Windows developers and administrators who depend on client-certificate (mTLS) workflows will need to keep using workarounds: a structural limitation introduced by TLS 1.3 and the way Windows handles TLS in kernel (http.sys / Schannel) means IIS Express on Windows 11 cannot reliably request a client certificate after the initial handshake, Microsoft engineers confirm, and a permanent, transparent fix for the lightweight developer server looks unlikely in the near term. (techcommunity.microsoft.com) (techzine.eu) (windowsreport.com)
Windows uses the Schannel TLS stack and the HTTP Server API (http.sys) to terminate TLS connections at kernel level before IIS or IIS Express sees HTTP requests. Because TLS is handled entirely by http.sys, servers that previously relied on renegotiation to ask a client for a certificate after the initial handshake now run up against two constraints: (1) TLS 1.3 removed renegotiation; and (2) post‑handshake client authentication is not broadly supported by browsers or HTTP stacks. The net result: if a server asks for a client cert “later” in the request lifecycle, the http.sys + Schannel combination often cannot fulfill that request under TLS 1.3, which breaks mTLS flows that were designed around the older model. Microsoft’s own IIS support documentation explains this architecture and the compatibility gap. (techcommunity.microsoft.com)
ort binding. This requires
Windows developers and administrators should plan for a short-term maintenance burden: implement a reproducible workaround in your test and CI environments, update runbooks to avoid accidental TLS regressions, and prefer solutions that preserve TLS 1.3 where possible. The interoperability problem at the heart of this issue is rooted in protocol design and ecosystem adoption — it’s solvable, but it requires coordinated fixes across clients, servers, and tooling rather than a single one-line patch. (datatracker.ietf.org) (techcommunity.microsoft.com)
Source: Techzine Global An important internet security feature will remain missing in Windows 11
Source: Windows Report Microsoft confirms TLS 1.3 breaks IIS Express client certificate handling on Windows 11
Background
What changed in TLS 1.3 — and why it matters here
TLS 1.3 removed the old TLS “renegotiation” mechanism found in TLS 1.2 and earlier and instead defines a post‑handshake authentication mechanism for requesting client certificates after the main handshake completes; that extension exists in the standard but is optional and not widely implemented by clients or allowed in all application-layer protocols. RFC 8446 (TLS 1.3) documents the protocol changes and the post‑handshake auth extension, and RFC 8740 (HTTP/2 + TLS 1.3) explicitly warns that post‑handshake CertificateRequest messages are incompatible with HTTP/2, effectively limiting where this feature can work on the modern web. (datatracker.ietf.org) (ietf.org)Windows uses the Schannel TLS stack and the HTTP Server API (http.sys) to terminate TLS connections at kernel level before IIS or IIS Express sees HTTP requests. Because TLS is handled entirely by http.sys, servers that previously relied on renegotiation to ask a client for a certificate after the initial handshake now run up against two constraints: (1) TLS 1.3 removed renegotiation; and (2) post‑handshake client authentication is not broadly supported by browsers or HTTP stacks. The net result: if a server asks for a client cert “later” in the request lifecycle, the http.sys + Schannel combination often cannot fulfill that request under TLS 1.3, which breaks mTLS flows that were designed around the older model. Microsoft’s own IIS support documentation explains this architecture and the compatibility gap. (techcommunity.microsoft.com)
What’s broken — concrete symptoms and scope
IIS Express (developer server)
Developers using Visual Studio and IIS Express to test applications locally that require client certificates (mTLS) will observe two primary failure modes depending on the Windows 11 build:- On Windows 11 builds before 24H2 (and Windows Server 2022): the client connection can be dropped with generic network errors such as ERR_CONNECTION_RESET.
- On Windows 11 24H2 and later (and Windows Server 2025): http.sys may return an ERROR_NOT_SUPPORTED condition and IIS Express surfaces an HTTP 500.0 with an error code 0x80070032. (windowsreport.com) (techzine.eu)
Full IIS (server) — a different profile
Full IIS (on server SKUs) has more control over http.sys bindings and, in newer server codepaths, Microsoft has exposed a “Negotiate Client Certificate” binding option (mapped to http.sys’s clientcertnegotiation property) that requests a client certificate during the initial TLS handshake — avoiding the post-handshake trap. That change is available in later Windows Server / IIS builds and provides a workable path for production servers, but that same capability does not exist for IIS Express because its http.sys bindings are created and managed differently (and often by Visual Studio). (techcommunity.microsoft.com)Deep technical explanation
Why renegotiation mattered and why TLS 1.3 removed it
Renegotiation (TLS ≤1.2) allowed a server to initiate a secondary handshake inside an established secure channel to request a client certificate for access to specific resources. Privacy and security problems with the old renegotiation mechanism led to its removal in TLS 1.3; the protocol instead defines a post‑handshake authentication extension for the same goal, but the extension is optional and requires client and server support, and may interact poorly with HTTP/2 and other protocols. RFC 8446 explains the design choices and includes the post_handshake_auth extension; RFC 8740 clarifies the constraints for HTTP/2. (datatracker.ietf.org) (ietf.org)http.sys and the kernel boundary
On Windows, the TLS handshake and certificate negotiation are performed in kernel-mode by http.sys and Schannel, and those kernel components must know, up front, whether a client certificate should be requested in the initial ClientHello/ServerHello handshake. If the client did not include a certificate and the server asks for it later (the model older IIS deployments used), http.sys has to rely on TLS 1.3 post‑handshake semantics to get it — semantics that most browsers and some middleboxes do not implement, or that HTTP/2 forbids. Because IIS Express receives requests only after http.sys completes the TLS handshake, IIS Express cannot transparently force a client certificate into an already-completed handshake unless the underlying binding was created to negotiate a client certificate during the first exchange. Microsoft’s support guidance and the IIS team’s blog explain this interaction and list concrete workarounds. (techcommunity.microsoft.com)Microsoft’s position and public reporting
Microsoft engineers acknowledge that the default use of TLS 1.3 on Windows 11 is causing compatibility problems for IIS Express with client certificates, and they’ve documented that the structural cause is tied to TLS 1.3 behavior and http.sys handling. Public reporting from trade outlets and community coverage confirms the issue and reproduces Microsoft guidance: the vendor has outlined workarounds but has not promised a universal repair for IIS Express, and at least one Microsoft support professional has indicated uncertainty about whether a transparent, permanent fix will be produced for the developer server. (windowsreport.com) (techzine.eu) (neowin.net)Workarounds: what you can do today (pros, cons, steps)
Microsoft and community responders converge on three pragmatic workarounds for developers and admins. Each fixes the immediate test/compatibility problem but carries tradeoffs.1) Disable inbound TLS 1.3 on the workstation (fast, machine‑wide)
Disable TLS 1.3 for the server role in Schannel so the system falls back to TLS 1.2 for inbound connections. This pushes TLS negotiation back to the older model where renegotiation (or server behavior expected by IIS Express) would work.- How (summary): create the
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Serverkey and setDisabledByDefault = 1andEnabled = 0; then reboot. Microsoft’s TLS registry guidance documents the protocol control registry paths for Schannel. (learn.microsoft.com) (techcommunity.microsoft.com) - Pros: Simple, machine-level change; works broadly for local IIS Express testing.
- Cons: Security trade‑off — you revert to older TLS behavior and lose TLS 1.3 security/performance benefits for inbound sessions; this is machine-wide and may be undesirable on production or multi-purpose workstations.
2) Reconfigure the http.sys binding to request client certs up front (surgical)
Edit the specific https binding used by your IIS Express project at the http.sys level so thatclientcertnegotiation is enabled on that IPort binding. This requires netsh http commands to delete and re-create the binding with clientcertnegotiation=Enable and administrative rights.- How (summary): run
netsh http show ssl ipport=0.0.0.0:<port>to inspect, delete the binding, and re-add it usingnetsh http add ssl ipport=0.0.0.0:<port> certhash=... appid={...} certstorename=MY clientcertnegotiation=Enable. Detailed guidance and examples are included in Microsoft’s IIS support guidance. (techcommunity.microsoft.com) - Pros: Targets just the binding you need; preserves TLS 1.3 for the rest of the system.
- Cons: Requires admin rights; Visual Studio or other tooling may re-create or overwrite bindings during updates or project changes; error-prone if you don’t preserve the exact certificate hash, appid and other binding metadata.
3) Remove local client-cert requirements from applicationhost.config (dev-only)
Remove theSslNegotiateCert / SslRequireCert flags from the IIS Express applicationhost.config used by your project (typically in the .vs\<project>\config folder) and mock or emulate client authentication in a different way locally.- How (summary): edit the
applicationhost.configand removesslFlags="SslNegotiateCert"(orSslRequireCert) for local testing; then adjust application code to conditionally bypass client-cert checks in dev. (techcommunity.microsoft.com) - Pros: Quick and completely inside the dev project.
- Cons: Only for local testing — you must not merge such changes into production code; this weakens local security tests and can hide integration issues that appear in production.
4) Consider alternate TLS termination for development
Run Kestrel with a locally configured TLS endpoint, use a reverse proxy (e.g., Nginx or HAProxy in a container) that you control and can configure to request client certs at the initial handshake, or test on a full IIS instance with the Negotiate Client Certificate option. These approaches move TLS termination outside of the http.sys binding model used by IIS Express and allow precise control of the handshake.- Pros: Cleaner separation, closer-to-production tests if you mirror your production TLS termination.
- Cons: More setup overhead; might change network topology compared to IIS Express.
Security analysis — tradeoffs and risks
- Disabling TLS 1.3 is a security regression for inbound sessions. TLS 1.3 simplifies secure handshake semantics, improves forward secrecy guarantees, and removes legacy cryptographic weaknesses; falling back to TLS 1.2 reduces those gains. Use this only on isolated development machines where risk is understood. (datatracker.ietf.org)
- Editing http.sys bindings (netsh) to request client certs during the initial handshake is a safer compromise, because it preserves TLS 1.3 while making the binding explicitly request certificates at the start of the TLS exchange. The risk here is operational: incorrect binding updates, administrative mistakes, and tool/IDE updates might overwrite changes. Carefully script or document your binding edits. (techcommunity.microsoft.com)
- Removing client-cert requirements from local configs undermines the fidelity of local testing. That can allow regressions (for instance, accidentally shipping code that assumes client certs will always be present). Only use this with strict guardrails — e.g., environment-specific configuration flags and CI gates. (techcommunity.microsoft.com)
- Long-term risk: relying on post‑handshake behavior relies on broader ecosystem adoption (clients, browsers) of RFC 8446’s post_handshake_auth semantics. RFC 8740 and the browser landscape indicate that HTTP/2 and web browsers have limited appetite for post‑handshake CertificateRequest usage, which reduces the odds that a universal fix will arrive quickly. This is a standards and interoperability problem, not just a Windows bug. (datatracker.ietf.org) (ietf.org)
Practical guidance — what to do now (prioritized)
- Identify every development and test flow that uses client certificates (IIS Express, integration tests, CI runners). Inventory the precise bindings and ports used by Visual Studio, Docker, or other dev hosts.
- If you need quick relief on a single workstation, reconfigure the affected binding using
netsh http add ssl … clientcertnegotiation=Enablerather than disabling TLS 1.3 globally. Document the change and script it for reproducibility. (techcommunity.microsoft.com) - For CI pipelines and automated tests, move TLS termination to a containerized reverse proxy or test harness you control (Kestrel, Nginx) so you can negotiate client certs in the initial handshake.
- Avoid permanent code changes that bypass client-cert checks in production. Use environment flags to isolate dev-only behavior.
- For production servers that must require mTLS with TLS 1.3, deploy to platforms where you can control http.sys or use load-balancers / TLS terminators that offer initial-client-cert negotiation; full IIS on newer server builds exposes the binding option you need. (techcommunity.microsoft.com)
Broader context: Windows 11’s security posture and the paradox of “missing” features
Windows 11 ships with a raised security baseline — TPM 2.0, Secure Boot, virtualization-based protections — and Microsoft has emphasized hardware-based security and stronger defaults in recent releases. Yet this TLS/IIS Express issue shows that raising baseline security in one layer (forcing TLS 1.3 by default) can reveal architectural mismatches elsewhere in the stack that break legitimate, widely-used workflows (developer testing, certificate-based authentication). WindowsForum community discussions reflect the tension between “secure by default” and compatibility for enterprise and developer tooling; administrators need to weigh the operational consequences of changing protocol defaults.What Microsoft could (and should) do
- Provide an officially supported, documented workflow or tooling in Visual Studio / IIS Express that ensures http.sys bindings created for local development are configured with clientcertnegotiation if the project needs mTLS. That would reduce the fragility of manual netsh edits and keep TLS 1.3 enabled. The Microsoft IIS team’s blog post describes the root cause and possible fixes, but the missing convenience path for IIS Express is the core pain point for developers. (techcommunity.microsoft.com)
- Coordinate ecosystem guidance with browser vendors and reverse-proxy maintainers on whether and when post‑handshake client auth will be broadly supported, or provide a de‑facto “initial-certificate negotiation” extension for common app stacks. Standards alignment would ease long-term integration. RFC-level constraints and HTTP/2 rules complicate this, so multi‑vendor coordination is essential. (datatracker.ietf.org) (ietf.org)
- Offer an official Visual Studio / IIS Express patch or an opt-in configuration that persists across updates, which avoids the hacks and brittle netsh edits currently required.
Final assessment — strengths, risks, and the takeaway for IT pros
- Strengths: The issue is well‑documented, reproducible, and Microsoft and community spokespeople have provided clear workarounds and a technical explanation. The vendor has already fixed the full IIS/http.sys binding model in newer server releases, showing the pathway to a durable solution for production servers. (techcommunity.microsoft.com)
- Risks: The recommended “fast” fixes either reduce security (disabling TLS 1.3) or introduce operational fragility (manual netsh binding edits overwritten by tooling). The larger ecosystem (browsers, HTTP/2) does not uniformly support the TLS 1.3 post‑handshake certificate flows that would let IIS/IIS Express behave like they did under renegotiation. This makes a clean, backward‑compatible fix for IIS Express unlikely unless tooling is changed. (datatracker.ietf.org) (ietf.org)
- Takeaway: Treat the current state as a compatibility gap, not a security bug in isolation. If you rely on mTLS in development or production, adopt one of the supported workarounds: enable explicit client-certificate negotiation on the binding (preferable), move TLS termination to a controllable test proxy, or isolate the environment where TLS 1.3 is temporarily disabled — and document those choices. Continuously monitor Microsoft’s IIS support channels for any updates to IIS Express or Visual Studio that might introduce persistent, supported binding options. (techcommunity.microsoft.com) (windowsreport.com)
Windows developers and administrators should plan for a short-term maintenance burden: implement a reproducible workaround in your test and CI environments, update runbooks to avoid accidental TLS regressions, and prefer solutions that preserve TLS 1.3 where possible. The interoperability problem at the heart of this issue is rooted in protocol design and ecosystem adoption — it’s solvable, but it requires coordinated fixes across clients, servers, and tooling rather than a single one-line patch. (datatracker.ietf.org) (techcommunity.microsoft.com)
Source: Techzine Global An important internet security feature will remain missing in Windows 11
Source: Windows Report Microsoft confirms TLS 1.3 breaks IIS Express client certificate handling on Windows 11