Forum Discussion
Unable to authenticate with MSAL using a certificate
Hi Jack! Thanks for confirming.
Yes, that makes sense. This behavior occurs on certain Windows 11 24H2 builds, where certificates are loaded with X509KeyStorageFlags.EphemeralKeySet doesn’t always bind the private key correctly. It’s not an officially documented bug, but several developers have reported similar issues with ephemeral certificates failing to authenticate on specific environments.If you need to keep the certificate ephemeral, try combining flags:
new X509Certificate2(certBytes, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.EphemeralKeySet);
This can work as a temporary workaround until Microsoft improves consistency in how ephemeral keys are handled in newer Windows 11 builds.
Hi Aqeel, thanks for your response.
However, my use case requires EphemeralKeySet because the client doesn't want the certificate to be imported into the Cert Store. Btw, the problem only happens on 1 machine running windows 11 Pro, 24h2, other machines including a Win10 don't have this error.
Hi Jack! Thanks for confirming.
Yes, that makes sense. This behavior occurs on certain Windows 11 24H2 builds, where certificates are loaded with X509KeyStorageFlags.EphemeralKeySet doesn’t always bind the private key correctly. It’s not an officially documented bug, but several developers have reported similar issues with ephemeral certificates failing to authenticate on specific environments.
If you need to keep the certificate ephemeral, try combining flags:
new X509Certificate2(certBytes, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.EphemeralKeySet);
This can work as a temporary workaround until Microsoft improves consistency in how ephemeral keys are handled in newer Windows 11 builds.
Thanks Aqeel-Khadim,
I used the combined flags and it fixed the issue.