ADFS 3.0: is transparent SSO via client certificates possible?

New to the topic, I'm somewhat confused and would really need some guidance.

I understand that to support client certificates the "CertificateAuthentication" Authentication Provider needs to be enabled (in the intranet or extranet) on the authentication policy.

In the examples I found, I see certificate authentication specified after FBA. What happens if certificate authentication is specified as first and FBA as second? Does fallback to FBA work in case a user does not have a certificate (is a link to FBA displayed?)?

Is transparent SSO (no user interaction) possible via client certificates (for example, if only a single certificate is available), or is transparent SSO only possible with IWA for domain-joined clients and using appropriate web browsers?

Is port 49443 to be opened on both WAP servers and internal ADFS servers to support client certificate authentication?

Sorry for the numerous and somewhat scattered questions, I'm missing lots of details here and there.

There are 0 answers