Your company's ad could live here and reach over 50,000 people a month!

Share This Post

ADFS 2.0 Client Certificate Authentication

Hi all,

Here is how you can enable Client Certificate Authentication for Passive Authentication.

In my case, I have a Microsoft AD Certification Service deployed. User have a Personal Certificate (User Authentication) with a private in the user certificate personal store.

On the ADFS Server, open the web.config file in inetpub\adfs\ls and looks for the microsoft.identityserver.web section. Put the LocalAuthenticationTypes in the following order :


The <add name=”TlsClient” page=”auth/ssl/client/”/> must be the first authentication type.

In IIS, you can disable all the other authentication method, except Anonymous. So, non authenticated user that have a valid client certificate can access the passive federation service. This is for example very useful to authenticate users on a mobile device without to request the user credentials.

If you have a look at the claims value in the SAML token, you can check that the authentication method is tlsclient :


Share This Post

Leave a Reply