HTTP Certificate client authentication RRS feed

  • Question

  • Hi all,

    I have a problem with the resolution of a case that I will explain below.

    In our environment (intranet) we have a website portal that requires http certificate client authentication. 
    Subsequently the selection of the right cert from the store, the web service read the FQDN from the certificate's subject and 
    based on that permit the access to the portal.

    Now, we can deploy the certificate on the machine with autoenrollment, based on our PKI (Window Server 2012 AD CS).  
    The problem is that IE (or any other internet browser) read only from the user keystore (LocalMachine\My) while 
    the right certificate is on the computer keystore (CurrentUser\My).
    How can I figure out this situation?
    If I export the certificate from the machine keystore and next import to the user keystore everything works fine but 
    I don't want mark the key as exportable in cert template and, however, this would make everything more complicated.

    I appreciate any suggestions to accomplish that
    Thanks in advance

    Monday, January 2, 2017 4:16 PM

All replies

  • Hi,

    By your description it sounds like you are trying to authenticate a user session with a computer certificate. I believe the reason this isn't working is by design.

    Is the application something that has been designed bespoke?

    The proper way to do this is to have the users auto-enroll certificates which can be achieved in a similar way to auto-enroll machine certificates and then have the authentication done based on the user certificate that the browsers do have access to.

    The reason that the user store is used it because the browser runs in the context of the user not the machine (which would use the account NT Authority\SYSTEM).

    Monday, January 2, 2017 5:15 PM
  • Thank you Daniel,

    Yes I already know what you say but, unfortunately, the app was developed with those specific requirements because it has the needs to recognize the computer from where the http session begins.

    It's like just you say: we want authenticate a user session with a computer certificate and we would like to do auto enroll certificates on specific machines without have a key exportable.

    But it seems is impossible by design, is it true?

    Which could be an alternative solution?

    I had thought a solution with a script that copy cert from one keystore to another but that does not copy the private key.

    • Edited by Kiplico Monday, January 2, 2017 6:43 PM
    Monday, January 2, 2017 6:43 PM
  • Hi Kiplico,

    Haven't received your message a few days, was your issue resolved?

    If the reply is helpful, please remember to mark it as answer which can help other community members who have same questions and find the helpful reply quickly.
    Best regards,

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Tuesday, January 17, 2017 9:16 AM
  • Hi Kiplico,

    have you managed to find a solution?

    If you believe my respond answered your question could you please 'mark as answer'


    Thursday, January 26, 2017 7:40 PM