SharePoint & ADFS and shared Active Directory

  • Question

  • We're adding ADFS 3.0 to an existing SharePoint 2016 deployment.  Both are connected to the same Active Directory.  Is there a way for SharePoint to link the WS-Federation assertion to the same account in AD (as opposed to an account linked directly to ADFS)?

    Thanks

    Friday, October 27, 2017 7:14 PM

Answers

  • Thanks but neither of these answers my question of "Can I authenticate via ADFS and have SharePoint link the authentication to an existing AD account?"

    If you use a non-claims aware relying party for SharePoint instead of SAML, yes you can. This requires WAP be joined to the domain, SharePoint Web Apps using Kerberos, and Constrained Kerberos Delegation between the WAP machine accounts and the user running the SharePoint Web Apps.

    If you want to continue to use SAML, then no, the user is either SAML or Windows Claims in SharePoint. SharePoint will not recognize them as the same user if they authenticate using two separate methods.


    Trevor Seward

    Office Servers and Services MVP



    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Friday, October 27, 2017 10:15 PM
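
As an added, illustrative example (it is not part of the original thread and not Trevor Seward's code), the PowerShell below wires up the path the accepted answer describes: a non-claims-aware relying party in AD FS, a domain-joined WAP publishing SharePoint with AD FS pre-authentication, and Kerberos constrained delegation from the WAP computer account to the SPN of the account running the SharePoint web application. Every name in it is an assumption: WAP01 (the WAP server), CONTOSO\spWebAppSvc (the app-pool account), https://sharepoint.contoso.com (the web application, same URL inside and outside), HTTP/sharepoint.contoso.com (its SPN) and the certificate thumbprint placeholder. Each section says which host it runs on.

```powershell
# Added example, not from the original thread. All host names, account names,
# URLs and the SPN below are assumptions chosen for illustration.

# --- 1. Domain controller (or any host with the ActiveDirectory module), as a domain admin:
#        register the SPN on the app-pool account and allow the WAP computer account to
#        delegate ONLY to that SPN.
Import-Module ActiveDirectory

Set-ADUser -Identity 'spWebAppSvc' -ServicePrincipalNames @{Add = 'HTTP/sharepoint.contoso.com'}

# Classic (outbound) constrained delegation, scoped to the single SharePoint SPN.
Set-ADComputer -Identity 'WAP01' -Add @{'msDS-AllowedToDelegateTo' = 'HTTP/sharepoint.contoso.com'}

# "Use any authentication protocol" (protocol transition / S4U2Self). Needed because the
# user authenticates to AD FS, not to WAP with Kerberos; WAP must obtain a ticket for the
# user on the strength of the AD FS token.
Set-ADAccountControl -Identity 'WAP01$' -TrustedToAuthForDelegation $true

# Check: delegation stays constrained to the one SPN, and the WAP account is NOT
# trusted for unconstrained delegation (TrustedForDelegation must remain False).
$wap = Get-ADComputer -Identity 'WAP01' `
    -Properties 'msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation'
$wap | Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
if ($wap.TrustedForDelegation) { throw 'WAP01 is unconstrained; remove that before going further.' }

# --- 2. Primary AD FS server: a non-claims-aware relying party trust. AD FS authenticates the
#        user and returns an authorization decision; no SAML/WS-Fed token is sent to SharePoint,
#        so SharePoint only ever sees the Windows (Kerberos) identity from AD.
Add-AdfsNonClaimsAwareRelyingPartyTrust -Name 'SharePoint 2016 (KCD)' `
    -Identifier 'https://sharepoint.contoso.com/' `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# --- 3. Domain-joined WAP server: publish SharePoint with AD FS pre-authentication and
#        Kerberos constrained delegation to the backend SPN registered in step 1.
Add-WebApplicationProxyApplication -Name 'SharePoint 2016' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'SharePoint 2016 (KCD)' `
    -ExternalUrl 'https://sharepoint.contoso.com/' `
    -BackendServerUrl 'https://sharepoint.contoso.com/' `
    -BackendServerAuthenticationSPN 'HTTP/sharepoint.contoso.com' `
    -ExternalCertificateThumbprint '<thumbprint of the sharepoint.contoso.com certificate>'

# --- 4. SharePoint server: the web application zone must use Windows authentication with
#        Kerberos (Negotiate). If the zone is NTLM-only, the delegated ticket cannot be used
#        and the WAP has nothing it can present on the user's behalf.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$wa  = Get-SPWebApplication 'https://sharepoint.contoso.com'
$iis = $wa.IisSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default]
if ($iis.DisableKerberos) {
    throw 'Web application is NTLM-only; extend or recreate the zone with Kerberos (Negotiate) enabled.'
}
```

Two points worth keeping in mind with this design. First, step 1 lets the WAP computer account request service tickets to HTTP/sharepoint.contoso.com for any user in the domain, so keep msDS-AllowedToDelegateTo scoped to that one SPN, never flip the account to unconstrained delegation, and treat the WAP host as a credential-sensitive asset. Second, the user has to already exist in the same AD (AD FS resolves them by UPN for S4U2Self); that is exactly why this path, unlike the SAML one, lands on the user's existing Windows identity in SharePoint.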

All replies

  • Here you go

    https://technet.microsoft.com/en-us/library/dd996647%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    https://social.technet.microsoft.com/Forums/en-US/57a045cb-c691-42c3-b2b8-80e77f0fc8c0/adfs-30-on-sharepoint-2016-server?forum=ADFS


    Please remember to click Mark as Answer on the answer if it helps you

    Friday, October 27, 2017 7:17 PM
  • Thanks but neither of these answers my question of "Can I authenticate via ADFS and have SharePoint link the authentication to an existing AD account?"
    Friday, October 27, 2017 8:47 PM
  • Thanks but neither of these answers my question of "Can I authenticate via ADFS and have SharePoint link the authentication to an existing AD account?"

    Not sure what you mean by "existing AD account", but you can certainly use SAML/Claims based auth and ADFS with SharePoint.

    Friday, October 27, 2017 8:59 PM
  • Thanks, that confirms what I was seeing.
    Monday, October 30, 2017 5:41 PM