Web Application Proxy DMZ - Publishing Apps

  • Question

  • I am in the process of trying to set up external access to our on-premises SharePoint 2013 site using the Web Application Proxy role. Our SharePoint server is using Kerberos authentication.

    I have set up ADFS on a 2012 R2 box that sits inside our domain and the Web Application Proxy on another 2012 R2 box that is sitting in our DMZ, not joined to the domain.

    I am able to authenticate my AD credentials externally using the default sign-in page, i.e.

    https://sts.yourdomain.com/adfs/ls/idpinitiatedsignon.htm

    I have then attempted to publish my SharePoint site, setting up a non-claims-aware relying party trust.

    I get the sign-in page for my published app but I am unable to log in.

    So here is my question

    Can you publish applications using ADFS Preauthentication if your web application proxy is sitting in your DMZ not joined to the domain?

    Wednesday, January 21, 2015 12:07 PM

Answers

  • Hi Matt,

    If we were to add a trusted identity provider (ADFS) to the authentication methods on our SharePoint as per this example (I can't post a link yet, sorry)

    http://blogit.create.pt/miguelmoreno/2014/11/14/configure-adfs-3-0-with-sharepoint-2013/

    Would that allow us to not join the Web Application Proxy to the domain?

    Yes, in this case the ADFS proxy server doesn’t have to be domain-joined, since the SAML-based claims authentication method is being used instead of Integrated Windows authentication.

    More information for you:

    Configure SAML-based claims authentication with AD FS in SharePoint 2013
    https://technet.microsoft.com/en-us/library/hh305235(v=office.15).aspx

    In addition, if there are specific queries regarding claims-based access with ADFS, there is a dedicated forum below:

    Claims based access platform (CBA), code-named Geneva Forum

    http://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Edited by Amy Wang_ Monday, January 26, 2015 6:09 AM
    • Proposed as answer by Amy Wang_ Tuesday, February 3, 2015 12:14 PM
    • Marked as answer by Matt-Bhoy Tuesday, February 3, 2015 2:49 PM
    Monday, January 26, 2015 6:09 AM
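The claims-aware set-up the accepted answer describes, written out as an added PowerShell example. This is not code from the thread or from the linked TechNet article; it strings together the AD FS relying party trust, the SharePoint trusted identity token issuer and the WAP publishing call in the order they have to exist. The host names, the realm `urn:sharepoint:portal`, the certificate path and the web application URL are assumptions for illustration; only `sts.yourdomain.com` comes from the original post.

```powershell
# Added example (not from the thread): publish SharePoint 2013 as a claims-aware
# application so that the WAP server can stay off the domain. Host names, the realm,
# the certificate path and the web application URL are placeholders.

### 1. On the AD FS server: WS-Federation relying party trust for SharePoint
$spRealm = 'urn:sharepoint:portal'                    # assumed realm; must match -Realm on the SharePoint side
$spTrust = 'https://sharepoint.contoso.com/_trust/'   # SharePoint's WS-Fed endpoint (assumed host)
$rpName  = 'SharePoint 2013'                          # must match -ADFSRelyingPartyName on WAP

# Pass e-mail and UPN from AD; SharePoint will use e-mail as the identifier claim
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email and UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,userPrincipalName;{0}", param = c.Value);
'@
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-AdfsRelyingPartyTrust -Name $rpName -Identifier $spRealm -WSFedEndpoint $spTrust `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules

### 2. On the SharePoint server: trust the AD FS token-signing certificate and add the provider
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
# Token-signing certificate exported from AD FS (assumed path)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('C:\certs\adfs-token-signing.cer')
New-SPTrustedRootAuthority -Name 'ADFS Token Signing' -Certificate $cert

$emailMap = New-SPClaimTypeMapping -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' `
    -IncomingClaimTypeDisplayName 'EmailAddress' -SameAsIncoming
$upnMap   = New-SPClaimTypeMapping -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn' `
    -IncomingClaimTypeDisplayName 'UPN' -SameAsIncoming

$sts = New-SPTrustedIdentityTokenIssuer -Name 'ADFS' -Description 'Contoso AD FS' -Realm $spRealm `
    -ImportTrustCertificate $cert -ClaimsMappings $emailMap,$upnMap `
    -SignInUrl 'https://sts.yourdomain.com/adfs/ls' -IdentifierClaim $emailMap.InputClaimType

# Keep Windows auth for internal users and add the trusted provider on the Default zone (assumed web app URL)
$webApp = Get-SPWebApplication 'https://sharepoint.contoso.com'
$winAp  = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$adfsAp = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $sts
Set-SPWebApplication -Identity $webApp -Zone Default -AuthenticationProvider $winAp,$adfsAp

### 3. On the WAP server (workgroup member in the DMZ): publish with AD FS preauthentication
# No -BackendServerAuthenticationSPN is given: WAP does not obtain a Kerberos ticket for the
# user, SharePoint runs its own WS-Fed sign-in against the same relying party, so there is
# no KCD and therefore no need for the WAP host to be domain-joined.
$thumb = (Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like '*sharepoint.contoso.com*' }).Thumbprint
Add-WebApplicationProxyApplication -Name 'SharePoint 2013' `
    -ExternalPreauthentication ADFS -ADFSRelyingPartyName $rpName `
    -ExternalUrl 'https://sharepoint.contoso.com/' -ExternalCertificateThumbprint $thumb `
    -BackendServerUrl 'https://sharepoint.contoso.com/'

# Check: ADFS preauth, the matching relying party name, and an empty SPN
Get-WebApplicationProxyApplication -Name 'SharePoint 2013' |
    Format-List Name, ExternalPreauthentication, ADFSRelyingPartyName, BackendServerAuthenticationSPN
```

The three sections run on three different machines, as the comments indicate. The two values that tie them together are the realm (the AD FS identifier and the SharePoint `-Realm` must be identical) and the relying party name (the AD FS trust name and WAP's `-ADFSRelyingPartyName` must be identical); a mismatch in either shows up as the sign-in page followed by a failed login, which is the symptom in the original question.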

All replies

  • Hi Matt,

    Based on my research, to allow users to authenticate via Integrated Windows authentication, the Web Application Proxy server must be joined to an AD DS domain.

    More information for you:

    Publishing Applications with SharePoint, Exchange and RDG

    https://technet.microsoft.com/en-us/library/dn765486.aspx

    Web Application Proxy: Some applications are configured to perform backend authentication using Integrated Windows authentication but the server is not joined to a domain

    https://technet.microsoft.com/en-us/library/dn464299.aspx

    Best Regards,

    Amy



    • Proposed as answer by Amy Wang_ Tuesday, February 3, 2015 12:14 PM
    Thursday, January 22, 2015 8:21 AM
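The Integrated Windows authentication path that the reply above refers to, as an added PowerShell example that is not code from the thread or from the linked articles. It shows why this path forces the WAP host onto the domain: WAP has to obtain a Kerberos service ticket on the user's behalf through Kerberos constrained delegation, and only a domain member can do that. The AD FS trust name, the service account `svc_spweb`, the WAP computer name `WAP01`, the SPN and the host names are assumptions for illustration; the pre-flight check is the practitioner's own sanity test, not a Microsoft tool.

```powershell
# Added example (not from the thread): publish SharePoint through WAP with backend
# Integrated Windows authentication (Kerberos constrained delegation). Account names,
# host names and the SPN are placeholders.

### 0. Pre-flight on the WAP server: a workgroup host cannot delegate, so stop early
$cs = Get-CimInstance Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "WAP host '$($cs.Name)' is not domain-joined; IWA/KCD publishing requires domain membership (claims-aware publishing does not)."
}

### 1. On the AD FS server: a non-claims-aware relying party trust (AD FS 3.0 cmdlet)
# The identifier is the external URL; AD FS only preauthenticates here, it issues no claims to SharePoint.
$rpName = 'SharePoint (KCD)'
Add-AdfsNonClaimsAwareRelyingPartyTrust -Name $rpName -Identifier 'https://sharepoint.contoso.com/' `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

### 2. In AD: allow the WAP computer to delegate to the SharePoint web application pool account
# Resource-based constrained delegation: the permission lives on the backend account, not on WAP.
$spn        = 'HTTP/sharepoint.contoso.com'   # must be registered on the app pool account
$appPoolAcc = 'svc_spweb'                     # assumed SharePoint web application pool account
$wapHost    = 'WAP01'                         # assumed WAP computer name

$acct = Get-ADUser -Identity $appPoolAcc -Properties ServicePrincipalName
if ($acct.ServicePrincipalName -notcontains $spn) {
    throw "SPN $spn is not registered on $appPoolAcc; delegation would fail and the backend would answer 401."
}
Set-ADUser -Identity $appPoolAcc -PrincipalsAllowedToDelegateToAccount (Get-ADComputer -Identity $wapHost)

### 3. On the (domain-joined) WAP server: publish with AD FS preauth and the backend SPN
# -BackendServerAuthenticationSPN is what makes WAP request a service ticket for the user
# (S4U2Proxy) after AD FS preauthentication; this is the step that needs domain membership.
$thumb = (Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like '*sharepoint.contoso.com*' }).Thumbprint
Add-WebApplicationProxyApplication -Name 'SharePoint 2013 (KCD)' `
    -ExternalPreauthentication ADFS -ADFSRelyingPartyName $rpName `
    -ExternalUrl 'https://sharepoint.contoso.com/' -ExternalCertificateThumbprint $thumb `
    -BackendServerUrl 'https://sharepoint.contoso.com/' `
    -BackendServerAuthenticationSPN $spn

# Check: the published app carries the SPN WAP delegates to
Get-WebApplicationProxyApplication -Name 'SharePoint 2013 (KCD)' |
    Format-List Name, ExternalPreauthentication, ADFSRelyingPartyName, BackendServerAuthenticationSPN
```

Sections 1 to 3 run on the AD FS server, a domain controller or a host with the AD module, and the WAP server respectively. The delegation could equally be set on the WAP computer object's Delegation tab ("use any authentication protocol", limited to the backend SPN); the resource-based form above is used because it is scriptable and keeps the grant on the backend account where it can be audited.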
  • Hi Amy,

    Thanks for the reply. I ran the Best Practices Analyzer and did get that message.

    We currently have ADFS 2 set up with a proxy that is in the DMZ, not on the domain, that is used to authenticate users with Office 365. This was the sort of set-up that we were hoping to implement for SharePoint, but using the Web Application Proxy.

    If we were to add a trusted identity provider (ADFS) to the authentication methods on our SharePoint as per this example (I can't post a link yet, sorry)

    http://blogit.create.pt/miguelmoreno/2014/11/14/configure-adfs-3-0-with-sharepoint-2013/

    Would that allow us to not join the Web Application Proxy to the domain?

    Thanks Again

    Matt


    • Edited by Matt-Bhoy Thursday, January 22, 2015 9:48 AM
    Thursday, January 22, 2015 9:37 AM
  • Thanks Amy,

    In the end we have joined our WAP to our domain and are able to access SharePoint externally now.

    Thanks again

    Matt

    Tuesday, February 3, 2015 2:51 PM
  • Hi Matt,

    You are welcome!

    Please feel free to let us know if there are any further requirements in the future.

    Best Regards,

    Amy



    Wednesday, February 4, 2015 2:13 AM