This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 37%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETK%3C/text%3E%3C/svg%3E)
Hello,
I am implementing Windows 10 native VPN (ikev2) with cert-based authentication to on-premise (gw is fortigate)
When VPN connects, it will add *Session cert-based credentials to Credential Manager, so it is trying to enforce this type of authentication also for on-premise resources.
But some resources support only NTLM (SSO) - Only option how to disable of enforcing cert-based authentication for on-premise resources and be able to authenticate via NTLM is registry key MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds which disable Credential Manager from caching credentials.
I also found CSP Policy Authentication/AllowEAPCertSSO which should do what I need but it has no effect.
Does anybody know more information about the purpose of this policy ?
Hi Tomas,
The purpose is to allows an EAP (Extensible Authentication Protocol) cert-based authentication for single sign-on (SSO) to access internal resources.
It’s essential to note that this policy might not directly address your specific issue with NTLM-based resources. If you’re encountering difficulties with NTLM-based authentication, you might need to explore other solutions, such as the registry key you mentioned.