Valid Client Certificate Setup


How do you get valid client certificate to work? 

What i have so far. 

1. CA with Intermediate, User Certificate Template cloned for this purpose

2. Issued a cert to my domain desktop and IOS device

3. Enabled a conditional access policy for custom MCAS policy

4. Root and intermediate cert upload to MCAS

5. MCAS policy to block if there is no valid client certificate. 


the block works, i get the "test block" message. but i can't get the client certificate prompt or figure out why it won't prompt for certificate.


My end goal is to test valid client certificate against a few 3rd party IOS apps where device certificate/standard device compliance checkbox doesn't work in conditional access. 

24 Replies

tried to replace my individual root / intermediate certificates with a single file chained file. no luck so far.

anyone using valid client certificate option in MCAS? 

I have the exact same issue. No combination of policy, certificates or settings seems to work.

We can successfully block access, but cannot get an MCAS Access policy to actually request a certificate from a client browser.

@gd-29 Did you get any feedback on this? I have the exactly same issue.


@rodrigobe i was only able to get this to work from one method. i think it was from a ios mobile device. 

i could not get this to prompt on a windows machine

@rodrigobe are you importing the cert on the client in the current user's personal store? that's where the cert needs to be on the machine and it also needs to have a private key. Once you have configured a session/access policy to check for a valid client cert, you should be prompted to select one from this store when you browse to app you configured in the policy





Sorry to resurrect this thread.


I'm also trying to get a client-certificate based condtional access session policy to work in MCAS.


I can get the browser to prompt for the certificate I issued, but it never accepts it and access is always blocked. I'm sure the issuing CA chain is correct and configured in MCAS, but MCAS just doesn't like any certificate I issue from the CA.


Has anybody managed to get this to work?




Hi, I added the client certificate's PFX to the Current User Cert Store (in Personal Certifcates), and the cert is still not accepted by MCAS as a valid client certifcate.

@ataviste did you try just the root CA or a combination of root and intermediate uploaded?

i forgot what was recommended by support when i was trying.





I uploaded the root and intermediate CA as two separate PEM files in MCAS

@ataviste do you have the private key for this cert? and what is the listed usage for this cert?





Yes I imported a PFX, and the "You have a private key that corresponds to this certifcate" message is present.

The cert usage is client authentication.

is the CA reachable over internet for a CRL check? if not, you may want to test by disabling the CRL check option in CAS portal settings right under where you upload the root cert.

also, just to understand the behavior, you are prompted for the cert and presented a list box, you select one and then does the page fail to load? or does it load but block activities configured in policy as if the cert is not valid?




I'd already disabled the CRL checking.


Firefox prompts me for the client cert, it is the correct certifcate. I select it, and shortly afterwards the "access blocked" page is displayed.


I've also tried in IE on Windows, I'm not prompted for a cert (although I did add the PFX to IE) , but again the access blocked page is displated.

i just tested with IE11 and it works as expected. i did not have to add the cert to IE, just import to user's personal store. Latest versions of Edge and Chrome work too. after trying everything above, i can only suspect an issue with the root/intermediate certs. I am sharing my testing certificates with you in a direct message. if these work for you, then you can be sure that the issue is with certs alone.





I got it to work!


I had added a session policy in MCAS (which is supposed to be for browser clients). I replaced that with an access policy (see screenshot), and now things work as expected on Firefox on Linux and in IE11 on Windows (I got prompted for the cert on IE11 though, even though I'd added the client cert to the user cert store).


Trying on another machine without the client cert blocks access (to MS Exchange) as expected.


Can you confirm your working setup is with an access policy in MCAS?


Thanks for your help.



Hi @rajatm


I tried it with your certs/CA and they also work with my access policy. Looking at the certs they have the same key usage etc. (but you have no intermediate CA)


I created it initially as a session policy as they are supposed to be for browser clients. Very confusing!


Thanks very much for your help


yes. cert based identification works for both session and access policies. the difference is that session policies can only control activities in web-apps/browser sessions while access policies can control overall allow/block for web-apps AND native/desktop apps.
i have both session and access policies using the same certs and working as expected.
if you only need to block access to devices without certs, an access policy is the right way to go.

Hi@rajatm ,


Should my session policy have worked as well then? I guess something else was not quite right with it.




@ataviste depends on what you had configured in it. for example, this config for a session policy will block selected activities in the 3rd filter when a user logs on to EXO OWA and the device does not have a valid cert. it will not block overall access.