Good afternoon. Yes, it is indeed possible. First, I would like to understand why we are talking about certificate authentication, there are easier and more beautiful ways to do end-to-end authentication, so why bother? If you still need certificates, then tell us about your infrastructure, is there a CA with a PKI structure on the network, will authentication take place on the local network?

There is a need to transparently launch non-domain clients located on the same network, so the first thing that came to mind was certificates (it is undesirable to give a login password from the domain, it is desirable to let the user access the app without his mental activity at all).
There is a certification authority, automatic issuance of certificates works.
In principle, there is no difference which method to use, but there is only one rule, a maximum of one password is entered, ideally, if no passwords at all.

In the rdweb settings, specify the certificate issued by your CA. Give clients a trusted root certificate of your RCA server. In theory, it will ask for a password only when logging in to rdweb. Only there you need to specify enable single sign on. Unfortunately, I forgot if this feature exists in 2008r2. In 2012r2 it works.