Forum Discussion

Copper Contributor

Oct 10, 2025

Solved

Unable to authenticate with MSAL using a certificate

Hi guys, I'm using the certificate authentication for my WinForms app to connect to SharePoint and Graph API. I followed this article to create the certificate https://learn.microsoft.com/en-us/entr...

Aqeel-Khadim
Oct 13, 2025
Hi Jack! Thanks for confirming.
Yes, that makes sense. This behavior occurs on certain Windows 11 24H2 builds, where certificates are loaded with X509KeyStorageFlags.EphemeralKeySet doesn’t always bind the private key correctly. It’s not an officially documented bug, but several developers have reported similar issues with ephemeral certificates failing to authenticate on specific environments.
If you need to keep the certificate ephemeral, try combining flags:
new X509Certificate2(certBytes, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.EphemeralKeySet);
This can work as a temporary workaround until Microsoft improves consistency in how ephemeral keys are handled in newer Windows 11 builds.

Aqeel-Khadim

Copper Contributor

Oct 10, 2025

Switching the key storage flag to a persistent or exportable option fixed the issue immediately. Instead of using the ephemeral key set, I created the certificate instance using either X509KeyStorageFlags.Exportable or X509KeyStorageFlags.MachineKeySet. Once the private key was properly loaded, authentication with both SharePoint and Microsoft Graph API started working as expected. For anyone else facing this issue, make sure that cert.HasPrivateKey returns true at runtime, confirm that the system time is accurate (since even a small time skew can cause misleading AADSTS errors), and verify that the certificate chain is fully trusted on the local machine. It’s also best to avoid relying on EphemeralKeySet unless necessary, as it behaves inconsistently across different Windows 11 versions. In short, this wasn’t a problem with Azure AD or MSAL configuration—it was a Windows 11-specific issue related to how ephemeral certificate keys are handled. Using MachineKeySet or Exportable resolved the authentication problem completely.

new X509Certificate2(certBytes, password, X509KeyStorageFlags.MachineKeySet);
or
new X509Certificate2(certBytes, password, X509KeyStorageFlags.Exportable);

Jack_Le_Syn
Copper Contributor
Oct 11, 2025
Hi Aqeel, thanks for your response.
However, my use case requires EphemeralKeySet because the client doesn't want the certificate to be imported into the Cert Store. Btw, the problem only happens on 1 machine running windows 11 Pro, 24h2, other machines including a Win10 don't have this error.
- Aqeel-Khadim
  Copper Contributor
  Oct 13, 2025
  Hi Jack! Thanks for confirming.
  Yes, that makes sense. This behavior occurs on certain Windows 11 24H2 builds, where certificates are loaded with X509KeyStorageFlags.EphemeralKeySet doesn’t always bind the private key correctly. It’s not an officially documented bug, but several developers have reported similar issues with ephemeral certificates failing to authenticate on specific environments.
  If you need to keep the certificate ephemeral, try combining flags:
  new X509Certificate2(certBytes, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.EphemeralKeySet);
  This can work as a temporary workaround until Microsoft improves consistency in how ephemeral keys are handled in newer Windows 11 builds.
  - Jack_Le_Syn
    Copper Contributor
    Oct 16, 2025
    Thanks Aqeel-Khadim,
    I used the combined flags and it fixed the issue.