Setting up User Certificate based authentication

Question

Hi,I'm trying to set up certificate based authentication for both devices and users.&nbsp; I am going through third party for CA and was able to setup the connection between the CA and Intune and Entra ID.&nbsp; The device CBA is working and I'm able to sync it with the Company Portal, but the issue I'm having is with the User CBA.&nbsp; I am able to get the user certificate on the laptop, but when I tried to sign in using CBA, I get the https://office.com/landingV2&nbsp;page with the message:Sorry that didn't work&nbsp;In the log, I get a Sign-in error code: 65002&nbsp;&nbsp;Not sure why I'm getting that error as this is a new app registration I created for this.&nbsp;When I tried to recreate the whole setup again, I get the follwoing error when I tried to login:AADSTS50017CertificateValidationFailed - Certification validation failed, reasons for the following reasons:Cannot find issuing certificate in trusted certificates listUnable to find expected CrlSegmentCannot find issuing certificate in trusted certificates listDelta CRL distribution point is configured without a corresponding CRL distribution pointUnable to retrieve valid CRL segments because of a timeout issueUnable to download CRL&nbsp;I'm not sure how or where to resolve this.

billclarksonantill · Answer

Suolon Hu&nbsp;Have you setup a Certificate Revocation List and published it out so your workstations can find it?From memory theres permissions you need to setup on the server to auth the CRL outBut check out this page for all the settings and configure for one&nbsp;https://techcommunity.microsoft.com/t5/skype-for-business-blog/updated-creating-a-certificate-revocation-list-distribution/ba-p/620691

suolon hu · Answer

Hi Bill, we are not hosting our own CRL server, we're using Digicert, so I don't think that link applies?

Forum Discussion

Setting up User Certificate based authentication

Resources