Did you find a solution to this? We also have this issue.
I got certificate authentication working with self-signed CA/client certs yesterday, but the results were pretty mixed. Apps like Safari, Mail, and Evernote worked great (after enabling acceptance of 3rd party cookies). Chrome, App Store, and Apple Maps didn't work at all.
I think the way this story ends is with a hybrid approach - authenticate (with certs) where possible, and identify via user-agent what should be bypassed.
I hate the thought of maintaining an ever-growing list of user-agent strings, though...
I agree with the user agent lists.
How did you get the cert auth working? I have imported/configured the rules but am getting stuck at the 'ask user for client cert' rule.
Hi Mike and Jim,
I have some ideas on this but it really depends on what is attempting to be accomplished.
From what Jim is saying, he wants to do direct proxy auth, and if they fail, do certificate auth. His current method of identifying whether or not someone should perform certificate auth is based on user-agent. This definitely could cause problems for HTTPS connections where the User-Agent isn't always available.
Rather, what I suggest doing is the following.
If the user fails to authenticate via NTLM for example, then redirect them to the "Authentication server" to obtain a certificate and a session. Once they have obtained the certificate and the session they should get prompted much less (it could be none at all).
Attached is a ruleset (2012-11-13_10-39_Certificate Based Authentication - v3.xml) which I have used as a boilerplate for getting plain-old certificate auth in place. There is some moving around that needs to happen, but the basics are there. This does not behave as I described above, but if you want to get your feet wet with certificate auth, the attached ruleset should help.
I have another ruleset in the works (which I have not tested -- 2013-03-20_18-21_Failover Auth (proxy auth then cert based auth).xml ) that I will try to work with Jim on that will accomplish what I stated above.
Thanks, the v3 .xml got me further than I was before (prompting for the proxy cert so I can see the path). I am still having problems getting cert auth to function on iPads. I'll be poking at it today some more.
Jon, did you ever get the
How are you getting the ICAP traffic to the MWG? Direct Proxy or transparently (WCCP)?
(I asked because it matters in what ruleset I post)
We aren't using ICAP to get it to the MWG. Do you mean iPad?
We are using Direct Proxy, using a PAC file.