Ensure end users are aware of this before proceeding, particularly in environments where browser-stored credentials are relied upon.

     

    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
