
How to Login to Windows Using a SmartCard Certificate

How to enable smartcard Windows logon with Entra CBA and troubleshoot common Entra ID issues
24 Apr 2024

Enable Windows Login with Entra CBA

The Microsoft Entra CBA documentation says that Entra CBA certificate authentication should work with your smartcard as long as Entra CBA is enabled and the CA certificates are trusted by Entra ID (if you have not done this, I recommend our guide on how to set up Entra CBA for passwordless authentication). If you have done this and you can validate that certificate authentication works in the browser, this guide walks you through some of the most common errors we have seen while helping thousands of customers go passwordless with Entra CBA.



Entra CBA SmartCard Login Not Working on Windows

The first step is to check whether the problem is isolated to Windows. The best way to test this is to open an incognito window and go to a Microsoft site such as https://portal.azure.com, then enter your user ID, select “Use a Certificate or smartcard”, and select your smartcard certificate. (I really recommend using an incognito window because, if authentication fails, the browser caches the certificate, meaning that if you do not use incognito you will have to restart the computer.)



Certificate Authentication using Entra CBA



Now enter your PIN and, if you are using a token that requires touch, such as a YubiKey or a Feitian key, touch the key.


If it works, skip to the next section where we start troubleshooting the Windows side of things.



Entra CBA - This Site Can’t Be Reached

If you are getting an error saying “This site can’t be reached. The webpage at http://certauth.login.microsoftonline.com/ might be temporarily down or it may have moved,” the certificate authentication was not completed. This is usually caused by not touching the key.



Entra CBA authentication error: site can’t be reached, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED



Entra CBA Not Working - How to Troubleshoot

If you are getting other authentication errors while trying to enable Entra CBA, the best way to troubleshoot them is to look at the logs of the authentication. I do this through Azure, but I bet that Microsoft has a new, more complicated way to do it in the Entra ID portal. Go to Azure, click on Entra ID, go to the specific user, and select “Sign In Logs.” There you can click on the specific failed sign-in and check what is causing it to fail. (Note: CBA might show as interrupted. This is normal; look at the log entry that happened right after it.) From a conditional access policy to MFA baseline, there are many reasons why this could be happening, but this is where you can find the specific issue.



How to troubleshoot Entra CBA Authentication with login logs



Entra CBA Is Working on Web but Not on Windows

If Entra CBA is working in the browser but not on Windows, there are multiple things that might be causing the issue:



1) Your certificate chain is not in the trusted certificate store. We recommend using Intune or a GPO to push the root certificate to the trusted certificate store.



2) The computer is not hybrid joined.



3) The smartcard mini-driver is not installed on your device. All smartcard providers create a mini-driver that enables their smartcard to connect to Windows, and Windows tries to install the driver automatically when the smartcard is connected. However, there are times when you must install the mini-driver yourself.


4) You are using an older version of Windows. While smartcard authentication has been around for decades, Entra CBA was created in 2021, meaning that older versions of Windows do not support it. Check that your Windows version is in the supported Entra CBA Windows versions.

5) You are using a third-party federation. If you are using a third-party federation such as Okta, Windows login with Entra CBA is not supported.
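
Causes 1 through 4 can be checked locally on the affected machine. The PowerShell script below is an added example, not part of the original article or any vendor tooling; it assumes an elevated or standard Windows PowerShell session on the PC, and the `$RootCaThumbprint` value is a placeholder you replace with the thumbprint of your own root CA.

```powershell
# Added example: local checks for causes 1-4 in the list above.
param(
    # Placeholder (assumption): thumbprint of YOUR root CA certificate.
    [string]$RootCaThumbprint = '<YOUR-ROOT-CA-THUMBPRINT>'
)

$results = [ordered]@{}

# 1) Is the root CA present in the machine-wide Trusted Root store?
$thumb = ($RootCaThumbprint -replace '\s', '').ToUpperInvariant()
$root  = Get-ChildItem -Path Cert:\LocalMachine\Root |
         Where-Object { $_.Thumbprint -eq $thumb }
$results['Root CA in LocalMachine\Root'] = [bool]$root
if ($root) { $results['Root CA expires'] = $root.NotAfter }

# 2) Join state: hybrid joined means AzureAdJoined and DomainJoined are both YES.
$state = @{}
foreach ($line in (dsregcmd /status)) {
    if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(\S+)') {
        $state[$Matches[1]] = $Matches[2]
    }
}
$results['AzureAdJoined'] = $state['AzureAdJoined']
$results['DomainJoined']  = $state['DomainJoined']
$results['Hybrid joined'] = ($state['AzureAdJoined'] -eq 'YES' -and
                             $state['DomainJoined']  -eq 'YES')

# 3) Smart Card service state and the card device Windows bound a driver to.
#    Insert the smartcard or token before running this part.
$results['SCardSvr status'] = (Get-Service -Name SCardSvr).Status
$cards = Get-PnpDevice -Class SmartCard -PresentOnly -ErrorAction SilentlyContinue
$results['Smart card devices'] = if ($cards) {
    ($cards | ForEach-Object { "$($_.FriendlyName) [$($_.Status)]" }) -join '; '
} else {
    'none detected'
}

# 4) OS edition and build, to compare with the supported Entra CBA Windows versions.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$results['Windows'] = "$($os.Caption) build $($os.BuildNumber)"

[pscustomobject]$results | Format-List
```

A `False` for the root CA or hybrid-join line, or `none detected` for the card, points at causes 1, 2 and 3 respectively; cause 5 depends on how the tenant is federated and cannot be determined from the client.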



Next Steps on the Entra CBA Adoption

Hopefully this article helps you solve the issue(s) and you can now log in to your Windows machine using a smartcard certificate. If you have other questions or would like to learn how we can help you onboard users to Entra CBA, feel free to schedule a free call with our identity experts.
