ADFS Client Certificate Authentication

Matt 1 Reputation point
2023-01-04T14:19:56.06+00:00

Hi Everyone,

We're working through standing up our first ADFS server in our server farm. We have hit a snag when it comes to the client smartcard authentication. A quick rundown on our setup and what I have tried so far.

We have a single ADFS server with a certificate that has certauth as a SAN, so client certificates authenticate over 443. Within Authentication Methods, client certificate is enabled as an authentication method. I have also added the following claim rules within Claims Provider Trusts:

- EKU, UPN, Serial Number, Issuer, and X.509

I also checked the NTAuth store, and all client certificates' intermediate and respective root certificates are present for all the smart cards used.

Our smart cards work with every other service on our network. Also, username and password through ADFS works as well.

I do get prompted for my smart card when I select client certificate login. Once I enter the PIN for my smart card, I get redirected to the following errors.

Error 364
Microsoft.IdentityServer.NoValidCertificateException: MSIS7121: The request did not contain a valid client certificate that can be used for authentication. This occurs when there are no valid certificates on the client computer, for example if all certificates have expired or been revoked.
Error Code: 0x800B0109
at Microsoft.IdentityServer.Web.Authentication.TlsClientAuthenticationHandler.ThrowCertificateErrorException(Int32 errorCode)
at Microsoft.IdentityServer.Web.Authentication.TlsClientAuthenticationHandler.ProcessIntranetRequest(ProtocolContext context, WrappedHttpListenerRequest request)
at Microsoft.IdentityServer.Web.Authentication.TlsClientAuthenticationHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolTlsClientListener.OnGetContext(WrappedHttpListenerContext context)

An error occurred
No valid client certificate found in the request. No valid certificates found in the user's certificate store. Please try again after closing and reopening the browser and choose a different authentication method.

I really appreciate any help you can provide!


3 answers

  1. Matt 1 Reputation point
    2023-01-05T11:48:12.893+00:00

    Anything? I'm sure I can't be the only one who has experienced this, hopefully someone can help.


  2. Matt 1 Reputation point
    2023-01-05T13:13:30.217+00:00

    Update for everyone who comes across this issue.

    I was able to resolve this by making the following registry changes.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel

    • Add "ClientAuthTrustMode" with a value of 2
    • Either delete "SendTrustedIssuerList" or add it with a value of 0
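    The following script is an added example, not code from the thread or from Microsoft: it audits the two Schannel values named in the fix above and, only when run with -Apply, sets them. It assumes it is run in an elevated PowerShell session on the ADFS server and that the server is rebooted afterwards so Schannel reads the new values; the store listing at the end covers a caveat the fix does not mention, namely that ClientAuthTrustMode = 2 only accepts client certificates chaining to a CA present in the Client Authentication Issuers store.

```powershell
# Audit (and optionally set) the Schannel client-certificate trust values.
# Assumptions: elevated session on the ADFS server; reboot afterwards.
[CmdletBinding()]
param(
    [switch]$Apply   # without -Apply the script only reports, it changes nothing
)

$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel'

# Values from the accepted fix in this thread.
$Desired = @{
    # 2 = "Exclusive CA Trust": the client certificate must chain to an
    #     intermediate or root CA held in Cert:\LocalMachine\ClientAuthIssuer
    ClientAuthTrustMode   = 2
    # 0 = do not send the trusted-issuer list in the TLS CertificateRequest,
    #     so the client is not restricted to issuers from that list
    SendTrustedIssuerList = 0
}

function Get-SchannelValue([string]$Name) {
    # Returns $null when the value is absent, so the report can tell "not set" from 0
    (Get-ItemProperty -Path $SchannelKey -Name $Name -ErrorAction SilentlyContinue).$Name
}

foreach ($name in $Desired.Keys) {
    $current = Get-SchannelValue $name
    $shown   = if ($null -eq $current) { '<not set>' } else { $current }
    Write-Host ("{0,-22} current: {1,-10} desired: {2}" -f $name, $shown, $Desired[$name])

    if ($Apply -and $current -ne $Desired[$name]) {
        Set-ItemProperty -Path $SchannelKey -Name $name -Value $Desired[$name] -Type DWord
        Write-Host "  -> set $name = $($Desired[$name])"
    }
}

# With ClientAuthTrustMode = 2, the CAs that issued the smart-card certificates
# must appear here; an empty or incomplete list means the handshake still fails.
Write-Host "`nCertificates in Cert:\LocalMachine\ClientAuthIssuer:"
Get-ChildItem Cert:\LocalMachine\ClientAuthIssuer |
    Select-Object Subject, NotAfter, Thumbprint |
    Format-Table -AutoSize

if ($Apply) { Write-Host "`nReboot the server so Schannel picks up the new values." }
```

    Run it once without -Apply to record the current state before changing anything, then compare the ClientAuthIssuer listing against the issuing CAs of the smart cards in use.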

  3. Christian Previtera 1 Reputation point
    2023-01-07T08:36:53.877+00:00

    Thanks a lot,
    I've been facing this issue for a while