Hi
Using 2012R2 with all RDS roles on one box (test purposes).
I have configured the RD Web Access and Gateway, so it's possible to access the server from the internet through HTTPS: https://server.domain/RDWeb. I have a trusted third-party wildcard certificate on the domain and it works fine.
What I want is to protect https://server.domain/RDWeb so that it requires a client SSL certificate (self-signed). I tried to add this to the website and am asked for a certificate, but I get a runtime error in the browser and this in the event log on the server:

Event code: 3005
Event message: An unhandled exception has occurred.

Process information:
    Process ID: 1272
    Process name: w3wp.exe
    Account name: IIS APPPOOL\RDWebAccess

Exception information:
    Exception type: NullReferenceException
    Exception message: Object reference not set to an instance of an object.
    at Microsoft.TerminalServices.Publishing.Portal.RWSCPubAndTsAccessor.GetApplications(String strSid, Boolean onlyShowAvailableByDefaultResources, AppInfo[]& apps, AppInfo[]& desktops)
    at Microsoft.TerminalServices.Publishing.Portal.RapWebService.GetRemoteApps(String strUserIdentity, Boolean onlyShowAvailableByDefaultResources)
    at Microsoft.TerminalServices.Publishing.Portal.WebFeed.GetDataForFeed(String userIdentity, String folderName, Dictionary`2& resource_list, Dictionary`2& ts_list, List`1& folders, Boolean& supportsReconnect)
    at Microsoft.TerminalServices.Publishing.Portal.WebFeed.GenerateFeed(String userIdentity, FeedXmlVersion xmlVersion, String folderPath, Boolean writeXmlDecl)
    at ASP.en_us_default_aspx.Page_PreInit(Object sender, EventArgs e)
    at System.Web.UI.Page.OnPreInit(EventArgs e)
    at System.Web.UI.Page.PerformPreInit()
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

Thread information:
    Thread ID: 25
    Thread account name: IIS APPPOOL\RDWebAccess
    Is impersonating: False
    Stack trace:
    at Microsoft.TerminalServices.Publishing.Portal.RWSCPubAndTsAccessor.GetApplications(String strSid, Boolean onlyShowAvailableByDefaultResources, AppInfo[]& apps, AppInfo[]& desktops)
    at Microsoft.TerminalServices.Publishing.Portal.RapWebService.GetRemoteApps(String strUserIdentity, Boolean onlyShowAvailableByDefaultResources)
    at Microsoft.TerminalServices.Publishing.Portal.WebFeed.GetDataForFeed(String userIdentity, String folderName, Dictionary`2& resource_list, Dictionary`2& ts_list, List`1& folders, Boolean& supportsReconnect)
    at Microsoft.TerminalServices.Publishing.Portal.WebFeed.GenerateFeed(String userIdentity, FeedXmlVersion xmlVersion, String folderPath, Boolean writeXmlDecl)
    at ASP.en_us_default_aspx.Page_PreInit(Object sender, EventArgs e)
    at System.Web.UI.Page.OnPreInit(EventArgs e)
    at System.Web.UI.Page.PerformPreInit()
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

If I change the app pool from Integrated to Classic pipeline, I'm able to get to the web form where I can enter username/password, but I just get "The user name or password that you entered is not valid. Try typing it again."
So how is it possible to get it all combined, so that we require a client certificate to be able to see the RD Web Access and preferably get SSO as well? I'm able to get it to work on separate sites, but not combined.
Thanks
Kim