ADFS 3.0 - setting client certificate authentication as first authentication provider?

  • Question

  • Does setting client certificate authentication as the first authentication provider work, or does it have any drawbacks? Does, for example, fallback to forms authentication work for users that cannot authenticate via a certificate? As an alternative, can the ADFS web form javascript be modified to select certificate authentication if a certain condition is recognized and eventually fall back to FBA if this condition is not satisfied?
    Monday, December 19, 2016 5:02 PM

Answers

  • In Windows Server 2012 R2 ADFS, the client certificate authentication is using a separate TLS tunnel for the authentication. This tunnel is using the port 49443 (that you will need to open between the clients and the ADFS farm and between the external clients and the WAP farm, if used). This might be an issue for two reasons:

    1. Certain user agents (browsers) do not support TLS authentication.
    2. The alternate port might not be open in public network (WiFi hotspot or guest WiFi).

    Windows Server 2016 ADFS solves this by using an alternate protocol and port for the certificate authentication.

    You could have both FBA and certificate authentication, and the user could choose one. There is no fallback like there is for WIA to FBA if the browser doesn't support it.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, December 26, 2016 10:21 PM
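One way to set up what the answer describes (both providers offered, the user picks one) and to check the port 49443 prerequisite from a client, as an added PowerShell example that is not part of the original thread; the host name `adfs.example.com` is a placeholder, and the commands assume an ADFS 2012 R2 farm where you hold ADFS administrator rights:

```powershell
# Added example (not from the thread). Assumes a Windows Server 2012 R2 ADFS farm
# and an account with ADFS administrator rights. Host name is a placeholder.

# 1. Inspect the current global authentication policy before changing it.
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object PrimaryIntranetAuthenticationProvider, PrimaryExtranetAuthenticationProvider

# 2. Offer both certificate and forms authentication on the extranet. Listing
#    both means the sign-in page lets the user choose; as the answer notes,
#    there is no automatic fallback from certificate to forms if the browser
#    or the network cannot complete the client-certificate TLS handshake.
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryExtranetAuthenticationProvider @('CertificateAuthentication', 'FormsAuthentication')

# 3. From a client on the network in question, confirm the separate TLS port
#    used for certificate authentication is reachable. If it is blocked
#    (e.g. on a guest WiFi), certificate sign-in will fail there and users
#    must fall back to forms sign-in by choosing it themselves.
$adfsHost = 'adfs.example.com'   # placeholder, replace with your federation service name
$check = Test-NetConnection -ComputerName $adfsHost -Port 49443
if ($check.TcpTestSucceeded) {
    "Port 49443 reachable on ${adfsHost}: certificate authentication can be attempted"
} else {
    "Port 49443 blocked to ${adfsHost}: expect certificate authentication to fail from this network"
}
```

Run step 1 again after step 2 to confirm the provider list took effect; the same change for internal clients uses `-PrimaryIntranetAuthenticationProvider`. The port check is the quickest way to find out, per network, whether the second drawback in the answer applies before users hit it.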