When you add self-signed cert to the client, I am assuming this only happens win7, the non-priv user does not have permission to the c:\programdata\microsoft\crypto\rsa\machinekeys\of the cert. I had to add Authenticated Users with READ permission ...