I have the exact same issue. No combination of policy, certificates or settings seems to work.

We can successfully block access, but cannot get an MCAS Access policy to actually request a certificate from a client browser.

@rodrigobe i was only able to get this to work from one method. i think it was from a ios mobile device. 

i could not get this to prompt on a windows machine

@rodrigobe are you importing the cert on the client in the current user's personal store? that's where the cert needs to be on the machine and it also needs to have a private key. Once you have configured a session/access policy to check for a valid client cert, you should be prompted to select one from this store when you browse to app you configured in the policy

Hello,

Sorry to resurrect this thread.

I'm also trying to get a client-certificate based condtional access session policy to work in MCAS.

I can get the browser to prompt for the certificate I issued, but it never accepts it and access is always blocked. I'm sure the issuing CA chain is correct and configured in MCAS, but MCAS just doesn't like any certificate I issue from the CA.

Has anybody managed to get this to work?

Thanks,

Antony

@ataviste did you try just the root CA or a combination of root and intermediate uploaded?

i forgot what was recommended by support when i was trying.

@gd-29 

Hi,

I uploaded the root and intermediate CA as two separate PEM files in MCAS

@ataviste do you have the private key for this cert? and what is the listed usage for this cert?

Hi,

Yes I imported a PFX, and the "You have a private key that corresponds to this certifcate" message is present.

The cert usage is client authentication.

@rajatm 

Hi,

I'd already disabled the CRL checking.

Firefox prompts me for the client cert, it is the correct certifcate. I select it, and shortly afterwards the "access blocked" page is displayed.

I've also tried in IE on Windows, I'm not prompted for a cert (although I did add the PFX to IE) , but again the access blocked page is displated.

@rajatm 

Hi,

I got it to work!

I had added a session policy in MCAS (which is supposed to be for browser clients). I replaced that with an access policy (see screenshot), and now things work as expected on Firefox on Linux and in IE11 on Windows (I got prompted for the cert on IE11 though, even though I'd added the client cert to the user cert store).

Trying on another machine without the client cert blocks access (to MS Exchange) as expected.

Can you confirm your working setup is with an access policy in MCAS?

Thanks for your help.

Antony

Hi @rajatm

I tried it with your certs/CA and they also work with my access policy. Looking at the certs they have the same key usage etc. (but you have no intermediate CA)

I created it initially as a session policy as they are supposed to be for browser clients. Very confusing!

Thanks very much for your help

Antony

Hi@rajatm ,

Should my session policy have worked as well then? I guess something else was not quite right with it.

Thanks,

Antony

@ataviste depends on what you had configured in it. for example, this config for a session policy will block selected activities in the 3rd filter when a user logs on to EXO OWA and the device does not have a valid cert. it will not block overall access.