gd-29
Brass Contributor
Aug 12, 2019

Valid Client Certificate Setup

How do you get a valid client certificate to work?

What I have so far:

1. CA with an intermediate; User Certificate Template cloned for this purpose

2. Issued a cert to my domain desktop and iOS device

3. Enabled a Conditional Access policy for a custom MCAS policy

4. Root and intermediate certs uploaded to MCAS

5. MCAS policy to block if there is no valid client certificate.

The block works; I get the "test block" message. But I can't get the client certificate prompt, or figure out why it won't prompt for a certificate.

My end goal is to test the valid client certificate option against a few third-party iOS apps where the device certificate/standard device compliance checkbox doesn't work in Conditional Access.

25 Replies

    BcoyneSS
    Copper Contributor
    Will this work with a public certificate from someone like GoDaddy or Entrust, or do I have to use an internal or managed PKI solution like SecureW2? My Mac devices are not domain joined in any way, so my understanding is that internal would not work.
      gd-29
      Brass Contributor
      Yes, I'm using an internal CA.
      The problem with an internal CA is revocation, unless you publish your CRL to the internet. If you had to revoke without a published CRL, you would have to pull the root cert and remove access for everyone.
      rajatm
      Copper Contributor

      rodrigobe, are you importing the cert on the client into the current user's personal store? That's where the cert needs to be on the machine, and it also needs to have a private key. Once you have configured a session/access policy to check for a valid client cert, you should be prompted to select one from this store when you browse to the app you configured in the policy.

        rodrigobe
        Copper Contributor
        Thank you for your reply!
        I was trying to use a certificate in the local machine store, not in the current user's. Now I've changed the CA certificate to the one that I have in my current user store, and it's working!

        Thanks again.
      gd-29
      Brass Contributor

      rodrigobe, I was only able to get this to work with one method. I think it was from an iOS mobile device.

      I could not get this to prompt on a Windows machine.

    gd-29
    Brass Contributor

    Tried to replace my individual root/intermediate certificates with a single chained file. No luck so far.

    Is anyone using the valid client certificate option in MCAS?

      jzimmerman
      Copper Contributor

      I have the exact same issue. No combination of policy, certificates or settings seems to work.

      We can successfully block access, but cannot get an MCAS Access policy to actually request a certificate from a client browser.

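The thread turns on three things: the setup steps in the original post (an internal CA with a root and intermediate uploaded to MCAS), rajatm's point that the certificate must sit in the current user's personal store with its private key, and gd-29's point that an internal CA's CRL has to be published where the relying party can reach it. The script below is an added example, not code from the thread or from Microsoft; it inspects Cert:\CurrentUser\My on a Windows client and reports, per certificate, whether those conditions hold. The $ExpectedRootThumbprint placeholder is an assumption to be replaced with the thumbprint of the root you uploaded; the optional reachability probe only tells you whether the CRL is reachable from the machine running the script, which is not the same as from the cloud service.

```powershell
# Added example, not code from the thread. Lists certificates in the current
# user's personal store and reports, for each one, the properties a "valid
# client certificate" check depends on: a private key, the Client
# Authentication EKU, a chain ending at the expected root, and CRL
# distribution points that are reachable from this machine.
# $ExpectedRootThumbprint is an assumed placeholder; set it to the thumbprint
# of the root certificate you uploaded to MCAS.
param(
    [string]$ExpectedRootThumbprint = 'REPLACE_WITH_ROOT_THUMBPRINT',
    [switch]$CheckCrlReachability
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$CdpOid        = '2.5.29.31'           # CRL Distribution Points extension

function Test-ClientAuthCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $result = [ordered]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        NotAfter      = $Cert.NotAfter
        HasPrivateKey = $Cert.HasPrivateKey
        ClientAuthEku = $false
        RootSubject   = $null
        ChainsToRoot  = $false
        CrlUrls       = @()
        CrlReachable  = @()
    }

    # EKU: the certificate must be usable for TLS client authentication.
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    if ($eku) {
        $result.ClientAuthEku = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
    }

    # Chain: build it locally (revocation is skipped here and probed separately
    # below) and compare the last element, the root, with the expected thumbprint.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($Cert)
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $result.RootSubject  = $root.Subject
        $result.ChainsToRoot = ($root.Thumbprint -eq $ExpectedRootThumbprint)
    }

    # CRL distribution points: an internal CA's CRL has to be reachable from
    # wherever revocation is evaluated; for a cloud relying party that means
    # the public internet, so an LDAP-only or intranet-only CDP is a red flag.
    $cdp = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $CdpOid } | Select-Object -First 1
    if ($cdp) {
        $result.CrlUrls = @([regex]::Matches($cdp.Format($true), '(https?|ldap)://\S+') | ForEach-Object { $_.Value })
        if ($CheckCrlReachability) {
            $result.CrlReachable = @(
                foreach ($url in $result.CrlUrls) {
                    if ($url -notmatch '^https?://') { "$url : skipped (not HTTP)"; continue }
                    try {
                        $resp = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -TimeoutSec 10
                        "$url : HTTP $($resp.StatusCode)"
                    } catch {
                        "$url : unreachable ($($_.Exception.Message))"
                    }
                }
            )
        }
    }

    [pscustomobject]$result
}

# Only CurrentUser\My is inspected: a certificate in LocalMachine\My is not
# offered in the logged-on user's browser prompt, which is the mistake
# described in the thread.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-ClientAuthCertificate -Cert $_ } |
    Format-List
```

Run it as the user who will be prompted (for example `.\Test-ClientCert.ps1 -ExpectedRootThumbprint <root thumbprint> -CheckCrlReachability`). A certificate with `HasPrivateKey` false, `ClientAuthEku` false, or `ChainsToRoot` false will never be selected for the prompt, whatever the MCAS policy says; a CDP that resolves only on the corporate network is the revocation problem gd-29 describes.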