ADFS 3.0 SAML Integration Authentication issues RRS feed

  • Question

  • Hi,

    I am currently engaged with a deployment which consists of the following, get stuck in between need experts advise on that.

    Current environment:

    • Single forest
    • Multiple domains
    • Root domain is just for admin's UID (example.com)
    • 2 Multi domains (domain1.example.com, domain2.exmaple.com)
    • User's exists in the multi domains (domain1.example.com, domain2.exmaple.com)


    • Integrate SAS based 3rd party app hosted extra net some where in the clod
    • Internal user's would be using this 3rd party app using their domain (AD) credentials from both the domains (e-mail address)
    • 3rd party apps supports SAML to connect with ADFS

    Installed / Configured so far:

    • 2 ADFS proxy WAP servers in DMZ
    • ADFS proxy servers are load balanced via hardware based NLB
    • 2 ADFS servers inside the server VLAN
    • ADFS server are load balanced via hardware based NLB
    • From outside ADFS traffic flow is as follows- public host (A) record for adfs.exmaple.com is pointing to public IP- natted to VIP of DMZ LB- fowards the request to the internal VIP LB using the local hosts file editing on proxy servers
    • From inside ADFS flow is as follows- client goes to https://adfs.example.com/adfs/ls/idpinitiatedsignon.aspx select one relaying party trusts from available 2 options
    • Alternate login id (mail) attribute is enabled- search criteria is root domain (example.com)
    • Single ADFS farm used as adfs.example.com
    • SSL cert used for ADFS deployment issued to the CN- adfs.example.com

    Now if I am sitting outside the corporate network from internet, if try to access the same URL as mentioned above, my landing page is ADFS proxy servers using FBA. I can login using my e-mail address as username and domain password happy there!

    As per the MS best practices inside traffic for ADFS from end user's should route to ADFS back end not to proxy servers as they are in DMZ and the end users are from trusted on inside network doesn't make any sense to route them to proxy severs ?

    My problem statement- When I am inside the corporate network and try to access the same URL my landing page is ADFS back end servers using the FBA if I try to log in using my e-mail address as username it just doesn't accepts that and keep on asking for password, however if I use my UPN domain1.example.com\UID or just domain1\UID and same password it works. So looks like some how ADFS back end servers are just not accepting e-mail address as alternate login id however proxy server does, no matter what if I am inside or outside the network.

    Is this behavior by default or I am doing something wrong here ? if this is a by default behavior is there any MS document or technet article you would refer me to ?

    Thank you!


    Thursday, February 11, 2016 3:26 PM

All replies

  • Please make sure you have the Audit enabled (the first part of the following article explains how to enable it: http://blogs.technet.com/b/pie/archive/2016/02/02/track-down-the-source-of-adfs-lockouts.aspx ) and look for event 364. If ou can repro, you can also enable the debug trace, repro and stop the debug trace from the event viewer and share here your findings.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, February 12, 2016 12:15 AM