(I tried this over a year ago using an older (than 4.0; I don't recall exactly which) version of the .NET framework. The non-browser downloader wasn't capable (to my knowledge) of negotiating the client certificate requirement. I'm considering ClickOnce for another deployment now, with .NET 4.0, and I don't have the resources to experiment again. Hence, this question...)
I'm trying to deploy a .NET application with ClickOnce (using .NET 4.0).
The only website I have available for hosting the ClickOnce files is (and must be) protected by a client certificate which requires the user to enter a PIN when they hit the site.
My understanding (which may be wrong) is that the ClickOnce install experience hits my site first w/ the user's browser to download a subset of the application's files and then additionally w/ a smaller application (that's part of the .NET framework install on a workstation) which downloads the remainder of the files necessary to run my application.
This second, smaller application which downloads files, is it able to download files from a site which requires the user to provide a client certificate and its PIN when it (the downloader application) hits the site?
I think this will be a problem. It's possible if the user is using IE that it'll reuse a saved session, but I wouldn't count on it and haven't tested it.
You can always have the link to the app.manifest file on the protected site, but host the actual click-once files on a separate server. We host ours in Amazon S3 actually. That should be OK if you have authentication in your app that goes back through your secure site and the important data lives behind the secure area of your site.
One quick way to know if the Click-Once call will ask for the PIN is just to try it.