Setting up User Certificate based authentication


Hi,

I'm trying to set up certificate based authentication for both devices and users. I am going through a third party for the CA and was able to set up the connection between the CA and Intune and Entra ID. The device CBA is working and I'm able to sync it with the Company Portal, but the issue I'm having is with the user CBA. I am able to get the user certificate on the laptop, but when I tried to sign in using CBA, I get the https://office.com/landingV2 page with the message:
"Sorry that didn't work"

In the log, I get a Sign-in error code: 65002

Not sure why I'm getting that error as this is a new app registration I created for this.

When I tried to recreate the whole setup again, I get the following error when I try to log in:

AADSTS50017CertificateValidationFailed - Certification validation failed, reasons for the following reasons:
  • Cannot find issuing certificate in trusted certificates list
  • Unable to find expected CrlSegment
  • Cannot find issuing certificate in trusted certificates list
  • Delta CRL distribution point is configured without a corresponding CRL distribution point
  • Unable to retrieve valid CRL segments because of a timeout issue
  • Unable to download CRL

I'm not sure how or where to resolve this.
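The AADSTS50017 reasons quoted above correspond to chain-building and CRL-retrieval failures that can be reproduced from the workstation holding the user certificate. The following PowerShell diagnostic is an added example, not code from this thread or from Microsoft: it reads the certificate's AIA, CRL and delta-CRL URLs, builds the chain with online revocation checking, and translates the chain status flags into those reasons; `$CertPath` is a placeholder. Entra ID validates against the CA certificates and CRL URL uploaded to the tenant rather than against the workstation store, so the issuer and CRL URLs printed here are what should be compared with the tenant's certificate authority configuration.

```powershell
# Added diagnostic, not from the thread. $CertPath is a placeholder; point it at the exported user cert.
param([string]$CertPath = 'C:\temp\user-cba.cer')

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
'Subject : {0}' -f $cert.Subject
'Issuer  : {0}' -f $cert.Issuer

# 1. Where does the certificate itself say its issuer and CRLs can be fetched from?
#    AIA = 1.3.6.1.5.5.7.1.1, CRL Distribution Points = 2.5.29.31, Freshest (delta) CRL = 2.5.29.46
$wanted = [ordered]@{
    '1.3.6.1.5.5.7.1.1' = 'Authority Information Access'
    '2.5.29.31'         = 'CRL Distribution Points'
    '2.5.29.46'         = 'Freshest CRL (delta)'
}
foreach ($oid in $wanted.Keys) {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if ($ext) { "{0}:`n{1}" -f $wanted[$oid], $ext.Format($true) }
    else      { '{0}: not present' -f $wanted[$oid] }
}

# 2. Build the chain with online revocation checking so the CRLs are actually downloaded.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode      = 'Online'
$chain.ChainPolicy.RevocationFlag      = 'EntireChain'
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(20)
$built = $chain.Build($cert)

# 3. Translate chain status flags into the reasons listed under AADSTS50017.
$hints = @{
    'PartialChain'            = 'issuing CA not found: the issuing (and root) CA must be in the tenant CA list'
    'UntrustedRoot'           = 'root not trusted locally; the root CA must be uploaded to the tenant as well'
    'OfflineRevocation'       = 'CRL could not be downloaded (URL unreachable or timed out)'
    'RevocationStatusUnknown' = 'no usable CRL found for a chain element'
    'Revoked'                 = 'certificate is revoked'
}
if ($built -and $chain.ChainStatus.Count -eq 0) {
    'Chain built and every CRL retrieved. Compare the URLs above with the CRL URL configured for this CA in Entra ID.'
}
foreach ($status in $chain.ChainStatus) {
    foreach ($flag in ($status.Status.ToString() -split ', ')) {
        $hint = if ($hints.ContainsKey($flag)) { $hints[$flag] } else { $status.StatusInformation.Trim() }
        'Chain issue {0}: {1}' -f $flag, $hint
    }
}
$chain.Dispose()
```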

2 Replies

@Suolon Hu Have you set up a Certificate Revocation List and published it out so your workstations can find it?

From memory there's permissions you need to set up on the server to auth the CRL out.

But check out this page for all the settings and configure for one

https://techcommunity.microsoft.com/t5/skype-for-business-blog/updated-creating-a-certificate-revoca...

Hi Bill, we are not hosting our own CRL server, we're using Digicert, so I don't think that link applies?