<div>
Make sure you are not blocking port 49443: <a href="https://technet.microsoft.com/en-us/library/dn554247.aspx" rel="ugc">https://technet.microsoft.com/en-us/library/dn554247.aspx</a> 
 

<blockquote>
In addition, if client user certificate authentication (clientTLS authentication using X509 user certificates) is required, AD FS in Windows Server 2012 R2 requires that TCP port 49443 be enabled inbound on the firewall between the clients and the Web Application Proxy. This is not required on the firewall between the Web Application Proxy and the federation servers).
</blockquote>
 
Also, there were some known issues with Firefox, in case you are using that try a different browser,
</div>

<div>
Port 49443 is already enabled inbound I've also tested that I can reach it with no problem over that port, so that isnt the case. I've also used Chrome, Edge and IE as far as browsers are concerned.
</div>

<div>
I should add that the lab is in Azure and I have the endpoint defined for 49443 to the web app proxy
</div>

<div>
Having it in Azure might be a problem, this means that you have a CNAME record for the AD FS FQDN and I'm not sure if certificate auth will work in such scenario.
</div>

<div>
Actually, Azure seems to be OK. I brought my AD FS VM in Azure Online and it seems to work fine. 
 
Have you checked the SSL bindings? Is 49443 listed there, is it associated with the AD FS app, does it have Negotiation enabled? Especially if you have changed the certificate in the past.
</div>

<div>
As far as I can tell when I do a get-adfsSslCertificate it shows the public cert sts.hostname.net bound to 49443 when you say is the negotiation enabled are you talking about if the endpoint is enabled for certificatemixed?
</div>

<div>
Negotiate Client Certificate is Enabled as well: 
Hostname:port &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;: sts.hostname.net:49443 
Certificate Hash &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; : removed 
Application ID &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; : {5d89a20c-beab-4389-9447-324788eb944a} 
Certificate Store Name &nbsp; &nbsp; &nbsp; : MY 
Verify Client Certificate Revocation : Enabled 
Verify Revocation Using Cached Client Certificate Only : Disabled 
Usage Check &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;: Enabled 
Revocation Freshness Time &nbsp; &nbsp;: 0 
URL Retrieval Timeout &nbsp; &nbsp; &nbsp; &nbsp;: 0 
Ctl Identifier &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; : (null) 
Ctl Store Name &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; : (null) 
DS Mapper Usage &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;: Disabled 
Negotiate Client Certificate : Enabled
</div>

<div>
Perhaps I spoke too soon, I seem to have it working at times only. IE in particular doesnt seem to display the certificate selector popup, or it automatically selects it (if only one cert is present). 
 
The setup above seems correct. You might need a binding for 0.0.0.0:49443 is you are using wildcard certificate in order to handle non-SNI capable clients, but that's another issue. 
 
I'm out of ideas. Check the Event logs, the AD FS admin one might give some clue. Other than that, Fiddler traces...
</div>

<div>
I did a fiddler trace and selected the user cert 
 
I got an error now: 
 
An error occurred 
Authentication attempt failed. Select a different sign in option or close the web browser and sign in again. Contact your administrator for more information. 
 
Activity ID: 00000000-0000-0000-3900-0080000000e1 
Relying party: Microsoft Office 365 Identity Platform 
Error time: Fri, 15 Jan 2016 01:48:26 GMT 
Cookie: enabled 
User agent string: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36 
 
In the correlating Event on the ADFS server: 
 
Encountered error during federation passive request. 
 
Additional Data 
 
Protocol Name: 
wsfed 
 
Relying Party: 
urn:federation:MicrosoftOnline 
 
Exception details: 
Microsoft.IdentityServer.AuthenticationFailedException: There is a problem with the X509Certificate provided by the client. The error code is: -2146762487 
&nbsp; &nbsp;at Microsoft.IdentityServer.Web.Authentication.TlsClientAuthenticationHandler.ProcessIntranetRequest(ProtocolContext context, WrappedHttpListenerRequest request) 
&nbsp; &nbsp;at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context) 
&nbsp; &nbsp;at Microsoft.IdentityServer.Web.PassiveProtocolTlsClientListener.OnGetContext(WrappedHttpListenerContext context) 
 
ADFS Audit Log: 
 
An HTTP request was received. 
 
Activity ID: 00000000-0000-0000-3900-0080000000e1 
 
Request Details: 
&nbsp; &nbsp; Date And Time: 2016-01-15 01:48:26 
&nbsp; &nbsp; Client IP: 10.1.0.37 
&nbsp; &nbsp; HTTP Method: POST 
&nbsp; &nbsp; Url Absolute Path: /adfs/ls/ 
&nbsp; &nbsp; Query string: ?lc=1033&amp;username=test.user%4hostname.net&amp;wa=wsignin1.0&amp;wtrealm=urn%3afederation%3aMicrosoftOnline&amp;wctx=estsredirect%3d2%26estsrequest%3drQIIAbNSzigpKSi20tcvyC8qSczRy09Ly0xO1UvOz9XLL0rPTAGxioS4BIp8he7ZcNr49Ncyizpc2lC4ilENp079nMS8lMy8dL3E4oKKC4yMXUwshgbGxpuYWH2dfZ08TzBNOCt3i0nQvyjdMyW82C01JbUosSQzP-8RE29ocWqRf15OZUh-dmreJGa-nPz0zLz44qK0-LSc_HKgAND4gsTkkviSzOTs1JJdzCpmlpYmJsaGJrrJiYbJuiZm5ka6lmlG5rppxqnJxqlJJmapaYkHWDaEXGAR-MHCuIvTljhn25ckFqWnltiqGqWlAE0ozSkBCwMA0&amp;popupui= 
&nbsp; &nbsp; Local Port: 49443 
&nbsp; &nbsp; Local IP: 10.1.0.55 
&nbsp; &nbsp; User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36 
&nbsp; &nbsp; Content Length: 58 
&nbsp; &nbsp; Caller Identity: - 
&nbsp; &nbsp; Certificate Identity (if any): - 
&nbsp; &nbsp; Targeted relying party: - 
&nbsp; &nbsp; Through proxy: False 
&nbsp; &nbsp; Proxy DNS name: - 
 
 
So for whatever reason that cert gave me a deny, when i turn fiddler off it goes back to what it was doing normally which was nothing.
</div>

<div>
I do see it tunnel to sts.hostname.net:49443 i see the certificate info that is used for the user mapped. in the trace i do see this: 
 
div class=&quot;content-container&quot;&gt;&lt;fieldset&gt; 
&nbsp; &lt;h2&gt;403 - Forbidden: Access is denied.&lt;/h2&gt; 
&nbsp; &lt;h3&gt;You do not have permission to view this directory or page using the credentials that you supplied.&lt;/h3&gt; 
 
essentially without the cert loaded into fiddler i get: 
 
&nbsp; &lt;h2&gt;401 - Unauthorized: Access is denied due to invalid credentials.&lt;/h2&gt; 
&nbsp; &lt;h3&gt;You do not have permission to view this directory or page using the credentials that you supplied.&lt;/h3&gt; 
&nbsp;&lt;/fieldset&gt;&lt;/div&gt; 
 
so I'm guessing my certificate isnt set up correctly?
</div>

<div>
Either that or it's simply the CNAME that's causing issues. Or the fact that it's in Azure as a whole and might be subject to things like SSL offload, stateful packet inspection etc (pretty much what's described in this article, apart from the cname: <a href="https://support.microsoft.com/en-us/kb/2461628" rel="ugc">https://support.microsoft.com/en-us/kb/2461628</a>) 
 
I'll try asking around, but AD FS is covered by another expertise so I dont have direct access to the product group there. I guess you can open a support ticket to get a clear statement on this.
</div>

ADFSCertFix.png

<div>
<div class="content wysiwyg-content">
I currently have a lab one adfs server and one web app proxy. I can access adfs when i attempt to logon against portal.office.com. However when I swith to using Certificate Auth. the moment i select sign in using x.509 certificate the next page says &quot;Select a certificate that you want to use for authentication. If you cancel the operation, please close your browser and try again.&quot;However I do not get a screen to select my user certificate. Both servers have the root ca from my own AD CA. any ideas?
</div>
</div>

I currently have a lab one adfs server and one web app proxy. I can access adfs when i attempt to logon against portal.office.com. However when I swith to using Certificate Auth. the moment i select sign in using x.509 certificate the next page says "Select a certificate that you want to use for authentication. If you cancel the operation, please close your browser and try again."However I do not get a screen to select my user certificate. Both servers have the root ca from my own AD CA. any ideas?

ADFS Cert problem

Office 365 is a group of software plus services subscriptions that provides productivity software and related services to its subscribers. Office 365 allows the use of Microsoft Office apps on Windows and OS X, provides storage space on Microsoft's cloud storage service OneDrive, and grants 60 Skype minutes per month. Office 365 includes e-mail and social networking services through hosted versions of Exchange Server, Skype for Business Server, SharePoint and Office Online, integration with Yammer, as well as access to the Office software. All of Office 365's components can be managed and configured through an online portal; users can be added manually, imported from a CSV file, or Office 365 can be set up for single sign-on with a local Active Directory using Active Directory Federation Services.

Microsoft 365

Microsoft Azure is a cloud computing platform and infrastructure for building, deploying and managing applications and services through datacenters. It provides both platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS) services and supports many different programming languages, tools and frameworks, including both Microsoft-specific and third-party software and systems. Cloud Services is a PaaS environment and can be used to create scalable applications and services; there are specific software development kits (SDKs) provided by Microsoft for Python, Java, Node.js and .NET. Azure also has file and storage services, data management, analytics and DNS services.