Thanks, Stephen, your solution really helped. Anyway, I have one more question. I would like to use Basic Authentication and also a client certificate. So first I would like to check whether the credentials in basic authentication are OK and then whether the client certificate matches the one in the internal identity provider. When I tried it, it seems that once the basic authentication credentials are valid, the client certificate is not verified (also for the opposite order). I swapped the certificate for another certificate for my client account and it showed no error.
I assume that after the basic authentication credentials are verified, the request should be somehow "unauthorized" - probably by setting some context variable to NULL or in a similar way. Then I would use your solution to verify whether, for the user in the CN, the certificate also matches the one in the identity store. It may seem a bit like a doubled check (credentials + client certificate), but our requirement was exactly like that. Thank you.