I am having problems using certificate checking on the role level. Tested this on the realm level and it works ok.
Generating a client cert on a machine. Importing this into the local computer store in personal certificates and enrollment certificate requests, and then also putting this certificate into the user personal certificate store. Then getting this certificate and installing it on the Client CA area on the IVE and the Server CA area. Also setup the root CA and the CRL checking options.
So the certificate is everywhere at the moment. Then I have set the role to only allow clients who match with the CRL checking options.
Try to log into this role and it fails.
Put the same settings on the realm, and it works ok. Does this not work at the role level, or am I missing something here ?
Hey Kevin - role based certificate assignment is a little funky. The browser cert is only check at realm login time. So even though you are not authenticating to the realm via a cert you need to modify the settings under "User Realms / Authentication Policy / Certificate"
Set the radio button to the middle selection "Allow all users and remember certificate information while the user is logged in" - this will store the cert information for use in role validation. Works like a charm!