Intranet/Internet web application authentication via ADFS 2016 and WAP 2016

  • Question

  • I want to authenticate users internally and externally to web applications. The web applications are MVC using Identity 2. I will use claims for authorization.

    We set up the ADFS server and I am able to authenticate domain users on the intranet to a test web application using OpenID Connect.

    I recently set up WAP, so my questions are:

    Should I route all domain users regardless of where they come from to the WAP?

    My application looks for the OpenID discovery doc on the adfs server. Do I need to change something here to point to the WAP? Right now my application ignores the WAP and connects to the ADFS server directly.

    Thursday, February 16, 2017 4:44 PM

Answers

  • Option two. The decision to go to the WAP server instead of the ADFS server is made by the client through DNS resolution. So make sure that the external clients resolve the FQDN of your ADFS farm to the external IP address of your WAP (or VIP of the WAP farm if load balancers are used) and that internal clients resolve the FQDN of your ADFS farm to the internal IP address of your ADFS server (or VIP of the ADFS farm if load balancers are used).

    It is described in the Network requirement section here: https://technet.microsoft.com/en-us/library/dn554247(v=ws.11).aspx#BKMK_7


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by forwheeler Thursday, February 16, 2017 10:55 PM
    Thursday, February 16, 2017 9:20 PM
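A small added check of the design in the answer above (example code, not from the original thread): the relying party keeps one federation service FQDN, each DNS view resolves that name to a different VIP, and the discovery document only works from both sides if every endpoint in it is an https URL on that same FQDN. The name `fs.example.com`, both VIPs and the discovery document are constructed placeholders.

```python
"""Sanity checks for split-DNS ADFS/WAP publishing (constructed example)."""
import json
from urllib.parse import urlparse

FARM_FQDN = "fs.example.com"        # assumed federation service name
ADFS_INTERNAL_VIP = "10.0.0.10"     # assumed internal ADFS farm VIP
WAP_EXTERNAL_VIP = "203.0.113.10"   # assumed external WAP VIP (documentation range)

# Constructed zone views: what each population of clients resolves the name to.
INTERNAL_VIEW = {FARM_FQDN: ADFS_INTERNAL_VIP}
EXTERNAL_VIEW = {FARM_FQDN: WAP_EXTERNAL_VIP}

# Constructed ADFS discovery document, trimmed to the endpoints that matter.
DISCOVERY_DOC = json.dumps({
    "issuer": f"https://{FARM_FQDN}/adfs",
    "authorization_endpoint": f"https://{FARM_FQDN}/adfs/oauth2/authorize/",
    "token_endpoint": f"https://{FARM_FQDN}/adfs/oauth2/token/",
    "jwks_uri": f"https://{FARM_FQDN}/adfs/discovery/keys",
})


def split_dns_is_correct(fqdn, internal_view, external_view, adfs_vip, wap_vip):
    """True when internal clients reach ADFS directly and external clients reach WAP."""
    return internal_view.get(fqdn) == adfs_vip and external_view.get(fqdn) == wap_vip


def endpoints_off_farm_name(doc_json, fqdn):
    """Return the keys of discovery URLs that are not https://<fqdn>/...

    An empty list means the same discovery document is valid from both DNS
    views, which is why the relying party never needs to know about the WAP.
    """
    doc = json.loads(doc_json)
    bad = []
    for key, value in doc.items():
        if not isinstance(value, str) or not value.startswith("http"):
            continue  # skip non-URL metadata such as supported scopes
        parsed = urlparse(value)
        if parsed.scheme != "https" or parsed.hostname != fqdn.lower():
            bad.append(key)
    return bad


if __name__ == "__main__":
    print("split DNS ok:", split_dns_is_correct(
        FARM_FQDN, INTERNAL_VIEW, EXTERNAL_VIEW, ADFS_INTERNAL_VIP, WAP_EXTERNAL_VIP))
    print("endpoints off the farm name:", endpoints_off_farm_name(DISCOVERY_DOC, FARM_FQDN))
```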
  • Nope.

    External users all point to the WAP, which will redirect to the application. - Split DNS is your answer :)

    • Marked as answer by forwheeler Thursday, February 16, 2017 10:46 PM
    Thursday, February 16, 2017 9:18 PM

All replies

  • Hiya,

    Usually I would set up external users to access through the WAP and internal users to resolve internally (Application <-> ADFS).

    Of course this requires you run split DNS :)

    Thursday, February 16, 2017 6:49 PM
  • To force external users to access the applications through WAP, do I need to change the applications at all to point to the WAP or just publish the apps in WAP and setup split DNS?
    Thursday, February 16, 2017 8:53 PM
  • Thanks for your help
    Thursday, February 16, 2017 10:47 PM