IIS Internal Server Error 500 when client certificates enabled
Scenario:
- AWS hosted EC2
- Machine running IIS directly.
- Default inetpub/wwwroot setup
- Installed self-signed certs to enable HTTPS.
- Open browser to localhost - OK.
- Open browser to https://localhost - Ok (but warning of unsecure SSL cert but works for test purposes and resolves request).
- Go back to default website settings and pick SSL settings.
- Change option to ACCEPT Client Certificates (default is ignore).
- Open browser to localhost - OK.
- Open browser to https://localhost - FAIL -

Internal Server Error with code 0x80070032
From this error, I found MS Error info:
Description of HRESULT ISAPI filter drive:\FilePath\ISAPI_FLT.dll tried to register for SF_NOTIFY_READ_RAW_DATA notification.
I need to authenticate users and provide secure ID card information, but why fail out-the-gate even with the default IIS and nothing I am doing special otherwise?
Will eventually be running C# MVC Razor pages / Kestrel, but cant even get this basic component going before putting in anything else.
Top Answer/Comment:
You’re hitting this because simply switching IIS to “Accept client certificates” isn’t enough — IIS will attempt to negotiate a client certificate during the TLS handshake, but your HTTPS binding is using a self-signed server cert with no client-trust chain and no client cert installed/mapped. The handshake fails before IIS can serve the default page, so you see 0x80070032 at BeginRequest.
To get mTLS working locally:
- Create a test CA + server cert + client cert (not just a single self-signed cert).
- Install the client cert in your browser's personal certificate store.
- Install the root CA into Trusted Root Certification Authorities on the server.
- IIS → SSL Settings:
Require SSL (once working)
Client Certificates → Accept (or Require, after validation)
- If you're doing mapping: enable Client Certificate Mapping Authentication under Authentication in IIS.
- Restart IIS.
For local testing, PowerShell New-SelfSignedCertificate works, but you need to generate a chain (root → server → client).
If you run into issues generating the cert chain or mapping client certs, this might help you:
https://learn.microsoft.com/iis/manage/configuring-security/configure-client-certificate-mapping-authentication
상단 광고의 [X] 버튼을 누르면 내용이 보입니다