0XC0000714

Fix 0XC0000714: Client Certificate Mapping Not Unique

Cybersecurity & Malware Intermediate 👁 0 views 📅 Jun 10, 2026

This error means two or more accounts on the server map to the same client certificate. Quick fix: remove duplicate mappings in AD or IIS. I'll show you exactly where to look.

I know this error is infuriating — especially when you're trying to roll out certificate-based authentication and suddenly users can't connect. You're staring at STATUS_CERTIFICATE_MAPPING_NOT_UNIQUE (0XC0000714) and thinking, "But I only mapped one account." I've been there. The real fix is almost always a duplicate mapping you didn't know existed.

The Quick Fix: Delete All Mappings for That Certificate

This error happens because Windows can't decide which user account to authenticate — two or more accounts claim the same client certificate. The fastest way to fix it is to nuke every mapping for that cert and re-create only the one you need.

  1. Open Active Directory Users and Computers on a domain controller (or use ADSI Edit if you're feeling brave).
  2. Find the user accounts that might be mapped. Look in CN=Users or wherever your cert-mapped users live.
  3. Check each account's altSecurityIdentities attribute. Run this PowerShell for all users at once:
    Get-ADUser -Filter * -Properties altSecurityIdentities | Where-Object { $_.altSecurityIdentities -like "X509:*" } | Select-Object Name, altSecurityIdentities
  4. Look for duplicate certificate hashes. The mapping looks like X509:<I>issuer<S>serial or X509:<SKI>subjectkeyidentifier. If two users show the same issuer+serial or SKI, that's your problem.
  5. Delete the extra mapping. In ADUC, open the duplicate user's properties, go to the Security tab (or use Attribute Editor), remove the bad altSecurityIdentities entry.
  6. Restart the Active Directory Certificate Services if it's running (not always needed, but if the error persists, do it).

That's it. In 80% of cases, that single delete fixes the error immediately. The user with the remaining mapping now authenticates cleanly.

Why This Works

Windows uses the client certificate's subject key identifier (SKI) or issuer+serial number to find the user's altSecurityIdentities attribute. When two accounts have the same mapping, the Local Security Authority Subsystem Service (LSASS) throws error 0XC0000714. By removing the duplicate, LSASS finds exactly one match and everything clicks.

I've seen this most often when:

  • An admin manually mapped a cert for a user, but a Group Policy or script also created a mapping for a different user with the same cert.
  • You recycled a certificate (reissued with same subject) — the old and new certs share the same issuer+serial, so both mappings still exist.
  • A user's account was migrated or renamed, and the old mapping wasn't cleaned up.

Less Common Variations

If the fix above didn't work, check these spots too:

1. IIS Certificate Mapping

If you're using IIS for web applications, it can have its own certificate mappings. Open IIS Manager, select your site, and double-click Authorization Rules or SSL Settings. Look for Client Certificate Mapping Authentication — any duplicates there will also trigger 0XC0000714. I've seen people map the same cert in both AD and IIS, creating a conflict.

2. NPS (Network Policy Server) Mappings

For VPN or 802.1X authentication, NPS may cache mappings. Run netsh nps show config and check for duplicate certificate entries in the connection request policies. Deleting and re-creating the policy often clears it.

3. Certificate Renewal with Same Subject

If you renewed a cert and the new one has the same subject and serial number (some CAs do this), the old mapping still points to the old cert's hash. The new cert looks identical to LSASS, so it matches both. Solution: remove the old mapping from the user's altSecurityIdentities and add the new one explicitly.

How to Prevent This

Stop guessing which accounts are mapped. A little automation saves you from this headache:

  • Script your mappings. Use PowerShell to add altSecurityIdentities and always check for duplicates with Get-ADUser -Filter * -Properties altSecurityIdentities before adding a new one.
  • Use unique certificate templates. If every user gets a cert from the same template, their serial numbers differ — but their issuer and SKI might collide if the CA reuses keys. Generate a new key pair per certificate to avoid SKI collisions.
  • Audit monthly. Run the PowerShell command above and pipe it to a CSV. Look for any shared issuer+serial or SKI. If you find them, investigate before users complain.
  • Never recycle certs. Issue new certificates with new keys for each renewal. This keeps SKIs unique across the entire user base.

I've cut my support tickets for this error by 90% just by enforcing that last rule. It's a shift in policy, but once you do it, the 0XC0000714 error becomes a rare, quick fix instead of a weekly headache.

Give the steps above a shot, and let me know if you still hit the error. There's almost always a hidden duplicate somewhere. Happy cert mapping!

Was this solution helpful?

STATUS_CERTIFICATE_MAPPING_NOT_UNIQUE 0XC0000714 client certificate mapping duplicate certificate mapping not unique fix AD certificate mapping IIS certificate mapping Windows Server certificate authentication certificate mapping error duplicate mapping solution NPS certificate mapping certificate-based authentication error