ADFS 2.1 User Certificate Authentication and/or Device Registration Authentication Fails with Server 2012 R2

Problem: Certificate authentication or device registration with ADFS on Server 2012 R2 fails when published externally. It works internally but fails externally.

Cause: Changes were made in ADFS on Windows Server 2012 R2 to support device registration. These same changes apply to certificate authentication: the client (machine and/or web browser) initiates a TCP connection to the ADFS or WAP server on destination port 49443. This design change is documented here:

Solution: On your external firewall, in addition to TCP port 443, publish TCP port 49443 for ADFS or the WAP (preferred method).
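
To confirm the firewall change from an external client, the following added example (not part of the original article) tests both ports and separates a blocked TCP connection from a TLS-level failure. The function name `Test-AdfsPort` and the host name `sts.example.com` are placeholders chosen for this example; substitute your own federation service name.

```powershell
# Added example. 'sts.example.com' is a placeholder for your federation service name.
function Test-AdfsPort {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int[]]$Ports = @(443, 49443),   # the two ports named in the Solution above
        [int]$TimeoutMs = 5000
    )
    foreach ($port in $Ports) {
        $row = [ordered]@{
            Host = $HostName; Port = $port
            TcpOpen = $false; TlsOk = $false; CertSubject = $null; Error = $null
        }
        $client = New-Object System.Net.Sockets.TcpClient
        $ssl = $null
        try {
            # Step 1: plain TCP connect. A timeout or refusal here points at the
            # firewall or publishing rule rather than at ADFS itself.
            if (-not $client.ConnectAsync($HostName, $port).Wait($TimeoutMs)) {
                throw "TCP connect timed out after $TimeoutMs ms"
            }
            $row.TcpOpen = $true

            # Step 2: TLS handshake using default certificate validation, so an
            # untrusted or mismatched certificate is reported as a TLS error.
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
            $ssl.AuthenticateAsClient($HostName)
            $row.TlsOk = $true
            $row.CertSubject = $ssl.RemoteCertificate.Subject
        }
        catch {
            # Unwrap to the innermost exception for a readable message.
            $row.Error = $_.Exception.GetBaseException().Message
        }
        finally {
            if ($ssl) { $ssl.Dispose() }
            $client.Close()
        }
        [pscustomobject]$row
    }
}

# Run from a machine outside the firewall.
Test-AdfsPort -HostName 'sts.example.com' | Format-Table -AutoSize
```

A result where port 443 shows `TcpOpen` as True and port 49443 shows it as False matches the problem described above: 49443 has not been published on the external firewall.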