Forum Discussion

Jack_Le_Syn
Copper Contributor
Oct 10, 2025
Solved

Unable to authenticate with MSAL using a certificate

Hi guys,

I'm using certificate authentication for my WinForms app to connect to SharePoint and the Graph API. I followed this article to create the certificate: https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-self-signed-certificate

I uploaded the certificate to the App Registration and gave it all the appropriate permissions. However, when I tried to connect to SharePoint or the Graph API, I got this error:

A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details.  Original exception: AADSTS700021: Client assertion application identifier doesn't match 'client_id' parameter. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials .

Microsoft.Graph.ServiceException: Code: generalException
Message: An error occurred sending the request.

BUT, this only happened on 1 specific machine running Windows 11 Pro. I tested on 4-5 different machines (both W10 and W11), and they didn't get this error.

I tried verifying the cert thumbprint, which matched the one uploaded to the App Registration. The certificate is not stored in the machine cert store; I use X509KeyStorageFlags.EphemeralKeySet when loading it. Not sure what else to check.


6 Replies

  • Aqeel-Khadim
    Copper Contributor

    Switching the key storage flag to a persistent or exportable option fixed the issue immediately. Instead of using the ephemeral key set, I created the certificate instance using either X509KeyStorageFlags.Exportable or X509KeyStorageFlags.MachineKeySet. Once the private key was properly loaded, authentication with both SharePoint and the Microsoft Graph API started working as expected.

    For anyone else facing this issue, make sure that cert.HasPrivateKey returns true at runtime, confirm that the system time is accurate (since even a small time skew can cause misleading AADSTS errors), and verify that the certificate chain is fully trusted on the local machine. It's also best to avoid relying on EphemeralKeySet unless necessary, as it behaves inconsistently across different Windows 11 versions.

    In short, this wasn't a problem with Azure AD or MSAL configuration—it was a Windows 11-specific issue related to how ephemeral certificate keys are handled. Using MachineKeySet or Exportable resolved the authentication problem completely.

    var cert = new X509Certificate2(certBytes, password, X509KeyStorageFlags.MachineKeySet);
    or
    var cert = new X509Certificate2(certBytes, password, X509KeyStorageFlags.Exportable);

    • Jack_Le_Syn
      Copper Contributor

      Hi Aqeel, thanks for your response.

      However, my use case requires EphemeralKeySet because the client doesn't want the certificate to be imported into the cert store. Btw, the problem only happens on 1 machine running Windows 11 Pro 24H2; other machines, including a Win10 one, don't have this error.

      • Aqeel-Khadim
        Copper Contributor

        Hi Jack! Thanks for confirming.
        Yes, that makes sense. This behavior occurs on certain Windows 11 24H2 builds, where loading certificates with X509KeyStorageFlags.EphemeralKeySet doesn't always bind the private key correctly. It's not an officially documented bug, but several developers have reported similar issues with ephemeral certificates failing to authenticate in specific environments.

        If you need to keep the certificate ephemeral, try combining flags:

        var cert = new X509Certificate2(certBytes, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.EphemeralKeySet);

        This can work as a temporary workaround until Microsoft improves consistency in how ephemeral keys are handled in newer Windows 11 builds.

  • The error you are getting hints at a mismatch of the application identifier, not the certificate thumbprint. Make sure the iss/sub claims in your assertion payload match the client ID of the application.

    • Jack_Le_Syn
      Copper Contributor

      Hi VasilMichev,

      The payload contains the same info as the app registration of the application. I also checked that the certificate was created using CNG (Microsoft Software Key Storage Provider), not the old CSP.
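The thread asks for three checks before blaming the key storage flag: that the ephemerally loaded private key is actually usable (not just HasPrivateKey == true), that the thumbprint matches the App Registration, and that the iss/sub claims of the client assertion equal the client ID (the claim AADSTS700021 complains about). The following C# is an added diagnostic written for this page; it is not code posted in the thread. It assumes the caller supplies the PFX bytes, its password, the tenant ID, the client ID and the portal thumbprint as placeholders, and the class name CertAuthCheck is hypothetical. The assertion format follows the page Microsoft's error message links to (https://learn.microsoft.com/entra/identity-platform/certificate-credentials).

```csharp
// Added diagnostic example, not from the thread. Placeholders: pfxBytes, password,
// clientId, tenantId, portalThumbprint are supplied by the caller.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.Json;

static class CertAuthCheck
{
    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // 1. Load the PFX without persisting the key, then prove the private key is usable.
    //    HasPrivateKey alone is not enough: sign with the private key and verify with
    //    the certificate's public key, so an unbound or mismatched key fails here.
    public static X509Certificate2 LoadEphemeral(byte[] pfxBytes, string password)
    {
        var cert = new X509Certificate2(pfxBytes, password, X509KeyStorageFlags.EphemeralKeySet);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("PFX loaded but no private key was bound.");
        using RSA rsa = cert.GetRSAPrivateKey()
            ?? throw new InvalidOperationException("Private key is not RSA or could not be opened.");
        byte[] probe = Encoding.UTF8.GetBytes("probe");
        byte[] sig = rsa.SignData(probe, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using RSA pub = cert.GetRSAPublicKey()!;
        if (!pub.VerifyData(probe, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
            throw new InvalidOperationException("Private key does not match the certificate's public key.");
        return cert;
    }

    // 2. Thumbprint as shown in the portal: SHA-1 hex; tolerate spaces/colons when pasted.
    public static bool ThumbprintMatches(X509Certificate2 cert, string portalThumbprint) =>
        string.Equals(cert.Thumbprint,
                      portalThumbprint.Replace(" ", "").Replace(":", ""),
                      StringComparison.OrdinalIgnoreCase);

    // 3. Build the client assertion in the documented format: RS256 JWT whose header carries
    //    x5t (base64url SHA-1 thumbprint) and whose iss and sub are both the app (client) ID.
    //    nbf/exp come from the local clock, so a skewed clock surfaces as a rejected assertion.
    public static string BuildClientAssertion(X509Certificate2 cert, string clientId, string tenantId)
    {
        var now = DateTimeOffset.UtcNow;
        var header = new { alg = "RS256", typ = "JWT", x5t = B64Url(cert.GetCertHash()) };
        var payload = new
        {
            aud = $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token",
            iss = clientId,
            sub = clientId,
            jti = Guid.NewGuid().ToString(),
            nbf = now.ToUnixTimeSeconds(),
            exp = now.AddMinutes(10).ToUnixTimeSeconds(),
        };
        string signingInput = B64Url(JsonSerializer.SerializeToUtf8Bytes(header)) + "." +
                              B64Url(JsonSerializer.SerializeToUtf8Bytes(payload));
        using RSA rsa = cert.GetRSAPrivateKey()!;
        byte[] sig = rsa.SignData(Encoding.ASCII.GetBytes(signingInput),
                                  HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return signingInput + "." + B64Url(sig);
    }

    // 4. Decode the assertion and check the claims behind AADSTS700021 locally,
    //    before the token endpoint ever sees it.
    public static bool AssertionMatchesClientId(string jwt, string clientId)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) return false;
        static string FromB64Url(string s) =>
            s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=').Replace('-', '+').Replace('_', '/');
        using var doc = JsonDocument.Parse(Convert.FromBase64String(FromB64Url(parts[1])));
        var root = doc.RootElement;
        return root.GetProperty("iss").GetString() == clientId
            && root.GetProperty("sub").GetString() == clientId;
    }

    // Usage: run all four checks on the machine that fails, log which one trips.
    public static string Run(byte[] pfxBytes, string password, string clientId, string tenantId, string portalThumbprint)
    {
        var cert = LoadEphemeral(pfxBytes, password);
        if (!ThumbprintMatches(cert, portalThumbprint)) return "thumbprint differs from App Registration";
        string jwt = BuildClientAssertion(cert, clientId, tenantId);
        if (!AssertionMatchesClientId(jwt, clientId)) return "iss/sub do not equal client_id";
        return "ok";
    }
}
```

With MSAL.NET, ConfidentialClientApplicationBuilder.Create(clientId).WithCertificate(cert) computes the assertion for you; to send exactly the assertion you inspected, use .WithClientAssertion(jwt) instead. On .NET 9 and later the X509Certificate2 byte-array constructor is marked obsolete; X509CertificateLoader.LoadPkcs12(pfxBytes, password, X509KeyStorageFlags.EphemeralKeySet) is the replacement and takes the same flags.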
