Kestrel HTTPS certificate identified by appsettings.json only found when running in admin mode

3

I'm using appsettings.json to configure Kestrel in a .NET Core 3.1 app. Here are the relevant bits from appsettings.json:

    "Kestrel": {
      "Certificates": {
        "Default": {
          "Subject": "certificate name",
          "Store": "MY",
          "Location": "LocalMachine",
          "AllowInvalid": true
        }
      }
    },
    "AllowedHosts": "*",
    "Urls": "http://*:5010;https://*:5011"

If I start the application, it comes up on both ports. However, accessing it through HTTPS gets this exception dumped to the console of my app:

Microsoft.AspNetCore.Server.Kestrel[0] Unhandled exception while processing 0HLT41KHBJ13T. System.ComponentModel.Win32Exception (0x8009030D): The credentials supplied to the package were not recognized at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED scc)

However, if I start the application with administrative permissions, it works. So the cert is fine (it has the required private key), but things still don't work. Just for the fun of it, I imported the certificate into the LocalUser store, to which the app should most definitely have access even without admin privileges, but no joy.

Any ideas what could make this fail if not running with administrative permissions? The cert, as you can see, is in the certificate store, not in the file system, which rules out file permission issues.

asp.net-core
https
kestrel-http-server
asked on Stack Overflow Jan 28, 2020 by Stephan Steiner • edited Jan 18, 2021 by Glorfindel

1 Answer

1

Just a heads up on this: users need permission to read certificates too, just like reading a file. Typically, the SYSTEM account has read permission by default, but a developer will not have read permission to certificates in the local machine store unless they are a member of a privileged group that does.

You can go into the certificate store and add the permissions.

Open the store, right-click the certificate, select "All Tasks" | "Manage Private Keys...", and add the user's read permission, just like adding file permissions in Explorer. You could also create a Developer group and grant and revoke permissions to developer certificates that way, managing the certificate permissions directly only once.

answered on Stack Overflow Mar 14, 2021 by Antony Booth
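The "Manage Private Keys..." dialog in the answer edits the NTFS ACL on the key container file that Windows stores on disk for the machine certificate, which is why a non-admin process fails with SEC_E_UNKNOWN_CREDENTIALS (0x8009030D) even though the certificate itself is readable. The script below is an added example, not code from the question or the answer; it does the same grant from an elevated PowerShell so it can be scripted and audited. The subject "certificate name" and the principal "BUILTIN\Users" are assumptions taken from the question and should be replaced with the real subject and the account or group the Kestrel service runs as.

```powershell
# Added example (not from the original post): locate the Kestrel certificate in
# LocalMachine\My, find its private key container file, show the current ACL and
# grant Read to a principal. Run from an elevated PowerShell.
# Assumptions (not in the original post): subject "certificate name", principal
# "BUILTIN\Users". Replace both with the real values.
param(
    [string]$Subject   = 'certificate name',
    [string]$Principal = 'BUILTIN\Users'
)

# 1. Find the certificate the same way the appsettings.json "Subject" lookup does.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$Subject*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No certificate with subject '$Subject' in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key in the store" }

# 2. Resolve the key container file name. CNG keys (RSACng/ECDsaCng) expose
#    Key.UniqueName; legacy CSP keys expose CspKeyContainerInfo.UniqueKeyContainerName.
$keyName = $null
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
} else {
    $ecdsa = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
    if ($ecdsa -is [System.Security.Cryptography.ECDsaCng]) { $keyName = $ecdsa.Key.UniqueName }
}
if (-not $keyName) { throw "Could not determine the private key container for $($cert.Thumbprint)" }

# 3. Machine keys live under %ProgramData%\Microsoft\Crypto: CNG keys in "Keys",
#    CSP keys in "RSA\MachineKeys". Pick whichever file actually exists.
$candidates = @(
    (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'),
    (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys')
) | ForEach-Object { Join-Path $_ $keyName }
$keyFile = $candidates | Where-Object { Test-Path -Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Key file '$keyName' not found under $env:ProgramData\Microsoft\Crypto" }

# 4. Show who can read the key today; this is the list that should explain why
#    the app only works when elevated (typically SYSTEM and Administrators only).
Write-Host "Certificate : $($cert.Subject) ($($cert.Thumbprint))"
Write-Host "Key file    : $keyFile"
$acl = Get-Acl -Path $keyFile
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# 5. Add a Read ACE for the principal (Read is all Schannel needs to load the key)
#    and write the ACL back, which is what "Manage Private Keys..." does in MMC.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Principal, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl
Write-Host "Granted Read on the private key to $Principal"
```

Grant Read only, and only to the account the Kestrel process runs as (a service account or a developer group), not to Everyone: anyone with Read on that file can export the TLS private key. Running the script once before the grant also serves as a check, since the ACL listing at step 4 shows directly whether the current user is missing from the key's ACL.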

User contributions licensed under CC BY-SA 3.0