Hello Kita,

It's immediately rejecting the authentication and not even extracting the user name from the certificate, so a policy trace is no use. Also, to be clear, the same certificate works on one realm but not on another even though they are configured with the same Authentication server.

However, after looking at the xml exports again I have now found a difference. For the realms where it works, in the <certificate> section the <customized> value is set to: allow-all-users

In the admin portal the setting shows as: "Only allow users with a client-side certificate signed by Trusted Client CAs to sign in".

For the other realms where it does not work, in the xml export the <customized> value is set to: require-client-cert

In the portal again the setting is shown as: "Only allow users with a client-side certificate signed by Trusted Client CAs to sign in".

I did some testing on my test box and even if the xml setting is "allow-all-users" it works correctly, i.e. it only allows clients with a valid certificate from one of the trusted CAs and the required attributes. So it appears the value shown in the admin portal is the correct one, but whatever it is picking up to fill in the xml is causing the issue.

I was able to fix the issue by editing the xml export to have the <customized> value set to allow-all-users and then re-importing.
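The comparison the post did by hand (diffing the realm exports to find which ones carry a different `<certificate>/<customized>` value, then editing the export before re-importing) can be scripted so every realm is checked the same way. The following is an added example, not code from the original thread or from the product vendor; the only element names taken from the post are `<certificate>` and `<customized>`, while the surrounding `<realm>`, `<name>` and `<auth-server>` structure and the sample export itself are constructed assumptions that would need to be matched to the real export schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample export modelled on the post: two realms that share the
# same authentication server but differ in <certificate>/<customized>.
# Element names other than <certificate> and <customized> are assumptions,
# not the product's real export schema.
SAMPLE_EXPORT = """<configuration>
  <realms>
    <realm>
      <name>Realm-Working</name>
      <auth-server>Cert-Auth-Server</auth-server>
      <certificate>
        <customized>allow-all-users</customized>
      </certificate>
    </realm>
    <realm>
      <name>Realm-Broken</name>
      <auth-server>Cert-Auth-Server</auth-server>
      <certificate>
        <customized>require-client-cert</customized>
      </certificate>
    </realm>
  </realms>
</configuration>
"""

# The value the post found on the realms where certificate sign-in worked.
KNOWN_GOOD = "allow-all-users"


def realm_cert_settings(xml_text):
    """Return {realm name: (auth server, <customized> value)} for every realm."""
    root = ET.fromstring(xml_text)
    settings = {}
    for realm in root.iter("realm"):
        name = realm.findtext("name", default="<unnamed>")
        server = realm.findtext("auth-server", default="")
        customized = realm.findtext("certificate/customized", default="")
        settings[name] = (server, customized)
    return settings


def find_divergent_realms(xml_text, expected=KNOWN_GOOD):
    """Names of realms whose <customized> value differs from the known-good one."""
    return sorted(
        name
        for name, (_, value) in realm_cert_settings(xml_text).items()
        if value != expected
    )


def rewrite_customized(xml_text, realm_names, value=KNOWN_GOOD):
    """Return a copy of the export with <customized> set to `value` for the
    named realms only (the manual edit the post describes), leaving every
    other element untouched so the rest of the import is unchanged."""
    root = ET.fromstring(xml_text)
    for realm in root.iter("realm"):
        if realm.findtext("name") in realm_names:
            node = realm.find("certificate/customized")
            if node is not None:
                node.text = value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, (server, value) in realm_cert_settings(SAMPLE_EXPORT).items():
        print(f"{name:<15} server={server:<20} customized={value}")
    divergent = find_divergent_realms(SAMPLE_EXPORT)
    print("divergent realms:", divergent)
    fixed = rewrite_customized(SAMPLE_EXPORT, divergent)
    print("after rewrite, divergent realms:", find_divergent_realms(fixed))
```

Running it on a real export means swapping `SAMPLE_EXPORT` for the file contents and adjusting the element paths to the actual schema; the useful output is the list of realms whose `<customized>` value differs from the ones that work, which is the same comparison the post made.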