RE: Client certificate authentication

Hi Jewett,

Can you tell me which OS version you are experiencing this problem on, and
which security protocol you are using with SSPI, SSL or Kerberos?

I assume you mean that AcceptSecurityContext() does not return

This problem looks like the symptom described in the article below; can you
check whether it is the same problem?
"SSPI Mutual Authentication Is Indicated on the Client Side But Not on the
Server Side"

I have seen a known issue where AcceptSecurityContext() does not return
ASC_RET_MUTUAL_AUTH when using SSPI with SSL (Schannel). Below are some
details:

The AcceptSecurityContext function will return ASC_RET_MUTUAL_AUTH if a
client certificate was received from the client and Schannel was
successfully able to map the certificate to a user account in AD. This is a
mandatory requirement of the Schannel mutual authentication design.

The certificate mapping requirement is documented in "Authenticating the
client" at:

The Windows Schannel implementation will attempt to map the certificate to a
user account in AD in order for AcceptSecurityContext() to return
ASC_RET_MUTUAL_AUTH. This is done so that the server can make
authorization decisions based on the impersonation access token.

The Certificate Mapping process is documented at:

Certificate mapping is the process of mapping a client authentication
certificate to a domain user account in AD. This operation is done on the
domain controller of the AD domain, either manually or programmatically
during installation. This step is required for AcceptSecurityContext to

However, this is not actually required if you simply want to check/validate
the client authentication certificate in the server code. But
AcceptSecurityContext() will not return ASC_RET_MUTUAL_AUTH unless Schannel
was successfully able to map the client authentication certificate to a
user account in AD. This is a mandatory requirement of the Schannel mutual
authentication design on the server side.

I will wait for your further feedback and information. Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
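The reply above separates two things: validating the client certificate yourself, and the AD certificate mapping that Schannel needs before AcceptSecurityContext() will report ASC_RET_MUTUAL_AUTH. The following PowerShell script is an added example, not code from the original thread or from Microsoft, that does both checks against a certificate taken from a store or exported from the failing client. It assumes it runs on Windows with the ActiveDirectory module installed, and that mapping is either implicit (a UPN in the certificate's SAN) or explicit (an altSecurityIdentities value on the user object); the function and parameter names are this example's own, and the altSecurityIdentities lookup is a diagnostic heuristic, not the exact comparison Schannel performs.

```powershell
# Added example, not code from the original thread. Given a client
# authentication certificate, it (1) validates the chain and the Client
# Authentication EKU itself, the check the reply says the server can do
# without relying on ASC_RET_MUTUAL_AUTH, and (2) looks for the AD account
# that Schannel would need to map the certificate to.
# Assumptions: Windows, ActiveDirectory module available, mapping via UPN in
# the SAN (implicit) or altSecurityIdentities (explicit). Names are my own.

function Test-SchannelClientCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
    $report = [ordered]@{
        Subject          = $Certificate.Subject
        Thumbprint       = $Certificate.Thumbprint
        ChainValid       = $false
        ChainStatus      = 'OK'
        HasClientAuthEku = $false
        Upn              = $null
        MappedAccount    = $null
        AltSecurityIds   = @()
        LikelyMapped     = $false
    }

    # (1) Chain validation with the client-auth application policy, so a
    # chain-valid certificate issued for another purpose is still rejected.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $null = $chain.ChainPolicy.ApplicationPolicy.Add(
        (New-Object System.Security.Cryptography.Oid $clientAuthOid))
    $report.ChainValid = $chain.Build($Certificate)
    if (-not $report.ChainValid) {
        # Collect the reasons (e.g. NotValidForUsage, RevocationStatusUnknown)
        $report.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }

    # Separate EKU check so the report says why a chain build failed.
    $eku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($eku) {
        $report.HasClientAuthEku =
            @($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid }).Count -gt 0
    }

    # (2) Implicit mapping: Schannel uses the UPN carried in the SAN otherName.
    # On Windows, Format() renders that entry as "Principal Name=<upn>".
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san -and ($san.Format($false) -match 'Principal Name=([^,\s]+)')) {
        $report.Upn = $Matches[1]
    }

    # Find the account the UPN points at; failing that, look for an explicit
    # mapping. With neither, AcceptSecurityContext() has nothing to map to.
    Import-Module ActiveDirectory -ErrorAction Stop
    $user = $null
    if ($report.Upn) {
        $user = Get-ADUser -Filter "userPrincipalName -eq '$($report.Upn)'" `
                           -Properties altSecurityIdentities
    }
    if (-not $user) {
        # Heuristic: any account whose altSecurityIdentities mentions this
        # certificate's subject CN. Schannel's own comparison uses the full
        # X509:<I>issuer<S>subject string, so inspect the listed values by hand.
        $cn = $Certificate.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        $user = Get-ADUser -LDAPFilter "(altSecurityIdentities=X509:*$cn*)" `
                           -Properties altSecurityIdentities | Select-Object -First 1
    }
    if ($user) {
        $report.MappedAccount  = $user.SamAccountName
        $report.AltSecurityIds = @($user.altSecurityIdentities)
        $report.LikelyMapped   = $true
    }

    [pscustomobject]$report
}

# Usage: take the client certificate from the local store (or Import it from
# a .cer exported on the failing client) and run the checks.
# $cert = Get-ChildItem Cert:\CurrentUser\My |
#     Where-Object { $_.Subject -like 'CN=jsmith*' } | Select-Object -First 1
# Test-SchannelClientCertificate -Certificate $cert | Format-List
```

A report with ChainValid and HasClientAuthEku true but LikelyMapped false is the situation the reply describes: the server can accept the certificate on its own evidence, but Schannel has no AD account to map it to, so ASC_RET_MUTUAL_AUTH will not be set. Fix the mapping (add the UPN to the account or create an explicit altSecurityIdentities entry on the domain controller) rather than treating the missing flag as a handshake failure.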