Can client reject Fiddler certificate?

[Barry Page]

I am trying to use Fiddler to capture traffic from the Dynamics 365 App from Microsoft windows store. The app is running on the same Windows 10 machine as Fiddler. The app doesn’t get passed the login screen when Fiddler is running. If I close Fiddler, then the app works fine.

I think the issue is that the app does not like Fiddler’s generated certificate. I am seeing A call to SSPI failed, see inner exception errors in the Fiddler Log. I already added Fiddler Root certificate as Trusted Root on the machine. 

Is there any way to troubleshoot these types of issues? Or is the app expecting a certificate that Fiddler can’t generate?

Thanks

[EricLaw]

There are a few possibilities. 

Yes, it's possible for a Windows 10 application to use Certificate Pinning, in which case having Fiddler's root in the Windows Trusted Root store is insufficient and the app will not trust it. I talk a bit about certificate pinning here: http://fiddler.wikidot.com/certpinning

Another possibility is that you're having a problem with the Extended Protection feature of Windows Integrated Authentication. Try ticking the "Automatically Authenticate" checkbox on Fiddler's rules menu before loading the app and see if there's any change.