This error "Client auth certificate not found" is observed in both same domain and cross domain KCD configurations on the SEG Servers verbosed Web Listener log files. Information on how to gather Web Listener logs can be found here.
This error can be caused by the following reasons:
1. A component in front of the SEG server is consuming the SSL certificate
2. Active Directory client certificate mapping authentication is not enabled on the SEG Server
1. Add the role service "Client Certificate Mapping Authentication" through Server Manager on the SEG server.
2. Confirm that there is no component before the SEG Server that is consuming the SSL certificate. Wireshark can be used on the SEG server to confirm if the certificate is still present in the request when it reaches the SEG server.
Note: SSL offloading or SSL bridging is not supported while doing KCD