Score:1

Browser not prompting for certificate - IIS 10.0


I have an application that was working fine in IIS 8.5 and used this setting in the web.config file for client certificate (smartcard) login on one path. I had to migrate this application to IIS 10.0 and everything is working except that the application does not prompt for the certificate and simply throws an error in the code that there is no certificate.

I have double-checked and triple-checked all the settings in IIS; the certificate is the same, the SSL settings are the same. The application is a simple .NET Core application and it works perfectly with the exception of the certificate prompt. Is there something that is different in IIS 10 from 8.5 that I could be missing? The portion of the web.config that enables the browser to prompt for the certificate, I believe, is this part here. The developer who did this is no longer with us and I would appreciate any help with this. Is there something that I need to check in IIS other than what I have already checked?

I went through some other posts and made sure that the root and intermediate certificates are in the cert store, etc. The app itself loads fine with the SSL certificate.

<location path="SmartCard">
  <system.webServer>
    <security>
      <!-- Ssl,SslNegotiateCert: require HTTPS and ask the browser for a client
           certificate on this path, but do not reject requests that send none
           (SslRequireCert would). -->
      <access sslFlags="Ssl,SslNegotiateCert" />
    </security>
  </system.webServer>
</location>
Score:0

All things being equal, it should work the same!

That's the key part though - perhaps not all things are equal above the level of the web.config? (or below - that web.config will apply only to a SmartCard folder which is part of the same HTTP URL path, based on that location tag)

Windows\System32\InetSrv\config\ApplicationHost.config tends to accrue things over time and people make server-level configuration changes they forget.

So, possible options:

  • Check that there's a server certificate with private key installed and that the site bindings include HTTPS
    • I know you've mentioned using the site over SSL works - this should prove that
  • Dump out the effective settings for the site from the working server and compare with dumped settings for the nonworking server
    • for bonus points, something like Web Deployment Tool might help with that
    • manual method:
      • APPCMD LIST CONFIG http://site/pathabovesmartcard/ /text:* >working.txt (on the working server)
      • APPCMD LIST CONFIG http://site/pathabovesmartcard/ /text:* >NONworking.txt (on... you guessed it, the nonworking server!)
      • and then compare them with a text editor or a judicious eye
      • leave out /text:* if you prefer XML
  • Add to that a NETSH SHOW SERVICESTATE comparison from each for a quick review of HTTP.SYS queues

That's actually the expurgated version - you can also look at the complete contents of applicationhost.config unfiltered by site (and organized sensibly at first, then linearly with subsequent changes) in Windows\System32\InetSrv\Config, and that might be easier (or way harder).
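The comparison procedure above, as an added PowerShell script that is not part of the original question or answer. It runs elevated on each server and writes one text file containing the settings that decide whether a browser is asked for a client certificate on a path: the site's HTTPS bindings, the HTTP.SYS SSL binding (including its "Negotiate Client Certificate" flag), the effective sslFlags on the path, whether applicationHost.config still locks the access section (it ships locked, so a web.config sslFlags only takes effect where someone unlocked it), the full appcmd dump from the answer, and netsh http show servicestate. The site name 'Default Web Site' is an assumption; 'SmartCard' is the location path from the question.

```powershell
# Added example, not code from the original post: dump the IIS and HTTP.SYS
# settings behind client-certificate negotiation for one path to a text file,
# so the dumps from the IIS 8.5 and IIS 10.0 servers can be diffed.
# Run in an elevated PowerShell on each server.
param(
    [string]$SiteName = 'Default Web Site',                   # assumption: adjust to your site
    [string]$AppPath  = 'SmartCard',                          # <location path="SmartCard"> from the question
    [string]$OutFile  = "$env:COMPUTERNAME-clientcert-dump.txt"
)

Import-Module WebAdministration
$appcmd  = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$apphost = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$report  = New-Object System.Collections.Generic.List[string]

# Run one check, capture its text output, and keep going if a single check fails.
function Add-Section([string]$Title, [scriptblock]$Check) {
    $report.Add("===== $Title =====")
    try   { $report.Add((& $Check | Out-String -Width 200)) }
    catch { $report.Add("ERROR: $($_.Exception.Message)") }
}

# 1. Does the site have an HTTPS binding, and which certificate is bound to it?
Add-Section 'Site bindings' {
    Get-WebBinding -Name $SiteName |
        Select-Object protocol, bindingInformation, certificateHash, certificateStoreName
}

# 2. HTTP.SYS view of the same binding. "Negotiate Client Certificate" shows
#    whether the client certificate is already requested in the initial TLS handshake.
Add-Section 'HTTP.SYS SSL bindings (netsh http show sslcert)' { netsh http show sslcert }

# 3. Effective sslFlags on the path. Ssl,SslNegotiateCert asks for a certificate
#    but accepts requests without one; SslRequireCert would reject them.
Add-Section "Effective sslFlags for $SiteName/$AppPath" {
    Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Location $AppPath `
        -Filter 'system.webServer/security/access' -Name sslFlags
}

# 4. applicationHost.config ships with the access section locked
#    (overrideModeDefault="Deny"); a web.config can only set sslFlags where
#    that lock was changed. Compare this line between the two servers.
Add-Section 'Lock state of system.webServer/security/access in applicationHost.config' {
    Select-String -Path $apphost -Pattern 'name="access"' | ForEach-Object { $_.Line.Trim() }
}

# 5. Everything IIS applies to that path, the manual method from the answer.
Add-Section "appcmd list config $SiteName/$AppPath /text:*" {
    & $appcmd list config "$SiteName/$AppPath" /text:*
}

# 6. HTTP.SYS request queues and registered URLs, for the quick review the answer mentions.
Add-Section 'netsh http show servicestate' { netsh http show servicestate }

$report | Set-Content -Path $OutFile -Encoding UTF8
Write-Host "Wrote $OutFile. Copy both dumps to one machine and diff them, e.g.:"
Write-Host "  Compare-Object (Get-Content .\working.txt) (Get-Content .\nonworking.txt)"
```

Sections 2 and 4 are the ones most likely to differ between a server that prompts and one that does not: if the new server's applicationHost.config still has the access section locked, or the binding was re-created without the negotiation flag, the web.config from the old server is applied differently even though its text is identical. One further caveat worth checking in the browser's developer tools: a client certificate requested only for a sub-path is obtained by TLS renegotiation, and TLS 1.3 has no renegotiation, so if the new server negotiates TLS 1.3 with the browser the behaviour can differ from the 8.5 server even with identical IIS settings.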
