Microsoft confirms TLS 1.3 breaks IIS Express client certificate handling on Windows 11
Workarounds available, but there's no official fix yet
A Microsoft engineer has confirmed that TLS 1.3’s default use in Windows 11 is causing compatibility problems for IIS Express when working with client certificates. The issue, which also affects full IIS under some conditions, stems from TLS 1.3’s lack of support for a feature called renegotiation.
Renegotiation allowed servers on TLS 1.2 and earlier to request a client certificate partway through an encrypted session. Without it, IIS Express cannot validate client certificates unless they are requested during the initial TLS handshake, and because IIS Express depends on Windows’ http.sys driver for handling TLS, it gets control too late to intervene.
The change affects developers testing projects that rely on mutual TLS (mTLS). On older Windows 11 builds and Server 2022, the browser simply resets the connection; on version 24H2 and Server 2025, IIS responds with a 500.0 Internal Server Error and error code 0x80070032, which translates to “not supported”.
Microsoft has not announced a permanent fix for IIS Express, and it’s unclear if it will roll out one in the future. For now, developer Matt Hamrick suggests three possible workarounds:
- First, disable inbound TLS 1.3 via registry edits. This forces Windows to use TLS 1.2 for local server sessions.
- If that doesn’t resolve it, modify the http.sys bindings with netsh so that certificates are requested during the initial handshake.
- If neither works, remove the client certificate requirement from the IIS Express configuration file, if possible.
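As an added example (not the article’s own and not a script from Matt Hamrick), the following PowerShell helper shows what the first two workarounds look like in practice: a check of the Schannel registry state, a function that disables inbound TLS 1.3, and a function that rebinds a port in http.sys with `clientcertnegotiation=enable`, which is the netsh equivalent of the Negotiate Client Certificate binding option. The Schannel registry path is the standard Windows one; the port, certificate thumbprint and application GUID are placeholders you must replace with the values shown by `netsh http show sslcert` for your own IIS Express binding, and the script assumes an elevated prompt.

```powershell
# Added example, not from the article or from Matt Hamrick.
# Assumptions: run elevated; the Schannel key layout below is the standard one;
# $IpPort, $CertHash and $AppId are placeholders supplied by the caller.

$Tls13Server = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server'

function Get-InboundTls13State {
    # Reports whether inbound (server-side) TLS 1.3 has been explicitly disabled.
    # With no key present, Windows 11 enables TLS 1.3 by default.
    if (-not (Test-Path $Tls13Server)) { return 'default (enabled)' }
    $v = Get-ItemProperty -Path $Tls13Server
    if ($v.Enabled -eq 0 -and $v.DisabledByDefault -eq 1) { return 'disabled' }
    return 'enabled'
}

function Disable-InboundTls13 {
    # Workaround 1: make http.sys negotiate TLS 1.2 for inbound connections so
    # renegotiation-based client certificate requests work again. Only the Server
    # subkey is touched; outbound (Client) TLS 1.3 stays enabled. Schannel reads
    # these values at boot, so a reboot is normally required afterwards.
    New-Item -Path $Tls13Server -Force | Out-Null
    New-ItemProperty -Path $Tls13Server -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $Tls13Server -Name DisabledByDefault -PropertyType DWord -Value 1 -Force | Out-Null
}

function Set-InitialHandshakeClientCert {
    # Workaround 2: re-create the http.sys SSL binding with clientcertnegotiation
    # enabled, so the client certificate is requested in the initial handshake
    # rather than through renegotiation (which TLS 1.3 does not support).
    param(
        [Parameter(Mandatory)][string]$IpPort,    # placeholder, e.g. '0.0.0.0:44300'
        [Parameter(Mandatory)][string]$CertHash,  # placeholder: server cert thumbprint
        [Parameter(Mandatory)][string]$AppId      # placeholder: GUID from 'netsh http show sslcert'
    )
    # Record the existing binding first so it can be restored by hand if needed.
    $existing = netsh http show sslcert "ipport=$IpPort"
    Write-Verbose ($existing -join "`n")
    netsh http delete sslcert "ipport=$IpPort" | Out-Null
    netsh http add sslcert "ipport=$IpPort" "certhash=$CertHash" "appid={$AppId}" clientcertnegotiation=enable
}

# Usage (placeholders; uncomment the mutating calls deliberately):
"Inbound TLS 1.3: $(Get-InboundTls13State)"
# Disable-InboundTls13
# Set-InitialHandshakeClientCert -IpPort '0.0.0.0:44300' -CertHash '<thumbprint>' -AppId '<guid>'
```

Run `Get-InboundTls13State` first to confirm the machine is still on the default, then apply only one of the two mutating functions and retest the mTLS endpoint; both changes are system-wide, so a reboot (for the registry change) or a Visual Studio update (for the rebound port) can undo or invalidate them, as the article notes.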
Hamrick also warns that some of these methods may require administrative privileges or could be reset during Visual Studio updates. Full IIS on Windows Server 2025 already includes a Negotiate Client Certificate option for site bindings, giving administrators more control.
IIS Express, however, lacks that flexibility because its bindings are preconfigured by Visual Studio, limiting direct management. In addition, most web browsers do not yet support the TLS 1.3 extension for post-handshake authentication, so the problem is as much about client support as it is about server settings.
As of now, Microsoft hasn’t detailed whether IIS Express will receive a proper fix. Hamrick himself wrote that he is “not sure if there will be a fix and what it will look like if there is.” For now, developers building on IIS Express must rely on workarounds or adjust their configurations.