You have Active Directory Federation Services (AD FS) security token service (STS) servers that are running Windows Server 2012 R2 together with AD FS proxy servers that are configured.
The AD FS STS servers and AD FS proxy servers are in a network load balancing (NLB) cluster.
In this scenario, authentication failures intermittently occur for users who use client certificate authentication. Additionally, the following event is logged in the AD FS proxy server admin event log:
Log Name: AD FS/Admin Source: AD FS Date: Date & Time Event ID: 422 Task Category: None Level: Error Keywords: AD FS User: User Computer: computer name Description: Unable to retrieve proxy configuration data from the Federation Service. Additional Data Trust Certificate Thumbprint: Trust Certificate Thumbprint Status Code: Unauthorized Exception details: System.Net.WebException: The remote server returned an error: (401) Unauthorized. at System.Net.HttpWebRequest.GetResponse() at Microsoft.IdentityServer.Management.Proxy.StsConfigurationProvider.GetStsProxyConfiguration()
This issue occurs because the Device Registration Service (DRS) is not deployed, or the DRS device object container (for example, CN=RegisteredDevices, DC=default-naming-context) does not have correct permission to the AD FS service account.
To resolve this issue, install update rollup 2962409. For more information about how to obtain this update rollup package, click the following article number to view the article in the Microsoft Knowledge Base:
2962409 Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update rollup: June 2014
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates