You are repeatedly prompted for credentials when you access intranet sources by using certification-based SSO in Windows

Applies to: Windows Server 2012 R2 DatacenterWindows Server 2012 R2 StandardWindows Server 2012 R2 Essentials

This article describes an issue that occurs when you access intranet sources in Windows 8.1, Windows RT 8.1, or Windows Server 2012 R2.A hotfix is available to resolve this issue. The hotfix has a prerequisite. Additional steps of configuration are required to enable this hotfix after installation.


This issue occurs when you connect a non-domain joined computer to a domain network through Wi-Fi.

Note SSO means Single Sign-On.


Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix Download Available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website: Note The "Hotfix Download Available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.


To apply this update, you must have update 2919355 installed in Windows 8.1 or Windows Server 2012 R2.

Registry information

To use the hotfix in this package, you do not have to make any changes to the registry.

Restart requirement

You may have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.

Additional steps to let the resolution work

The server must meet the following requirements:
  • A Windows smart card-based strong authentication in enterprise is deployed. See the deployment guidance for Windows smart cards.
  • Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), Protected Extensible Authentication Protocol (PEAP) together with EAP-TLS, or Extensible Authentication Protocol- Tunneled Transport Layer Security (EAP-TTLS) together with EAP-TLS is configured for wireless connectivity authentication.
Additionally, you must enable the SSO feature in Registry Editor.

To do this, follow these steps:

Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.
  1. In Registry Editor, locate and then click the following registry subkey:

  2. Right-click Configuration, click New, and then click DWORD (32-bit) Value.
  3. Name the new registry entry as EnableUsrCertStoring.
  4. Double-click the EnableUsrCertStoring registry entry.
  5. In the Edit DWORD Value dialog box, type 1 in the Value data field, and then click OK.
  6. Exit Registry Editor.
Note You may be unable to access intranet resources through non-domain joined computers if the SSO feature is enabled without setting up the required server topology.


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


See the terminology that Microsoft uses to describe software updates.