1,745 questions
As far as I can tell, there is no way in IIS to force a client certificate during the initial TLS handshake
this statement is incorrect. In IIS, under Web Site -> SSL Settings ->
Windows Server 2022 IIS Client Certificate Authentication not working with Edge
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 82%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG%3C/text%3E%3C/svg%3E)
Gerben
1
Reputation point
After setting up a Windows Server 2022, IIS's Client Certificate Authentication doesn't work with Edge. It does work properly with Firefox, after turning on the "post-authentication handshake".
As far as I can tell, there is no way in IIS to force a client certificate during the initial TLS handshake. Usually this makes sense, since the configuration can be specified on a directory (and/or hostname) basis, so whether authentication is needed at all is only known at the time of the HTTP request itself. However, TLS 1.3 by default can't perform authentication after the initial handshake; this is only possible if the client (i.e. browser) indicates it supports post-handshake authentication.
And indeed: after enabling post-handshake authentication in Firefox, client certificate authentication succeeded. However, Edge does not seem to support the post-handshake authentication at all.
As a result, client certificate authentication doesn't seem to work at all on Windows Server 2022. Even if the browser falls back to TLS 1.2, the same problem seems to exist.
Is there any way to get client certificate authentication working properly in Windows Server 2022 (without disabling TLS 1.3)? How is this functionality supposed to still function, with these limitations?
Thanks in advance!
Windows development Internet Information Services
Windows for business Windows Server Devices and deployment Configure application groups
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 24%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESW%3C/text%3E%3C/svg%3E)
Sam Wu-MSFT 7,561 Reputation points Microsoft External Staff2021-11-09T06:47:06.147+00:00 IIS's Client Certificate Authentication doesn't work with Edge.
Did you get any error messages when you use edge?
-
Gerben 1 Reputation point
2021-11-09T07:42:02.87+00:00 In Edge I get an ERR_CONNECTION_RESET (with a "Hmmm... can't reach this page", "The connection was reset".
For additional details, the Wireshark logging shows the following:
- browser -> server: TLS: Client Hello (without "post-handshake authentication" extension)
- server -> browser: TLS: Server Hello, Change Cipher Spec
- server -> browser: TLS: Encrypted Extensions, Certificate, Certificate Verify, Finished
- browser -> server: TLS: Change Cipher Spec, Finished
- browser -> server: HTTP: GET request
- server -> browser: TLS: New Session Ticket
- server -> browser: Resets connection (RST, ACK)
Enabling post-handshake authentication in Firefox results in the browser advertising the post-handshake authentication extension in the client hello, and after the HTTP GET request a TLS CertificateRequest message is sent. This behavior is of course invalid for Edge, since it doesn't advertise the post-handshake authentication extension.
-
Sam Wu-MSFT 7,561 Reputation points Microsoft External Staff
2021-11-10T08:45:17.4+00:00 @Gerben This seems to be a problem with the edge browser, I suggest you open a support ticket for this, one of our engineers will help analyse the root cause.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 93%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPY%3C/text%3E%3C/svg%3E)
peter y 1 Reputation point2022-07-22T17:37:26.023+00:00 I am running into the same issue with Edge. Did you ever figure out how to enable post auth handshake in Edge?
Sign in to comment
5 answers
Sort by: Most helpful
-
Vadims Podāns 9,186 Reputation points MVP2021-11-05T13:06:35.307+00:00 -
Gerben 1 Reputation point
2021-11-05T13:46:31.21+00:00 this statement is incorrect. In IIS, under Web Site -> SSL Settings ->
Thanks for your answer!
This is how I have it configured. I've done this on the website and on each of the individual directories under the wwwroot (e.g. "/css/"), since client authentication during the handshake is theoretically impossible if the subdirectories won't require authentication (as the request itself would determine whether authentication is necessary).
However, even when the website and all its directories require authentication, IIS still doesn't seem to prompt for the client certificate during the handshake.
Am I missing something - or misconfiguring something - that could somehow intervene with authentication during the handshake?
-
Vadims Podāns 9,186 Reputation points MVP
2021-11-05T14:43:49.603+00:00 couple of things:
1) if you configure SSL Settings on site level, it is propagated down to all nested levels (applications, virtual folders, files, etc.). There is no need to configure SSL settings on individual level unless you want to target only them.
2) Microsoft Edge don't prompt for certificate if only one suitable certificate is found. Edge prompts only when multiple matching certificates found. Exact behavior is configured in Control Panel\Internet Options -> Security -> Internet Zone -
Gerben 1 Reputation point
2021-11-08T08:05:13.073+00:00 Thanks again for your answer!
I've verified that Edge doesn't send the CertificateRequest through Wireshark, so this is not a matter of Edge not prompting for a certificate. Also, this is confirmed by Firefox starting to work after enabling post handshake authentication. With Firefox I've confirmed (also through Wireshark) that a CertificateRequest is sent, but after the handshake.
So by the looks of it, even the configuration you're proposing uses a post-handshake authentication.
Regarding point 1: we did have differences configured per-directory before, but those are changed to be consistent for this question.
-
Vadims Podāns 9,186 Reputation points MVP
2021-11-10T16:44:04.797+00:00 One thing to try -- assign that web site to Local Intranet/Trusted Sites zone in Internet Options control panel applet.