The IP:port binding takes the highest precedence. If an IP:port binding exists among the AD FS SSL certificate bindings, http.sys always uses that binding's certificate for SSL communication instead of the Hostname:port binding that AD FS configured. To solve this problem, use one of the following methods.
Method 1: Remove the IP:port binding
Be aware that the IP:port binding may come back after you remove it. For example, an application configured with this IP:port binding may automatically recreate it on its next service start-up.
Method 2: Use another IP address for AD FS SSL communication
If the IP:port binding is required, resolve the AD FS service FQDN to another IP address that is not used in any IP:port binding. That way, http.sys uses the Hostname:port binding for SSL communication.
Method 3: Set AdfsTrustedDevices as the CTL Store for the IP:port binding
Use this method only as a last resort when the methods above are not possible. Before you change the binding's default CTL store to AdfsTrustedDevices, make sure you understand the following:
Why the IP:port binding is there.
Whether the binding relies on the default CTL store for client certificate authentication.
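As an added example that is not part of the original article: a PowerShell check that parses the output of netsh http show sslcert and reports every IP:port binding on the AD FS SSL port together with its CTL store, so you can see which method applies. The sample netsh output, certificate hash and application ID values below are constructed placeholders, and the function and parameter names are this example's own.

```powershell
# Added example, not from the original article: parse 'netsh http show sslcert'
# output and report IP:port bindings that shadow the AD FS Hostname:port binding.
function Get-HttpSysSslBinding {
    param([string[]]$NetshLines)
    $bindings = @(); $current = $null
    foreach ($line in $NetshLines) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)\s*$') {
            $current = [pscustomobject]@{
                Kind         = $Matches[1]                           # IP:port or Hostname:port
                Endpoint     = $Matches[2]
                Port         = [int](($Matches[2] -split ':')[-1])   # last field: IPv4, IPv6 or hostname
                CtlStoreName = $null
            }
            $bindings += $current
        } elseif ($current -and $line -match '^\s*Ctl Store Name\s*:\s*(.+?)\s*$') {
            $current.CtlStoreName = $Matches[1]                      # '(null)' means the default CTL store
        }
    }
    return $bindings
}

# http.sys picks an IP:port binding before a Hostname:port binding on the same port,
# so every IP:port binding on the AD FS port is reported together with its CTL store.
function Find-ShadowingIpPortBinding {
    param([object[]]$Bindings, [int]$AdfsPort = 443)
    foreach ($b in $Bindings) {
        if ($b.Kind -ne 'IP:port' -or $b.Port -ne $AdfsPort) { continue }
        $action = 'Shadows the AD FS Hostname:port binding; apply Method 1, 2 or 3'
        if ($b.CtlStoreName -eq 'AdfsTrustedDevices') { $action = 'Method 3 already applied' }
        [pscustomobject]@{ Endpoint = $b.Endpoint; CtlStoreName = $b.CtlStoreName; Action = $action }
    }
}

# Constructed sample of 'netsh http show sslcert' output (placeholder hash and app ID, not real values).
$sampleText = @'
    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 0000000000000000000000000000000000000000
    Application ID               : {00000000-0000-0000-0000-000000000000}
    Ctl Store Name               : (null)

    Hostname:port                : sts.contoso.com:443
    Certificate Hash             : 0000000000000000000000000000000000000000
    Application ID               : {00000000-0000-0000-0000-000000000000}
    Ctl Store Name               : AdfsTrustedDevices
'@
$bindings = Get-HttpSysSslBinding -NetshLines ($sampleText -split "`r?`n")
Find-ShadowingIpPortBinding -Bindings $bindings | Format-Table -AutoSize
# On the AD FS server, use live data instead: Get-HttpSysSslBinding -NetshLines (netsh http show sslcert)
```

With the sample input, the 0.0.0.0:443 IP:port binding is reported with CTL store (null), which is the situation the three methods above address.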