Forum Discussion
Valid Client Certificate Setup
also, just to understand the behavior, you are prompted for the cert and presented a list box, you select one and then does the page fail to load? or does it load but block activities configured in policy as if the cert is not valid?
Hi,
I'd already disabled the CRL checking.
Firefox prompts me for the client cert, it is the correct certificate. I select it, and shortly afterwards the "access blocked" page is displayed.
I've also tried in IE on Windows, I'm not prompted for a cert (although I did add the PFX to IE), but again the access blocked page is displayed.
- rajatm, Apr 21, 2020, Former Employee
yes. cert based identification works for both session and access policies. the difference is that session policies can only control activities in web-apps/browser sessions while access policies can control overall allow/block for web-apps AND native/desktop apps.
i have both session and access policies using the same certs and working as expected.
if you only need to block access to devices without certs, an access policy is the right way to go.
- ataviste, Apr 21, 2020, Copper Contributor
Hi rajatm
I tried it with your certs/CA and they also work with my access policy. Looking at the certs they have the same key usage etc. (but you have no intermediate CA)
I created it initially as a session policy as they are supposed to be for browser clients. Very confusing!
Thanks very much for your help
Antony
- ataviste, Apr 21, 2020, Copper Contributor
Hi,
I got it to work!
I had added a session policy in MCAS (which is supposed to be for browser clients). I replaced that with an access policy (see screenshot), and now things work as expected on Firefox on Linux and in IE11 on Windows (I got prompted for the cert on IE11 though, even though I'd added the client cert to the user cert store).
Trying on another machine without the client cert blocks access (to MS Exchange) as expected.
Can you confirm your working setup is with an access policy in MCAS?
Thanks for your help.
Antony
- rajatm, Apr 21, 2020, Former Employee
i just tested with IE11 and it works as expected. i did not have to add the cert to IE, just import to user's personal store. Latest versions of Edge and Chrome work too. after trying everything above, i can only suspect an issue with the root/intermediate certs. I am sharing my testing certificates with you in a direct message. if these work for you, then you can be sure that the issue is with certs alone.
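Two things come up in this thread: the working test certs had no intermediate CA, and the suspected cause was the root/intermediate certs rather than the policy. The script below is an added example (not from anyone in this thread and not Microsoft's code) that builds a constructed root -> intermediate -> client chain with openssl and checks what a verifier that trusts only the root sees when the intermediate is present versus missing, plus whether the leaf carries the clientAuth EKU. It assumes openssl is on the PATH; all names and subjects are made up.

```shell
#!/bin/sh
# Constructed demo: build a chain root CA -> intermediate CA -> client cert with
# openssl, then show that a verifier trusting only the root rejects the client
# cert unless the intermediate is supplied, and check the clientAuth EKU.
set -e
WORK="$(mktemp -d)"

# Extension profiles (constructed): CA certs need CA:TRUE + keyCertSign,
# the leaf needs the TLS client-authentication EKU.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > "$WORK/leaf.ext"

# Keys and CSRs for all three certificates (subjects are placeholders).
for n in root int client; do
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$n.key" \
    -out "$WORK/$n.csr" -subj "/CN=Demo $n" 2>/dev/null
done

# Root: self-signed. Intermediate: signed by root. Client: signed by intermediate.
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 365 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 365 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/client.pem" 2>/dev/null

# verify_chain ROOT_PEM [INTERMEDIATE_PEM]: exit 0 only if the client cert
# chains to ROOT_PEM and is acceptable for TLS client authentication.
verify_chain() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" -purpose sslclient "$WORK/client.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" -purpose sslclient "$WORK/client.pem" >/dev/null 2>&1
  fi
}

# has_client_auth: exit 0 if the leaf carries the clientAuth EKU.
has_client_auth() {
  openssl x509 -in "$WORK/client.pem" -noout -text 2>/dev/null \
    | grep -q 'TLS Web Client Authentication'
}

if verify_chain "$WORK/root.pem" "$WORK/int.pem"; then
  echo "root + intermediate supplied: client cert verifies"
fi
if ! verify_chain "$WORK/root.pem"; then
  echo "root only, intermediate missing: client cert is rejected"
fi
has_client_auth && echo "leaf has clientAuth EKU"
```

If the second check is the one that matches your setup, the service is only being given the root and the client is not sending (or the service is not configured with) the intermediate.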