I was failing CRL checking, causing clients to be unable to log in. Here's the final config I'm using (3-level CAs).
Machine-Cert --> CAISSUEWA1 --> CAISSUE1 --> CAROOT
1. The client issuing CA (CAISSUEWA1) should have CRL Checking Options set to use "CDP specified in client certificates", if that is being published.
- Tick Verify Trusted Client CA
- Tick Trusted for Client Authentication
- Untick Participate in Client Certificate Negotiation.
2. The issuing CA (CAISSUEWA1) has the CRL URL of its parent CA (CAISSUE1) in its cert. Copy this URL and paste it in the CRL option of its parent using CRL Checking Option: "manually configured CDP".
- Tick Verify Trusted Client CA
- Tick Trusted for Client Authentication
- Untick Participate in Client Certificate Negotiation.
3. The Root CA (CAROOT) has CRL disabled.
- Untick Verify Trusted Client CA
- Tick Trusted for Client Authentication
- Untick Participate in Client Certificate Negotiation.
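An added example, not from the original post, that models the same three-level chain in memory with Python's `cryptography` package: it pulls the CDP URL out of CAISSUEWA1's certificate (the URL step 2 says to copy into the parent's manual CDP) and checks a machine certificate against the CRL of each CA below the root, skipping the root's CRL as step 3 does. The CA names come from the post; the `http://pki.example/...` URLs, the laptop names and the keys are constructed here, and `check_chain` is a generic model of per-level CRL validation, not the appliance's own logic.

```python
"""Added example (not from the original post): toy CAROOT -> CAISSUE1 ->
CAISSUEWA1 -> machine-cert chain built with the 'cryptography' package.
Names other than the CAs, URLs and keys are constructed for this example."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)
DAY = datetime.timedelta(days=1)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cn(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def make_cert(cn, issuer=None, cdp_url=None, is_ca=True):
    """Return (cert, key). issuer=None gives a self-signed root. cdp_url is
    where the *issuer* publishes its CRL; it lands in this cert's CRL
    Distribution Points extension (the URL the post's step 2 copies)."""
    key = ec.generate_private_key(ec.SECP256R1())
    issuer_cert, issuer_key = issuer if issuer else (None, key)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(cn))
        .issuer_name(issuer_cert.subject if issuer_cert else _name(cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - DAY)
        .not_valid_after(NOW + 365 * DAY)
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    if cdp_url:
        dp = x509.DistributionPoint([x509.UniformResourceIdentifier(cdp_url)], None, None, None)
        builder = builder.add_extension(x509.CRLDistributionPoints([dp]), critical=False)
    return builder.sign(issuer_key, hashes.SHA256()), key


def make_crl(issuer_cert, issuer_key, revoked_serials=()):
    """A CRL signed by the issuer, listing the given serials as revoked."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer_cert.subject)
        .last_update(NOW - DAY)
        .next_update(NOW + 7 * DAY)
    )
    for serial in revoked_serials:
        entry = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW - DAY).build()
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(issuer_key, hashes.SHA256())


def cdp_urls(cert):
    """URLs from the cert's CDP extension ('CDP specified in client certificates')."""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    except x509.ExtensionNotFound:
        return []
    return [gn.value for dp in ext.value for gn in (dp.full_name or [])
            if isinstance(gn, x509.UniformResourceIdentifier)]


def check_chain(chain, crls_by_issuer, crl_disabled_for=()):
    """chain is [leaf, ..., root]. Each cert below the root is checked against
    its issuer's CRL unless that issuer's CRL check is disabled (step 3 for
    CAROOT). Returns (ok, reason)."""
    for cert, issuer in zip(chain, chain[1:]):
        issuer_cn = _cn(issuer)
        if issuer_cn in crl_disabled_for:
            continue
        crl = crls_by_issuer.get(issuer_cn)
        if crl is None:
            return False, f"no CRL available for issuer {issuer_cn}"
        if not crl.is_signature_valid(issuer.public_key()):
            return False, f"CRL for {issuer_cn} has an invalid signature"
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return False, f"{_cn(cert)} is revoked by {issuer_cn}"
    return True, "ok"


def build_demo():
    """Constructed PKI matching the post's chain, plus one revoked machine cert."""
    root, root_key = make_cert("CAROOT")
    issue1, issue1_key = make_cert("CAISSUE1", (root, root_key), "http://pki.example/CAROOT.crl")
    wa1, wa1_key = make_cert("CAISSUEWA1", (issue1, issue1_key), "http://pki.example/CAISSUE1.crl")
    good, _ = make_cert("laptop01", (wa1, wa1_key), "http://pki.example/CAISSUEWA1.crl", is_ca=False)
    bad, _ = make_cert("laptop02", (wa1, wa1_key), "http://pki.example/CAISSUEWA1.crl", is_ca=False)
    # CAROOT's CRL is not checked in this setup (post step 3), so none is built here.
    crls = {
        "CAISSUE1": make_crl(issue1, issue1_key),
        "CAISSUEWA1": make_crl(wa1, wa1_key, revoked_serials=[bad.serial_number]),
    }
    return {"chain": [wa1, issue1, root], "good": good, "bad": bad, "crls": crls}


if __name__ == "__main__":
    d = build_demo()
    print("URL to paste into CAISSUE1's manual CDP:", cdp_urls(d["chain"][0]))
    for leaf in (d["good"], d["bad"]):
        print(_cn(leaf), check_chain([leaf] + d["chain"], d["crls"], {"CAROOT"}))
    print("root CRL check left enabled:", check_chain([d["good"]] + d["chain"], d["crls"]))
```

The last line of the demo shows what happens when the root's CRL check is left on but no root CRL is reachable: the chain fails at CAISSUE1 even though the machine certificate itself is fine, which is the kind of wholesale login failure worth ruling out before touching the per-CA options.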