Forum Discussion
Conditional Access using certificate from Internal PKI
I've tried implementing this with absolutely no success whatsoever. I've put our internal and root certificate in MCAS. Created my conditional access policy. I can see alerts from my policy so I know the conditional access policy is running and the policy is triggered. But it seems MCAS is simply unable to make any certificate comparison so just blocks everything. Certificate or no certificate. There seems little detail on this. Which browsers are supported? Should it prompt when attempting to verify the certificate?
- Kevin Spreadbury, Apr 17, 2020, Brass Contributor
Ru, we have this working. You have to use a user certificate that the user cannot export and not a machine certificate. Another thing to watch for is the user experience through different browsers. The browser will prompt for a certificate (except Firefox, which will just block). Put the MCAS redirect URL in trusted sites and ensure browser settings do not prompt for a certificate.
- Ru, Apr 22, 2020, MVP
Awesome, thanks for the tip.
- Schebby, Apr 24, 2020, Copper Contributor
Can you elaborate on the redirect URL? Is this the site we expect to prompt for a client cert?
Also, "do not prompt for a cert"... Is this that setting that (more or less) says if there's only one client cert go ahead and use it? And I'm assuming this is in the trusted sites zone settings?
This is all working perfectly on macOS, but I can't get it to ask for a cert on Win10. My Win10 devices with certs are going directly to the CAS proxy in the browser.
- Kevin Spreadbury, Apr 24, 2020, Brass Contributor
Schebby, the redirect is the path appended by the MCAS reverse proxy. So, depending on your region (mine is EU), the URL looks like this, and you can see it in the address bar when MCAS adds it while visiting an address under certificate control.
eu.access-control.cas.ms
So you add, for example, *.eu.access-control.cas.ms to the trusted sites zone. And yes, you enable the setting in that zone for "do not prompt for a cert".
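The two Windows-side settings Kevin describes (a Trusted Sites entry for the MCAS reverse-proxy host, plus the zone option that stops the client-certificate prompt when only one certificate exists) can be applied and checked with PowerShell rather than by hand. The script below is an added example, not code from the thread or from Microsoft; it writes the per-user Internet Settings registry values that the Internet Options dialog edits, and optionally the Edge `AutoSelectCertificateForUrls` policy (a real Chromium policy, but not mentioned in the thread). The host `eu.access-control.cas.ms` is the EU example from the thread; the registry layout, the zone id 2 and the zone value name `1A04` are what I know Windows uses, and the function names are my own.

```powershell
# Added example: configure "Trusted sites" + "Don't prompt for client certificate
# selection when only one certificate exists" for the MCAS reverse-proxy host.
# Runs in the current user's context (HKCU); use -IncludeEdgePolicy from an
# elevated shell to also set the machine-wide Edge auto-select policy.

param(
    # MCAS reverse-proxy host for your region (EU shown, as in the thread)
    [string]$ProxyHost = 'eu.access-control.cas.ms',
    [switch]$IncludeEdgePolicy
)

$InetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$TrustedZone  = 2   # zone ids: 1 intranet, 2 trusted sites, 3 internet, 4 restricted

function Get-ZoneMapPath {
    param([string]$HostName)
    # ZoneMap keys are Domains\<registrable domain>\<remaining labels>, so
    # eu.access-control.cas.ms -> Domains\cas.ms\eu.access-control. An entry at
    # that key applies to the host and to everything beneath it (*.eu.access-control.cas.ms).
    $labels = $HostName.Split('.')
    if ($labels.Count -lt 2) { throw "Host name must contain at least one dot: $HostName" }
    $domain = $labels[-2..-1] -join '.'
    $path   = "$InetSettings\ZoneMap\Domains\$domain"
    if ($labels.Count -gt 2) {
        $sub  = $labels[0..($labels.Count - 3)] -join '.'
        $path = "$path\$sub"
    }
    return $path
}

function Add-TrustedSiteEntry {
    param([string]$HostName)
    $path = Get-ZoneMapPath -HostName $HostName
    New-Item -Path $path -Force | Out-Null
    # Value name is the scheme; MCAS only ever redirects over https.
    New-ItemProperty -Path $path -Name 'https' -Value $TrustedZone -PropertyType DWord -Force | Out-Null
}

function Set-NoClientCertPrompt {
    # 1A04 = "Don't prompt for client certificate selection when only one certificate exists".
    # 0 = Enable (no prompt), 3 = Disable (always prompt).
    $zonePath = "$InetSettings\Zones\$TrustedZone"
    New-ItemProperty -Path $zonePath -Name '1A04' -Value 0 -PropertyType DWord -Force | Out-Null
}

function Set-EdgeAutoSelectPolicy {
    param([string]$HostName)
    # Chromium-based Edge does not read the IE zone option for this; the equivalent is the
    # AutoSelectCertificateForUrls policy. An empty filter means "any certificate that
    # matches the CAs the server asked for", which is fine when the user holds one cert.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\AutoSelectCertificateForUrls'
    New-Item -Path $policyPath -Force | Out-Null
    $rule = '{"pattern":"https://[*.]' + $HostName + '","filter":{}}'
    New-ItemProperty -Path $policyPath -Name '1' -Value $rule -PropertyType String -Force | Out-Null
}

function Test-ClientCertPromptConfig {
    # Returns $true when both the zone mapping and the no-prompt option are in place.
    param([string]$HostName)
    $zoneMap = Get-ItemProperty -Path (Get-ZoneMapPath -HostName $HostName) -ErrorAction SilentlyContinue
    $zone    = Get-ItemProperty -Path "$InetSettings\Zones\$TrustedZone" -ErrorAction SilentlyContinue
    return ($null -ne $zoneMap -and $zoneMap.https -eq $TrustedZone) -and
           ($null -ne $zone -and $zone.'1A04' -eq 0)
}

Add-TrustedSiteEntry -HostName $ProxyHost
Set-NoClientCertPrompt
if ($IncludeEdgePolicy) { Set-EdgeAutoSelectPolicy -HostName $ProxyHost }

if (Test-ClientCertPromptConfig -HostName $ProxyHost) {
    Write-Host "Trusted-site entry and no-prompt option are set for $ProxyHost"
} else {
    Write-Warning "Configuration check failed for $ProxyHost; inspect $InetSettings"
}
```

For a fleet you would carry the same values through Group Policy (Site to Zone Assignment List and the Trusted Sites zone template) instead of HKCU writes, but running the script on one Win10 box is a quick way to confirm whether the symptom Schebby saw (devices going straight to the CAS proxy with no certificate prompt) is the browser silently failing certificate selection rather than MCAS itself rejecting the certificate.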