gd-29
Aug 12, 2019
Brass Contributor
Valid Client Certificate Setup
How do you get valid client certificate to work? What I have so far.
1. CA with Intermediate, User Certificate Template cloned for this purpose
2. Issued a cert to my domain desktop and iOS devi...
rajatm
Apr 21, 2020
Former Employee
I just tested with IE11 and it works as expected. I did not have to add the cert to IE, just import to user's personal store. Latest versions of Edge and Chrome work too. After trying everything above, I can only suspect an issue with the root/intermediate certs. I am sharing my testing certificates with you in a direct message. If these work for you, then you can be sure that the issue is with certs alone.
ataviste
Apr 21, 2020
Copper Contributor
Hi,
I got it to work!
I had added a session policy in MCAS (which is supposed to be for browser clients). I replaced that with an access policy (see screenshot), and now things work as expected on Firefox on Linux and in IE11 on Windows (I got prompted for the cert on IE11 though, even though I'd added the client cert to the user cert store).
Trying on another machine without the client cert blocks access (to MS Exchange) as expected.
Can you confirm your working setup is with an access policy in MCAS?
Thanks for your help.
Antony
- rajatm
  Apr 21, 2020
  Former Employee
  Yes. Cert-based identification works for both session and access policies. The difference is that session policies can only control activities in web-apps/browser sessions while access policies can control overall allow/block for web-apps AND native/desktop apps.
  I have both session and access policies using the same certs and working as expected.
  If you only need to block access to devices without certs, an access policy is the right way to go.