Channel: Claims based access platform (CBA), code-named Geneva forum

AD FS 3.0 Certificate Authentication from mobile devices

We have set up an AD FS Farm (1 server) on our internal network behind our internal F5 appliance. Additionally we have set up a Web Proxy (1 server) in our DMZ network and load balanced it behind our DMZ.

Internally we can authenticate devices based on Forms Based Authentication (FBA), Windows Integrated Authentication (WIA), Certificate Authentication (CA), FBA + CA and WIA and CA.

Externally we can authenticate devices based on Forms Based Authentication (FBA), Certificate Authentication (CA), and FBA + CA as long as the request is coming from a company laptop.

If we use an iOS device we are only able to authenticate using FBA. If we choose CA as the only option for external devices it fails. It will get as far as the sign-on screen, show a message (see below) and spin attempting to load it for ~2 minutes before failing. The iOS device has a valid certificate and is in fact using the same certificate that was used on an external company laptop to validate that it worked there. The installed certificate contains the private key and was delivered to the device via email.

Does anyone have any experience with this type of issue or configuration?


