In Windows Server 2012 R2 ADFS, client certificate authentication uses a separate TLS tunnel on port 49443, distinct from the normal 443 binding. That port must be open between the clients and the ADFS farm, and between external clients and the WAP farm if one is used. This can be a problem for two reasons:
- Certain user agents (browsers) do not support TLS client certificate authentication on the alternate port.
- The alternate port may be blocked on public networks (WiFi hotspots or guest WiFi) that only allow the standard web ports.
Windows Server 2016 ADFS addresses this by allowing certificate authentication on the standard port 443 through an alternate TLS hostname binding (certauth.<federation service name>), so no separate port needs to be opened.
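The following PowerShell is an added example, not code from the original post, for checking whether the alternate port is actually reachable from the network a user is on and which TLS bindings the farm publishes. It assumes a federation service name of sts.contoso.com (replace with your own) and the built-in Test-NetConnection and Get-AdfsSslCertificate cmdlets; the function and variable names are this example's own.

```powershell
# Added example (not from the original post). Assumes the federation service
# name sts.contoso.com; change it to yours. Run the client part from the network
# you are troubleshooting (e.g. a guest WiFi) to see whether 49443 is blocked
# while 443 still works, which is the failure mode described above.

function Test-AdfsCertAuthPorts {
    param(
        [Parameter(Mandatory)][string]$FederationServiceName,
        [int[]]$Ports = @(443, 49443)
    )
    foreach ($port in $Ports) {
        $t = Test-NetConnection -ComputerName $FederationServiceName -Port $port -WarningAction SilentlyContinue
        $purpose = if ($port -eq 443) { 'Normal sign-in (FBA/WIA) and 2016 certauth hostname binding' }
                   else               { '2012 R2 client certificate authentication' }
        [pscustomobject]@{
            Endpoint  = "${FederationServiceName}:$port"
            Purpose   = $purpose
            Reachable = $t.TcpTestSucceeded
        }
    }
}

# Client side: if 443 is reachable but 49443 is not, certificate authentication
# will fail on a 2012 R2 farm even though forms-based sign-in still works.
Test-AdfsCertAuthPorts -FederationServiceName 'sts.contoso.com' | Format-Table -AutoSize

# Server side (run on an ADFS server): list the TLS bindings the farm publishes.
# On 2012 R2 expect the federation service name on 49443; on 2016 with the
# alternate hostname binding enabled, a certauth.<service name> binding on 443
# may appear as well.
Get-AdfsSslCertificate | Select-Object HostName, PortNumber, CertificateHash | Format-Table -AutoSize
```

Run the client part with a user's own laptop on the guest network rather than from the data center; the whole point is that reachability of 49443 depends on where the client sits.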
You can offer both forms-based authentication (FBA) and certificate authentication and let the user choose. There is no automatic fallback from certificate authentication to FBA, unlike the WIA-to-FBA fallback that applies when the browser does not support WIA.
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.