Microsoft Acknowledges TLS 1.3 Issues Affecting IIS Express Client Certificate Handling on Windows 11

A Microsoft engineer has confirmed that the implementation of TLS 1.3 in Windows 11 is leading to compatibility issues with IIS Express when it comes to handling client certificates. This problem, which can also affect the full IIS under certain conditions, arises due to TLS 1.3’s exclusion of a feature called renegotiation.

Previously, renegotiation allowed servers using TLS 1.2 or earlier to request a client certificate during an active encrypted session. Without it, IIS Express can only authenticate a client certificate if it is requested at the start of the TLS handshake. Because IIS Express delegates TLS handling to the Windows http.sys driver, it gains control of the connection only after the handshake has completed, which is too late to request the certificate.

This change impacts developers who rely on mutual TLS (mTLS) for testing projects. In older Windows 11 builds and on Server 2022, the connection is simply reset by the browser. In contrast, on version 24H2 and Server 2025, IIS will respond with a 500.0 Internal Server Error and the error code 0x80070032, indicating a lack of support.

Currently, Microsoft has not provided a permanent resolution for IIS Express, and it remains uncertain whether one will be made available in the future. Developer Matt Hamrick has proposed three potential workarounds:

  1. Disable inbound TLS 1.3 through registry edits to ensure Windows defaults to using TLS 1.2 for local server sessions.
  2. Modify http.sys bindings using netsh, which allows for client certificate requests during the initial handshake.
  3. If the above options fail, consider removing the requirement for client certificates from the IIS Express configuration file.
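The first two workarounds as an elevated PowerShell session, written as an added example rather than anything from the article or from Microsoft; the port, certificate thumbprint and application ID are placeholders that must be read from the existing binding with `netsh http show sslcert`, and workaround 1 is left as a function that is not called by default because it changes Schannel for every server-side TLS endpoint on the machine and needs a reboot.

```powershell
# Added example: re-create the http.sys SSL binding so the client certificate is
# requested in the initial handshake (workaround 2), with workaround 1 as a fallback.
# Placeholders (assumed, not from the article): the IIS Express HTTPS port, the
# thumbprint and the appid shown by 'netsh http show sslcert' for that binding.
$IpPort   = '0.0.0.0:44300'
$CertHash = '<thumbprint from netsh http show sslcert>'
$AppId    = '{<appid from netsh http show sslcert>}'

if ($CertHash -like '<*' -or $AppId -like '{<*') {
    throw 'Fill in CertHash and AppId from "netsh http show sslcert" before running.'
}

# Step 1: inspect the current binding; "Negotiate Client Certificate : Disabled"
# is the setting that forces a renegotiation TLS 1.3 no longer allows.
netsh http show sslcert "ipport=$IpPort"

# Step 2: delete and re-add the binding with clientcertnegotiation=enable, so
# http.sys asks for the client certificate during the handshake itself.
netsh http delete sslcert "ipport=$IpPort"
netsh http add sslcert "ipport=$IpPort" "certhash=$CertHash" "appid=$AppId" clientcertnegotiation=enable

# Step 3: verify the change took effect; expect "Negotiate Client Certificate : Enabled".
# Note: Visual Studio updates may recreate the binding and revert this.
netsh http show sslcert "ipport=$IpPort"

# Workaround 1 (not invoked by default): disable inbound TLS 1.3 in Schannel so the
# local server falls back to TLS 1.2, where renegotiation is still available.
function Disable-InboundTls13 {
    $Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server'
    New-Item -Path $Key -Force | Out-Null
    New-ItemProperty -Path $Key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $Key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    Get-ItemProperty -Path $Key | Select-Object Enabled, DisabledByDefault
    Write-Warning 'Affects every inbound TLS endpoint on this machine; reboot to apply.'
}
# Disable-InboundTls13   # uncomment only if workaround 2 does not resolve the error
```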

It’s important to note that some of these solutions may necessitate administrative permissions or could revert following updates to Visual Studio. Additionally, IIS on Windows Server 2025 does feature a Negotiate Client Certificate option, thus providing greater flexibility to administrators compared to IIS Express, whose bindings are preset by Visual Studio, limiting management capabilities.

Moreover, many web browsers have yet to adopt the TLS 1.3 post-handshake authentication extension, so client-side support is also a limiting factor. As it stands, Microsoft has not indicated whether a definitive fix for IIS Express will be forthcoming, and Hamrick expressed uncertainty about a solution’s availability and form.

For additional insights, refer to the discussions on TLS 1.3 compatibility issues and the meaning of error code 0x80070032.
