Forum Discussion
Unable to authenticate with MSAL using a certificate
Hi guys,
I'm using the certificate authentication for my WinForms app to connect to SharePoint and Graph API. I followed this article to create the certificate https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-self-signed-certificate
Uploaded the certificate to the App Registration, gave all appropriate permissions. However, when I tried to connect to SharePoint or the Graph API, I got this error
A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS700021: Client assertion application identifier doesn't match 'client_id' parameter. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials .
Microsoft.Graph.ServiceException: Code: generalException
Message: An error occurred sending the request.
BUT, this only happened on 1 specific machine running Windows 11 Pro. I tested on 4-5 different machines (both W10 and W11), they didn't get this error.
I tried verifying the cert thumbprint which matched the one uploaded on the App Registrations. The certificate is not stored in the machine cert store, I use X509KeyStorageFlags.EphemeralKeySet when calling it. Not sure what else to check.
2 Replies
Switching the key storage flag to a persistent or exportable option fixed the issue immediately. Instead of using the ephemeral key set, I created the certificate instance using either X509KeyStorageFlags.Exportable or X509KeyStorageFlags.MachineKeySet. Once the private key was properly loaded, authentication with both SharePoint and Microsoft Graph API started working as expected. For anyone else facing this issue, make sure that cert.HasPrivateKey returns true at runtime, confirm that the system time is accurate (since even a small time skew can cause misleading AADSTS errors), and verify that the certificate chain is fully trusted on the local machine. It’s also best to avoid relying on EphemeralKeySet unless necessary, as it behaves inconsistently across different Windows 11 versions. In short, this wasn’t a problem with Azure AD or MSAL configuration—it was a Windows 11-specific issue related to how ephemeral certificate keys are handled. Using MachineKeySet or Exportable resolved the authentication problem completely.
new X509Certificate2(certBytes, password, X509KeyStorageFlags.MachineKeySet);
or
new X509Certificate2(certBytes, password, X509KeyStorageFlags.Exportable);The error you are getting hints at a mismatch of the application identifier, not the certificate thumbprint. Make sure the iss/sub claims in your assertion payload match the client ID of the application.
