Forum Discussion

Jack_Le_Syn's avatar
Jack_Le_Syn
Copper Contributor
Oct 10, 2025
Solved

Unable to authenticate with MSAL using a certificate

Hi guys, I'm using the certificate authentication for my WinForms app to connect to SharePoint and Graph API. I followed this article to create the certificate https://learn.microsoft.com/en-us/entr...
certificate
developer
GraphAPI
sharepoint
Winforms
  • Aqeel-Khadim's avatar
    Aqeel-Khadim
    Oct 13, 2025

    Hi Jack! Thanks for confirming.
    Yes, that makes sense. This behavior occurs on certain Windows 11 24H2 builds, where certificates are loaded with X509KeyStorageFlags.EphemeralKeySet doesn’t always bind the private key correctly. It’s not an officially documented bug, but several developers have reported similar issues with ephemeral certificates failing to authenticate on specific environments.

    If you need to keep the certificate ephemeral, try combining flags:

    new X509Certificate2(certBytes, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.EphemeralKeySet);

    This can work as a temporary workaround until Microsoft improves consistency in how ephemeral keys are handled in newer Windows 11 builds.

VasilMichev's avatar
VasilMichev
MVP
Oct 10, 2025

The error you are getting hints at a mismatch of the application identifier, not the certificate thumbprint. Make sure the iss/sub claims in your assertion payload match the client ID of the application.

  • Jack_Le_Syn's avatar
    Jack_Le_Syn
    Copper Contributor
    Oct 11, 2025

    Hi VasilMichev,

    The payload contains the same info as the app registration of the application. I also checked that the certificate is created using CNG (Microsoft Software Key Storage Provider) not the old CSP

Resources