Windows Server 2022 IIS web site TLS 1.3 does not work with client certificate authentication

This post has been republished via RSS; it originally appeared at: IIS Support Blog articles.

On Windows Server 2022, the TLS 1.3 option in the IIS web site SSL binding is enabled by default. However, if the web application uses client certificate authentication, the SSL handshake fails and the web app is not reachable.

Client certificate authentication is a very old technology, and it takes place at the post-negotiation stage of the SSL handshake. Such post-negotiation is restricted by the TLS 1.3 RFC.

It is recommended to use TLS 1.3 with a different, modern authentication method. If you need to keep client certificate authentication, disabling TLS 1.3 and HTTP/2 in the IIS site SSL bindings will make client certificate authentication work.

If you want to keep both TLS 1.3 and client certificate authentication, the workaround is to enable the "Negotiate Client Certificate" property on http.sys. You can do this with the netsh command, or by changing the registry value for "Negotiate Client Certificate" directly. For example, if your IIS web site SSL binding is at 0.0.0.0:443 (IP:Port), the following registry value sets "Negotiate Client Certificate" to true at the http.sys layer:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443
Type: DWORD, Name: DefaultFlags, Value: 2

However, please note that setting the client cert negotiation flag enables negotiation of the client cert during the initial handshake, and the specifics of that handshake should be part of the TLS 1.3 specification. So enabling "client cert negotiate" at http.sys is not something that is not compliant with the TLS 1.3 RFC. You do this at your own risk.

If the web site SSL binding has SNI enabled, or the SSL certificate is in an IIS cert center store, the registry key is different from the one above, and enabling "Negotiate Client Certificate" this way may not work.
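
The following PowerShell is an added example, not part of the original post. It lists the DefaultFlags value of every IP:port binding under SslBindingInfo and sets the 0x2 bit with a bitwise OR, so any other bits already stored in DefaultFlags are kept. The function names are hypothetical, and it assumes CurrentControlSet resolves to the ControlSet001 path quoted above.

```powershell
# Added example, not from the original post. Run in an elevated session on the IIS server.
# Assumption: CurrentControlSet resolves to the ControlSet001 path quoted in the article.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo'
$NegotiateClientCert = 0x2   # the DefaultFlags value given in the article

function Get-ClientCertNegotiation {
    # Hypothetical helper: report the flag state of every IP:port binding key.
    Get-ChildItem -Path $root | ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath
        $flags = [int]$props.DefaultFlags          # a missing value reads as 0
        [pscustomobject]@{
            Binding      = $_.PSChildName
            DefaultFlags = $flags
            Negotiate    = [bool]($flags -band $NegotiateClientCert)
        }
    }
}

function Enable-ClientCertNegotiation {
    # Hypothetical helper: set bit 0x2 without clearing bits that are already set.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$IpPort)   # e.g. '0.0.0.0:443'

    $key = Get-ChildItem -Path $root | Where-Object { $_.PSChildName -eq $IpPort }
    if (-not $key) {
        # SNI and certificate-store bindings are stored under a different key.
        throw "No IP:port binding key found for $IpPort."
    }
    $current = [int](Get-ItemProperty -LiteralPath $key.PSPath).DefaultFlags
    $new     = $current -bor $NegotiateClientCert
    if ($PSCmdlet.ShouldProcess($key.Name, "Set DefaultFlags $current -> $new")) {
        Set-ItemProperty -LiteralPath $key.PSPath -Name DefaultFlags -Value $new -Type DWord
    }
}

Get-ClientCertNegotiation | Format-Table -AutoSize
Enable-ClientCertNegotiation -IpPort '0.0.0.0:443' -WhatIf   # remove -WhatIf to apply
# Check the "Negotiate Client Certificate" line for the binding:
netsh http show sslcert ipport=0.0.0.0:443
```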

 
