ADFS Cert problem

I currently have a lab with one ADFS server and one web app proxy. I can access ADFS when I attempt to log on against. However, when I switch to using certificate auth, the moment I select "sign in using X.509 certificate" the next page says "Select a certificate that you want to use for authentication. If you cancel the operation, please close your browser and try again." However, I do not get a screen to select my user certificate. Both servers have the root CA from my own AD CA. Any ideas?
Vasil Michev (MVP) Commented:
Make sure you are not blocking port 49443:

In addition, if client user certificate authentication (clientTLS authentication using X509 user certificates) is required, AD FS in Windows Server 2012 R2 requires that TCP port 49443 be enabled inbound on the firewall between the clients and the Web Application Proxy. This is not required on the firewall between the Web Application Proxy and the federation servers).

Also, there were some known issues with Firefox; in case you are using that, try a different browser.
ntr2def (Author) Commented:
Port 49443 is already enabled inbound. I've also tested that I can reach it with no problem over that port, so that isn't the case. I've also used Chrome, Edge and IE as far as browsers are concerned.
ntr2def (Author) Commented:
I should add that the lab is in Azure and I have the endpoint defined for 49443 to the web app proxy.
Vasil Michev (MVP) Commented:
Having it in Azure might be a problem, this means that you have a CNAME record for the AD FS FQDN and I'm not sure if certificate auth will work in such scenario.
Vasil Michev (MVP) Commented:
Actually, Azure seems to be OK. I brought my AD FS VM in Azure Online and it seems to work fine.

Have you checked the SSL bindings? Is 49443 listed there, is it associated with the AD FS app, does it have Negotiation enabled? Especially if you have changed the certificate in the past.
ntr2def (Author) Commented:
As far as I can tell, when I do a Get-AdfsSslCertificate it shows the public cert bound to 49443. When you say "is the negotiation enabled", are you talking about whether the endpoint is enabled for certificatemixed?
ntr2def (Author) Commented:
Negotiate Client Certificate is Enabled as well:
Hostname:port                :
Certificate Hash             : removed
Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
Certificate Store Name       : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check                  : Enabled
Revocation Freshness Time    : 0
URL Retrieval Timeout        : 0
Ctl Identifier               : (null)
Ctl Store Name               : (null)
DS Mapper Usage              : Disabled
Negotiate Client Certificate : Enabled
Vasil Michev (MVP) Commented:
Perhaps I spoke too soon; I seem to have it working at times only. IE in particular doesn't seem to display the certificate selector popup, or it automatically selects it (if only one cert is present).

The setup above seems correct. You might need a binding for this if you are using a wildcard certificate, in order to handle non-SNI-capable clients, but that's another issue.

I'm out of ideas. Check the Event logs, the AD FS admin one might give some clue. Other than that, Fiddler traces...
ntr2def (Author) Commented:
I did a Fiddler trace and selected the user cert.

I got an error now:

An error occurred
Authentication attempt failed. Select a different sign in option or close the web browser and sign in again. Contact your administrator for more information.

Activity ID: 00000000-0000-0000-3900-0080000000e1
Relying party: Microsoft Office 365 Identity Platform
Error time: Fri, 15 Jan 2016 01:48:26 GMT
Cookie: enabled
User agent string: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36

In the correlating Event on the ADFS server:

Encountered error during federation passive request.

Additional Data

Protocol Name:

Relying Party:

Exception details:
Microsoft.IdentityServer.AuthenticationFailedException: There is a problem with the X509Certificate provided by the client. The error code is: -2146762487
   at Microsoft.IdentityServer.Web.Authentication.TlsClientAuthenticationHandler.ProcessIntranetRequest(ProtocolContext context, WrappedHttpListenerRequest request)
   at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolTlsClientListener.OnGetContext(WrappedHttpListenerContext context)

ADFS Audit Log:

An HTTP request was received.

Activity ID: 00000000-0000-0000-3900-0080000000e1

Request Details:
    Date And Time: 2016-01-15 01:48:26
    Client IP:
    HTTP Method: POST
    Url Absolute Path: /adfs/ls/
    Query string: ?lc=1033&
    Local Port: 49443
    Local IP:
    User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36
    Content Length: 58
    Caller Identity: -
    Certificate Identity (if any): -
    Targeted relying party: -
    Through proxy: False
    Proxy DNS name: -

So for whatever reason that cert gave me a deny; when I turn Fiddler off it goes back to what it was doing normally, which was nothing.
ntr2def (Author) Commented:
I do see it tunnel to I see the certificate info that is used for the user mapped. In the trace I do see this:

div class="content-container"><fieldset>
  <h2>403 - Forbidden: Access is denied.</h2>
  <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>

Essentially, without the cert loaded into Fiddler I get:

  <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
  <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>

So I'm guessing my certificate isn't set up correctly?
Vasil Michev (MVP) Commented:
Either that, or it's simply the CNAME that's causing issues. Or the fact that it's in Azure as a whole and might be subject to things like SSL offload, stateful packet inspection, etc. (pretty much what's described in this article, apart from the CNAME):

I'll try asking around, but AD FS is covered by another expertise so I don't have direct access to the product group there. I guess you can open a support ticket to get a clear statement on this.
ntr2def (Author) Commented:
So I figured it out. I built another lab, fresh install, recreated everything, then added the CA. Created a regular user cert. Created a server cert for the ADFS server and it was working. However, it wasn't until I created a public cert, did some testing, and noticed the issue had reoccurred. I thought maybe I generated the CSR wrong. I switched back to the server cert I requested from the CA and the certificate prompt started working, but when I switched it back to the public cert the issue reoccurred. After about the 3rd public cert I recreated, I noticed that the public cert had one extra EKU the server cert didn't have, which was Client Authentication. So once more I generated a CSR without the Client Auth. The public cert still had the Client Auth added as part of the EKU. So I disabled it from the cert's properties. Once I did that I was able to authenticate with the user certificate.

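The two checks this thread converged on, the HTTP.sys binding on the client TLS port (the netsh output above, "Negotiate Client Certificate") and the EKU set on the certificate that Get-AdfsSslCertificate reports for that port (the Client Authentication EKU in the resolution above), as an added PowerShell example that is not part of this thread and not Microsoft's tooling. It assumes an elevated session on the AD FS 2012 R2 federation server with the ADFS module loaded, that the client TLS port is 49443 as in the thread, and uses the RFC 5280 EKU OIDs; the function names are mine.

```powershell
# Added example (not from the thread). Run elevated on the federation server.
# Assumptions: ADFS module available, client TLS port 49443 (from the thread),
# EKU OIDs per RFC 5280. Function names are hypothetical.

$ClientTlsPort = 49443                    # AD FS client-certificate port (thread)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'      # id-kp-clientAuth
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'      # id-kp-serverAuth

function Get-AdfsCertOnPort {
    # Resolve the LocalMachine\My certificate that AD FS reports for a port.
    param([int]$PortNumber)
    $binding = Get-AdfsSslCertificate |
        Where-Object { $_.PortNumber -eq $PortNumber } |
        Select-Object -First 1
    if (-not $binding) { throw "No AD FS SSL binding on port $PortNumber" }
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $binding.CertificateHash }
    if (-not $cert) { throw "Thumbprint $($binding.CertificateHash) is not in LocalMachine\My" }
    return $cert
}

function Get-EkuOids {
    # Return the OIDs in the Enhanced Key Usage extension (empty array if absent).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Get-NegotiateClientCertSetting {
    # Parse 'netsh http show sslcert' (blank-line separated blocks, as quoted in the
    # thread) and return the 'Negotiate Client Certificate' value for the binding
    # whose Hostname:port or IP:port ends with the given port.
    param([int]$PortNumber)
    $text = (netsh http show sslcert | Out-String)
    $portPattern = '(?m)^\s*(Hostname:port|IP:port)\s*:\s*\S+:' + $PortNumber + '\s*$'
    foreach ($block in ($text -split '(?:\r?\n){2,}')) {
        if ($block -match $portPattern) {
            if ($block -match '(?m)^\s*Negotiate Client Certificate\s*:\s*(\w+)') {
                return $Matches[1]
            }
        }
    }
    return $null
}

$cert = Get-AdfsCertOnPort -PortNumber $ClientTlsPort
$ekus = Get-EkuOids -Certificate $cert

"Certificate on port ${ClientTlsPort}: $($cert.Subject) ($($cert.Thumbprint))"
"EKUs: $($ekus -join ', ')"
if ($ekus -notcontains $ServerAuthOid) {
    Write-Warning 'Server Authentication EKU is missing from the SSL certificate'
}
if ($ekus -contains $ClientAuthOid) {
    Write-Warning 'Client Authentication EKU is present on the SSL certificate; the thread traced the missing certificate prompt to exactly this'
}

$negotiate = Get-NegotiateClientCertSetting -PortNumber $ClientTlsPort
"Negotiate Client Certificate on port ${ClientTlsPort}: $negotiate"
if ($negotiate -ne 'Enabled') {
    Write-Warning 'Negotiate Client Certificate is not Enabled on the client TLS binding'
}

# The AD FS event quoted in the thread reports the error as a signed decimal;
# format it as the HRESULT it really is so it can be looked up.
'{0:X8}' -f -2146762487
```

The last line prints the decimal -2146762487 from the event log as 800B0109, which is Windows' CERT_E_UNTRUSTEDROOT (chain built, but the root is not trusted). That matches the Fiddler experiment in the thread: a certificate presented through Fiddler does not chain to the lab's AD CA, so AD FS rejects it outright rather than silently skipping the prompt as it did before.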
ntr2def (Author) Commented:
I solved the issue myself.