You may already know that ADFS 3.0 (on Windows Server 2012 R2) already supports certificate authentication, but on a different communication port from 443 (in fact 49443).

With ADFS 4.0 (on Windows Server 2016), certificate authentication can now use port 443, which makes it easier to implement multi-factor authentication with user certificates.

To take advantage of this new capability, you need to update your ADFS certificate to include the additional hostname certauth.<your ADFS URL>, for example certauth.fs.mydomain.com if your ADFS URL is fs.mydomain.com. If the certificate does not include this additional hostname, ADFS Certificate Based Authentication will continue to use port 49443.

Of course, you will also have to publish this additional URL (certauth.<your ADFS URL>) on your firewall.

Also, as a reminder, you still need to include the enterpriseregistration hostname too if you plan to enable Device Registration.
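As an added example (not part of the original post), the following PowerShell check, run on an ADFS 2016 server, reads the certificate currently bound to the ADFS HTTPS endpoint and reports whether the certauth.<fqdn> and enterpriseregistration.<suffix> names are present in its Subject Alternative Name extension. The hostname fs.mydomain.com and the UPN suffix mydomain.com are assumed values taken from the post's own example.

```powershell
# Added example, not from the original post. Requires the ADFS PowerShell module
# (Get-AdfsSslCertificate) and read access to the LocalMachine\My certificate store.
function Test-AdfsCertificateSans {
    param(
        # ADFS federation service FQDN, e.g. fs.mydomain.com (assumed value)
        [Parameter(Mandatory)] [string] $AdfsHostName,
        # UPN suffixes for Device Registration; leave empty to skip that check
        [string[]] $UpnSuffix = @()
    )

    # Get-AdfsSslCertificate lists the HTTPS bindings (HostName, PortNumber, CertificateHash)
    $binding = Get-AdfsSslCertificate |
        Where-Object { $_.HostName -eq $AdfsHostName } |
        Select-Object -First 1
    if (-not $binding) { throw "No ADFS SSL binding found for $AdfsHostName" }

    # Load the bound certificate from the machine store by thumbprint
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$($binding.CertificateHash)"

    # Extract DNS names from the Subject Alternative Name extension (OID 2.5.29.17)
    $sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($sanExt) {
        $dnsNames = [regex]::Matches($sanExt.Format($true), 'DNS Name=([^\s,]+)') |
            ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
    }

    # Names ADFS needs: the service name, certauth.<service name> for cert auth on 443,
    # and enterpriseregistration.<upn suffix> for each suffix used with Device Registration
    $required = @($AdfsHostName, "certauth.$AdfsHostName")
    foreach ($suffix in $UpnSuffix) { $required += "enterpriseregistration.$suffix" }

    foreach ($name in $required) {
        $present = $dnsNames -contains $name.ToLowerInvariant()
        $note = ''
        if (-not $present -and $name -like 'certauth.*') {
            $note = 'Missing: certificate authentication stays on port 49443'
        }
        [pscustomobject]@{ HostName = $name; Present = $present; Note = $note }
    }
}

# Usage with the post's example names (assumed values)
Test-AdfsCertificateSans -AdfsHostName 'fs.mydomain.com' -UpnSuffix 'mydomain.com' |
    Format-Table -AutoSize
```

A row with Present = False for the certauth name means the certificate must be reissued with that SAN and rebound before certificate authentication will move to port 443.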