Global Authentication methods confusion in ADFS 4.0

  • Question

  • I have a setup of ADFS 2016 (4.0) and have configured certificate authentication as an additional auth provider under the "Multi-Factor" tab. The global auth settings look like this in PowerShell:

    AdditionalAuthenticationProvider : {CertificateAuthentication}
    DeviceAuthenticationEnabled : False
    DeviceAuthenticationMethod : All
    TreatDomainJoinedDevicesAsCompliant : False
    PrimaryIntranetAuthenticationProvider : {WindowsAuthentication, FormsAuthentication, MicrosoftPassportAuthentication}
    PrimaryExtranetAuthenticationProvider : {FormsAuthentication, MicrosoftPassportAuthentication}
    WindowsIntegratedFallbackEnabled : True
    ClientAuthenticationMethods : ClientSecretPostAuthentication, ClientSecretBasicAuthentication, PrivateKeyJWTBearerAuthentication, WindowsIntegratedAuthentication

    From what I understand, these settings are applied globally to all relying party trusts. However, tests seem to show that this additional auth method is not enforced but gets ignored, as users can log on fine using the primary auth methods only, without having to have a certificate.

    This also seems to differ from ADFS 3.0, where you could have per-relying-party-trust auth settings besides the global one. I know I can perhaps use the new access control policies to define per-relying-party-trust MFA settings, but what do these global auth policies do then, if not set this additional auth policy globally? There seems to be no documentation on this change, as the documentation only refers to ADFS 3.0:

    https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-authentication-policies

    Friday, February 2, 2018 7:57 AM

Answers

  • It defines what is the first method the user can use to prove their identity.

    Certificate Based can be used as a primary authentication method (in that case no password prompt for the user) or as an MFA method (in that case the user is asked for a certificate after entering the right username and password).

    It does work as expected. Maybe the confusion is that some MFA providers (CBA and Azure MFA) can also be used as a primary method instead of as an MFA triggered after a successful authentication.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, February 9, 2018 7:33 PM
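The following is an added example, not code from the original thread or from Microsoft. It shows the distinction the answer draws: the global policy's AdditionalAuthenticationProvider list only registers a method as available, and AD FS invokes it when something issues the multipleauthn claim for the request, either a global additional authentication rule or, in AD FS 2016, an access control policy bound to the relying party trust. It also shows the contrasting configuration where certificate authentication is a primary method. The relying party display name "ClaimsApp" is assumed; "Permit everyone and require MFA" is one of the built-in access control policy names. Run it in an elevated PowerShell session on the primary AD FS 2016 server.

```powershell
# Added example (not from the original thread): inspecting and configuring
# MFA triggers on AD FS 2016 (4.0). "ClaimsApp" is an assumed RP display name.
Import-Module ADFS

# 1. What the global policy controls: which providers are *available*.
#    Listing CertificateAuthentication under AdditionalAuthenticationProvider
#    registers it as an MFA method; on its own it forces no user to present
#    a certificate, which matches the behaviour the question describes.
$global = Get-AdfsGlobalAuthenticationPolicy
"Primary (intranet): {0}" -f ($global.PrimaryIntranetAuthenticationProvider -join ', ')
"Primary (extranet): {0}" -f ($global.PrimaryExtranetAuthenticationProvider -join ', ')
"Additional (MFA):   {0}" -f ($global.AdditionalAuthenticationProvider -join ', ')

# 2. Ensure CBA is registered as an additional (MFA) provider.
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider CertificateAuthentication

# 3a. Option A: a global additional authentication rule (the pre-2016 mechanism,
#     still exposed through PowerShell). Issuing the multipleauthn claim is what
#     actually makes AD FS prompt for the additional provider. This rule
#     requires MFA only for requests that arrive from outside the corporate
#     network.
$extranetMfaRule = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $extranetMfaRule
Get-AdfsAdditionalAuthenticationRule   # confirm the stored rule text

# 3b. Option B (the AD FS 2016 model): bind a built-in access control policy
#     to one relying party trust. List the built-in policies first.
Get-AdfsAccessControlPolicy | Select-Object -ExpandProperty Name
Set-AdfsRelyingPartyTrust -TargetName "ClaimsApp" `
    -AccessControlPolicyName "Permit everyone and require MFA"

# 4. Verify: the trust should now reference the policy.
Get-AdfsRelyingPartyTrust -Name "ClaimsApp" |
    Select-Object Name, AccessControlPolicyName

# 5. Contrast: CBA as a *primary* extranet method, as the answer describes
#    (the certificate is the first factor, so there is no password prompt).
#    FormsAuthentication stays in the list so password users are not locked
#    out while this is being tested.
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryExtranetAuthenticationProvider FormsAuthentication, CertificateAuthentication
```

After applying 3b, sign in to the relying party from an extranet address and confirm that the certificate prompt appears after the username and password step; with only step 2 applied (the question's configuration) no prompt appears. Prefer the access control policy route on AD FS 2016, since it is the model the product documents for per-relying-party MFA; keep the global rule for the case where every relying party must share one trigger condition.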

All replies

  • Hello - Can you describe what you are trying to achieve? Set up MFA? For everyone? Thanks


    Monday, February 5, 2018 1:49 PM
  • Well, I would like to understand the function of the global authentication settings. Despite their name, they do not seem to be applied globally. I understand that MFA (cert-based auth) in ADFS 4.0 will probably work if it is defined on a relying party basis as an access control policy. But the question remains: what does the global authentication setting do then?
    Tuesday, February 6, 2018 8:13 AM