IIS Claims Authentication RRS feed

  • Question

  • Hi All,

    We have AD FS working well, supporting Office 365 authentication, and others.  AD FS proxy for off premises access.

    We also have a variety of internally-developed sites hosted on IIS.

    Internally, they use integrated Windows authentication, so the process is transparent.  Off premises, users are prompted to authenticate (basic over HTTPS).

    These sites are generally "dumb"; they just need to know you are in AD; generally don't care beyond that (hence no complex claims).

    It would be better if sites used AD FS when off premises;

    • "prettier" authentication
    • if the user tick the box, reduced/eliminated authentication prompts
    • if the user's password is expired, AD FS handles this gracefully (other authentication methods typically fail, even with the right password)

    Is it possible to "claims-enable" IIS, as-is, without rewriting the apps to become claims-aware (never gonna happen)?

    As I write this, I realise that Microsoft probably expect you to...

    • use integrated Windows Authentication in IIS
    • publish using Web Application Proxy to the Internet, which makes integrates it with AD FS

    [would *really* welcome confirmation of my hypothesis!]

    This will probably work fine.  However, if possible, I'd like to avoid this;

    • adds another layer of complexity at the HTTP layer
    • now, all these IIS sites depend on WAP "directly", not just indirectly
    • we're using a very simple TLS certificate on the AD FS servers, not a wildcard (didn't anticipate adding other FQDNs,  or using WAP for anything more than AD FS)

    Conceptually, in IIS role services, we would tick a "claims authentication" tick box as well as/instead of the Integrated Windows authentication box.

    The "architecture" (load balancers, vLANs, networks, DNS entries, certificates, etc, etc, etc) would then be completely untouched; it's just that browsers would make a round trip to AD FS.

    There is an AD FS Web Agent described at...


    ...but this was withdrawn since Windows Server 2012 R2, so not an option for modern sites.

    Am I resigned to...

    1. Asking for £££$$$€€€ for a wildcard certificate
    2. publishing them via Web Application Proxy off premises

    Would really welcome some advice.  All the AD FS content centres around the AD FS role service.  The AD FS Web Agent exists, but I can find no further information in blogs, forums, etc.

    Friday, May 5, 2017 2:41 PM