Client Certificates in Addition to Other Authentication Methods

In general, you have to use one method of authentication for all users in the portal. Client certificates are the only exception to this rule: they can be used in addition to another authentication method. This means that users who have a client certificate use it to log on, whereas all other users have to provide credentials in the other configured way.

To configure the portal to use digital certificates in addition to another authentication method, you configure the Microsoft Internet Information Server (IIS) to work in basic authentication (native NT or LDAP authentication) or NTLM. In addition, you specify in IIS whether this Web site accepts or requires client certificates.

The flow in the server is as follows:

If client certificates are enabled and the user's browser provides a certificate in the request, the Portal Server tries to authenticate the user with that certificate. If this succeeds, the user is authenticated. If the user did not provide a certificate, or the information in the certificate is invalid or insufficient, IIS initiates whichever other authentication method (basic or NTLM) it was configured to use.
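As an added illustration (not configuration from the original page or from the portal product), this is how the "certificate first, other method as fallback" combination looks in the IIS 7 and later web.config schema; the older IIS versions this page describes expose the same two choices through the MMC dialogs ("Accept client certificates" versus "Require client certificates"). The site name and the choice of basic authentication are assumptions for the example.

```xml
<!-- Added example: web.config for the portal site (IIS 7+ schema, assumed). -->
<configuration>
  <system.webServer>
    <security>
      <!-- "Ssl" forces HTTPS. "SslNegotiateCert" corresponds to "Accept client
           certificates": IIS asks the browser for a certificate but continues
           without one, which is what allows the fallback to basic/NTLM
           described above. "SslRequireCert" ("Require client certificates")
           would instead reject every request that carries no certificate with
           HTTP 403.7 before any other method is ever tried, so users without
           a certificate could not log on at all. -->
      <access sslFlags="Ssl,SslNegotiateCert" />
      <authentication>
        <!-- Anonymous access must be off, otherwise IIS never challenges for
             the fallback credentials. -->
        <anonymousAuthentication enabled="false" />
        <!-- The one other method IIS falls back to when no valid certificate
             is presented. Enable exactly one of the two, matching the
             portal's rule of a single method for all users. Basic sends the
             password in clear text and therefore relies on the "Ssl" flag
             above; NTLM is the alternative for Windows domain users. -->
        <basicAuthentication enabled="true" />
        <windowsAuthentication enabled="false">
          <providers>
            <clear />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

In IIS 7 and later the `access` and `authentication` sections are locked at server level by default, so this fragment only takes effect in applicationHost.config or after those sections have been unlocked for the site.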