This problem occurs when client certificate authentication is configured on a virtual server and Internet Explorer 11 is the client. When the NetScaler requests client certificate authentication, the SSL handshake fails if TLS 1.2 is being used.
Configure client certificate authentication as Mandatory. This forces a client/server renegotiation to take place. The CA certificate must then be bound to the authenticating VIP on the NetScaler to allow Internet Explorer to use TLS 1.2.
This is a problem with the NetScaler configuration.
During the initial Client Hello, the client sends the TLS protocol versions and cipher suites the user's browser supports. The NetScaler responds with a Server Hello and agrees on a TLS protocol version and cipher suite that both sides support. At this juncture, the NetScaler requests the client certificate. However, the client responds with a Certificate message of length 0, indicating that no certificate was sent to the NetScaler. Because client certificate authentication on the NetScaler is configured as Optional, no second request is sent to the client, and the SSL handshake fails.
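The resolution described above, expressed as NetScaler CLI commands; this is an added example, not part of the original article. The object names vs_auth and ca_cert and the certificate path are placeholders for your own configuration.

```nscli
# Added example (not from the original article). vs_auth, ca_cert and the
# certificate path below are placeholders; substitute your own objects.

# Load the CA certificate that issued the client certificates
add ssl certKey ca_cert -cert /nsconfig/ssl/client_ca.pem

# Bind it to the authenticating VIP as a CA certificate, so the NetScaler's
# CertificateRequest advertises it as an acceptable issuer to the browser
bind ssl vserver vs_auth -certkeyName ca_cert -CA

# Switch client certificate authentication from Optional to Mandatory,
# which forces the client/server renegotiation described above
set ssl vserver vs_auth -clientAuth ENABLED -clientCert Mandatory

# Confirm the vserver now shows Client Authentication ENABLED / Mandatory
# and the CA certificate in its binding list
show ssl vserver vs_auth

save ns config
```

After applying the change, verify with a fresh Internet Explorer 11 session that the TLS 1.2 handshake completes and the browser is prompted for a certificate.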