The Windows Phone 8.1 Company Portal app uses an OS component that's named the Web Authentication Broker (WAB). This component handles delegated Web login attempts. When AD FS on-premises device registration is enabled, it modifies the AD FS global authentication policy to optionally support device authentication. This, in turn, causes authentication attempts to request client certificates. Because the WAB does not support client certificate authentication, the Web login redirects to the AD FS server, and the WAB cancels the login attempt with a “user canceled” error.