Remote Desktop Services weird cert issue

We built a new remote desktop services server just recently. We are very happy with it except for one strange issue. When one of our domain joined laptops launches the login page from either IE or Chrome, a certificate windows pops up asking to use one of our sub-ca certs to login. If I say yes, it gives me a login failure and an IIS screen pops up. If I say no, the cert screen goes away and continues to the correct login page. Its almost as if the site initially once to use the cert for authentication when it should not. Any ideas?

Built on Server 2016
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dirk KotteSECommented:
if you enable certificate based logon to RDS server your Client present you all possible certificates at the PC.
Now you should select the correct cert for logon.
But you should see certificates with private key from the client only .
So you should not see the "sub-ca certs" at the client.
sbodnarAuthor Commented:
I have the  following settings enabled:

Under security layer I selected Negotiate - I can also select RDP Security Layer or SSL (TLS 1.0)

Under encryption level I have selected Client Compatible. I can also select Low, High, FIPS Compliant.

See screenshot attached.
Dirk KotteSECommented:
"security layer - Negotiate" lets you use username/password or certificate if available ... i think
So the certificates stored at your PC are presented first.
Check the certificate store "own certificates"  for user and machine. there should not exist an sub-ca certificate.
Only user-certificates or certs for the local host you should see here.
sbodnarAuthor Commented:
Found the issue, it was a setting in IIS. Client certificates was set to accept on IIS instead of ignore. Set it to ignore and the prompt went away.

Thank you for your input.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Remote Access

From novice to tech pro — start learning today.