Forum Discussion
Conditional Access using certificate from Internal PKI
Ru we have this working. You have to use a user certificate that the user cannot export and not a machine certificate. Another thing to watch for is the user experience through different browers. the browser will prompt for a certificate (except Firefox which will just block). Put the MCAS redirect url in trusted sites and ensure browser settings do not prompt for a certificate.
Also, “do not prompt for a cert”..Is this that setting that (more or less) says if there’s only one client cert go ahead and use it? And I’m assuming this is in the trusted sites zone settings?
This is all working perfectly on macOS, but I can’t get it to ask for a cert on Win10. My Win10 devices with certs are going directly to the CAS proxy in the browser.
Schebby The redirect is the path appended by MCAS reverse proxy. So dependent on your region (mine is EU) the url looks like this and you can see in the address bar when MCAS adds it when visiting the address under certificate control.
eu.access-control.cas.ms
So you add for example *.eu.access-control.cas.ms to the trusted sites zone. And yes you enable the setting in that zone for "do not prompt for a cert".
Kevin Spreadbury I figured it out (with help from support)! It wasn't trusted sites or AutoSelectCertificateForUrls (on Chrome/Edge (Chromium) side) at all (although I had already set that per your guidance). It was that I didn't have a client cert in the local user cert store. Apparently, (on Win10 at least) the browsers won't look in the local machine cert store for client (identity) certs. I wasn't being prompted because nothing was available for the browsers to show. Once I added a cert to the local user cert store, it immediately started prompting (and working).
Hope this helps others...
Schebby Hi, yes correct hence my comment above it needs to be a user certificate and not a machine certificate. You'll also need to ensure the certificate is not exportable by the user of course.