When accessing the SMP Console we are getting a prompt to select a certificate.  If the prompt is canceled, the normal NTLM logon prompt appears.  This happens each time we start a new session. It lists whatever “client authentication” certificates are present on the machine, in the current user’s Personal > Certificates folder.

This happens on Firefox, Chrome, IE, etc., for all users.

Negotiate Client Certificate is Enabled in netsh

8.x

“netsh http show sslcert” on the NS produced:

IP:port                      : 0.0.0.0:443
Negotiate Client Certificate : Enabled

IP:port                      : 0.0.0.0:4726
Negotiate Client Certificate : Enabled

If that shows as Enabled, run these commands to remove the bindings in IIS:

netsh http delete sslcert ipport=0.0.0.0:443
netsh http delete sslcert ipport=0.0.0.0:4726

Go into IIS Manager and re-bind 443 and 4726 to * (any IP) with the appropriate Certificate.

Then run “netsh http show sslcert” again and validate that Negotiate Client Certificate is now Disabled:

IP:port                      : 0.0.0.0:443
Negotiate Client Certificate : Disabled

IP:port                      : 0.0.0.0:4726
Negotiate Client Certificate : Disabled

Additional details may be found here:

https://serverfault.com/questions/129441/iis-requesting-certificates-even-though-set-to-ignore

https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-configure-a-port-with-an-ssl-certificate