Tags: iis, ssl-certificate, client-certificates, cac, iis-express-10

No longer prompted for CAC for localhost after upgrade to Windows 11


After upgrading to Windows 11, a local ASP.Net application is no longer prompting me for my CAC and so I cannot access the site via https. I can access it fine via http. I did some looking around and my bindings were set to a cert with the friendly name 'IIS Express Development Certificate' but when I looked for that in my certificate store, or 'localhost' which it is issued by I believe, it doesn't show up. So I went ahead and created a new self-signed cert via powershell:

New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "localhost" -FriendlyName "IIS Dev Express Take 2" -NotAfter (Get-Date).AddYears(10)

I copied this to my trusted root certificate authorities and intermediate authorities folders in my certificate store and selected this new certificate in my bindings, but still have the same issue. At this point I'm not sure what else I can try to resolve this issue.

Just to add a bit more since I've been working on this for a few days now:

I've tried removing and adding back server certificates a number of times, copying them from my personal store to trusted store and intermediate store, etc. I've tried copying a coworker's applicationhost.config file, or at least the parts specific to authentication that were different from mine. I've tried running the site directly from Visual Studio rather than stand-alone in IIS. I even tried removing and re-adding IIS Express, which regenerated the IIS Express Development Certificate that was the one installed originally. It doesn't seem to matter what I do. The application has the following:

_cert = Context.Request.ClientCertificate;
// IsPresent is only true if the server actually asked the browser for a client
// certificate (in the TLS handshake or a renegotiation) and the browser supplied one.
if (_cert.IsPresent)
{
    transferCACLoginToConsent = ProcessCAC();
}

But it never gets to the inner code because Context.Request.ClientCertificate always evaluates to false as I'm stepping through this, and without prompting the user for a CAC/client certificate.


Solution

  • For me it worked when I checked "Disable TLS 1.3 over TCP" in the Edit bindings.

    (Screenshot: IIS edit binding window)
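Background on why that checkbox helps, and a check you can run before flipping it. TLS 1.3 (RFC 8446) has no renegotiation. When an IIS binding does not have "Negotiate Client Certificate" enabled, HTTP.sys only asks the browser for a client certificate by renegotiating after the first request, so under TLS 1.3 (on by default in Windows 11) the request never happens and ClientCertificate.IsPresent stays false. Disabling TLS 1.3 on the binding forces TLS 1.2, where the renegotiation works again; enabling client-certificate negotiation on the binding instead asks for the certificate in the initial handshake and works with both protocol versions. The script below is an added diagnostic and is not code from the question or the answer: it parses `netsh http show sslcert` for one binding and reports which of the two states you are in. It assumes the netsh field labels "Negotiate Client Certificate" and "Disable TLS1.3" and the values "Enabled"/"Set" as printed on Windows 11, and that `netsh http add sslcert` accepts `clientcertnegotiation=enable` and `disabletls13=enable`; confirm both against `netsh http add sslcert /?` on your machine.

```powershell
# Added diagnostic, not part of the original question or answer.
# Reads the HTTP.sys SSL binding for one IP:port (or hostname:port) and reports
# the two settings that decide whether a client certificate (CAC) is ever requested.
# ASSUMPTION: field labels "Negotiate Client Certificate" / "Disable TLS1.3" and the
# values "Enabled" / "Set" match what netsh prints on Windows 11.

function Get-SslBindingState {
    param(
        # Binding exactly as netsh lists it, e.g. "0.0.0.0:443" or "localhost:44300"
        [Parameter(Mandatory)] [string] $HostPort,
        # Lets you feed saved netsh output instead of running netsh live
        [string] $NetshOutput = (netsh http show sslcert | Out-String)
    )

    # netsh prints one block per binding, separated by blank lines
    $block = ($NetshOutput -split '(?:\r?\n){2,}') |
        Where-Object { $_ -match [regex]::Escape($HostPort) } |
        Select-Object -First 1
    if (-not $block) { throw "No sslcert binding found for $HostPort" }

    # Pull "Label : value" out of the block; 'Unknown' if the label is absent
    $read = {
        param($Label)
        if ($block -match "(?m)^\s*$Label\s*:\s*(\S.*?)\s*$") { $Matches[1] } else { 'Unknown' }
    }

    [pscustomobject]@{
        Binding                    = $HostPort
        NegotiateClientCertificate = & $read 'Negotiate Client Certificate'
        DisableTls13               = & $read 'Disable TLS1\.3'
    }
}

function Test-ClientCertRequested {
    param([Parameter(Mandatory)] $State)

    $negotiate = $State.NegotiateClientCertificate -eq 'Enabled'
    $tls13Off  = $State.DisableTls13 -eq 'Set'

    if ($negotiate) {
        $verdict = 'Client certificate is requested in the initial handshake; works under TLS 1.2 and TLS 1.3.'
        $fix     = 'None needed.'
    } elseif ($tls13Off) {
        $verdict = 'TLS 1.3 is disabled on this binding, so the certificate can be requested by TLS 1.2 renegotiation (the fix from the answer).'
        $fix     = 'Optional: enable client-certificate negotiation instead and re-enable TLS 1.3.'
    } else {
        $verdict = 'TLS 1.3 allowed and certificate only requested by renegotiation, which TLS 1.3 forbids; expect ClientCertificate.IsPresent to stay false.'
        $fix     = "Re-add the binding with clientcertnegotiation=enable (preferred) or disabletls13=enable, e.g.`n" +
                   "netsh http add sslcert ipport=$($State.Binding) certhash=<thumbprint> appid={<guid>} clientcertnegotiation=enable"
    }

    [pscustomobject]@{ Binding = $State.Binding; Verdict = $verdict; Recommendation = $fix }
}

# Usage: replace the binding with the one shown in your IIS "Edit Binding" dialog.
# Test-ClientCertRequested -State (Get-SslBindingState -HostPort '0.0.0.0:443')
```

`Get-SslBindingState` takes the netsh text as a parameter so you can capture `netsh http show sslcert` once, save it, and compare the binding before and after changing it; the `<thumbprint>` and `{<guid>}` in the suggested command are placeholders for your own certificate hash and IIS application id.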