ADFS 3.0 on Win Server 2012 R2 - Trusting the service ticket obtained from AD in ADFS

  • Question

  • Hoping someone can help.

    My app server (not on the domain) is configured with SAML and points to my ADFS 3.0 server. 

    ADFS is configured with WIA for internal access only

    My app connects to the app server and is directed to ADFS 3.0 to authenticate.

    ADFS sends a 401 to the app to negotiate a Kerberos auth request.

    I have a third-party Kerberos constrained delegation (KCD) service that impersonates the app domain user and obtains a service ticket from AD.

    The KCD service passes the service ticket to ADFS 3.0 in a SAML 2.0 message in response to the ADFS 401 originally received by the app. ADFS does not respond. It does not give an error, but I see the SAML request make it to AD when looking at the ADFS tracing logs.

    Is there something I need to enable on ADFS 3.0 to trust a service ticket from AD?

    Other apps can use the KCD service with the same user if ADFS is not used.

    If I use a web browser to my app server, I can enter a password for my domain user and ADFS accepts the auth, and the app works. The problem only occurs when I get a ticket from AD to pass to ADFS. ADFS doesn't seem to trust the ticket from AD. 

    My SPNs for ADFS are: HTTP/adfs.domain.com DOMAIN\ad1, HTTP/ADFS DOMAIN\ad1 (my AD server is ad1).
    I also tried with HOST/adfs.domain.com ...
    and my KCD service user account has these SPNs set in its delegation.

    Any suggestions on where to look are greatly appreciated.

    Thanks kindly!

    Paul

    • Edited by PLMSUser Thursday, February 22, 2018 8:48 PM
    Friday, February 16, 2018 11:19 PM
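The thread does not include any diagnostic commands, so the script below is an added example, not something posted by the author. It checks the prerequisites that ADFS 3.0 on Server 2012 R2 needs before it will accept a Kerberos service ticket on its 401 Negotiate challenge: the HTTP/<federation service name> SPN registered on the account that runs the ADFS service (and on no other account), Windows Authentication enabled as an intranet provider, and a client user agent that ADFS will challenge with Negotiate at all. The federation service name adfs.domain.com is taken from the question; everything else is queried live on the ADFS server.

```powershell
# Added diagnostic, not from the thread. Run in an elevated PowerShell
# session on the ADFS 3.0 server with the ActiveDirectory and ADFS modules.
# Assumption: the federation service name is adfs.domain.com (from the question).
$FsName = 'adfs.domain.com'

# 1. Which account runs the ADFS service? The HTTP/$FsName SPN must be
#    registered on this account. A ticket issued for an SPN that lives on a
#    different account (for example a domain controller) is encrypted with
#    that account's key and ADFS cannot decrypt it, so it silently fails.
$svc = Get-WmiObject Win32_Service -Filter "Name='adfssrv'"
"ADFS service account : $($svc.StartName)"

# 2. Which account actually holds the SPN, and is it unique? setspn -Q reports
#    the holder; a duplicate SPN makes the KDC issue tickets unpredictably.
$spnQuery = setspn -Q "HTTP/$FsName"
$spnQuery
if ($spnQuery -match 'No such SPN')  { Write-Warning "HTTP/$FsName is not registered at all" }
if ($spnQuery -match 'Duplicate SPN') { Write-Warning "HTTP/$FsName is registered on more than one account" }

# 3. Is Windows Authentication (WIA) an intranet primary provider? Without it
#    ADFS never issues the 401 Negotiate challenge for internal clients.
$policy = Get-AdfsGlobalAuthenticationPolicy
"Intranet providers    : $($policy.PrimaryIntranetAuthenticationProvider -join ', ')"
if ($policy.PrimaryIntranetAuthenticationProvider -notcontains 'WindowsAuthentication') {
    Write-Warning 'WindowsAuthentication is not an intranet provider; clients get forms auth'
}

# 4. ADFS only sends Negotiate to user agents listed in WIASupportedUserAgents.
#    A non-browser client (such as the KCD service here) must present one of
#    these strings, or it is redirected to forms authentication instead.
$props = Get-AdfsProperties
"WIA user agents       : $($props.WIASupportedUserAgents -join ', ')"

# 5. Extended protection (channel binding) rejects Negotiate tokens whose
#    channel binding does not match the TLS channel ADFS terminates. A ticket
#    obtained by an intermediary and relayed over a different TLS session
#    fails this check when it is set to Require.
"Extended protection   : $($props.ExtendedProtectionTokenCheck)"
```

The ticket the KCD service obtains has to travel in an `Authorization: Negotiate <base64 SPNEGO token>` header answering the 401; ADFS reads no Kerberos material out of a SAML message body, so that is the layer these checks cover.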

All replies

  • The problem is that ADFS is a federation provider and will only accept requests that are in a SAML 2.0, WS-Fed or OpenID Connect format.

    Have you tried pass-through with ADFS WAP?

    Sunday, February 18, 2018 7:29 PM
  • I have not; I will look into this. Note, I adjusted my original note: the response from AD is being sent in SAML 2.0 in response to the original 401, if that makes sense. Thanks

    • Edited by PLMSUser Friday, February 23, 2018 6:48 PM
    Thursday, February 22, 2018 8:26 PM