ADFS - Consequences of enabling Forms Authentication

    Question

  • Hi,

    We have been told by MS support that we need to enable Forms Authentication on our ADFS server in order to avoid errors when using PowerShell to log on to Azure. What are the consequences of doing that? Is there any chance that users of other services utilizing ADFS will notice this change?

    Any insight will be greatly appreciated.

    Thanks,

    GB

    Tuesday, March 14, 2017 7:52 AM

Answers

  • Based on the 1st question, it depends on the app request. If the app is not able to use WIA (Windows Integrated Auth) it will need to send username/password (Forms). If the request comes from the Internet it will eventually hit an ADFS Proxy, and by default all such requests will get Forms or Certificates (ADFS 2012 R2), so the PowerShell that orgabeke refers to should be able to authenticate.

    What eventually happens to apps that can't use WIA is that they will work from the Internet and not from the intranet, because, by default, Forms is disabled on the Intranet. The action plan will be to enable Forms on the Intranet, and if you have an app that is forcing username/password from the Intranet you should be good. There's no impact expected from doing so.


    Luís Carmo

    • Marked as answer by orgabeke Friday, April 7, 2017 6:49 AM
    Wednesday, March 15, 2017 10:35 AM

All replies

  • It may be best to post here:  https://social.technet.microsoft.com/Forums/en-US/home?forum=ADFS

    But enabling forms-based authentication will make all users require entry of username and password. Essentially, you are turning off 'Windows Integrated Authentication'.

    • Marked as answer by orgabeke Wednesday, March 15, 2017 7:41 AM
    • Unmarked as answer by orgabeke Friday, April 7, 2017 6:49 AM
    Tuesday, March 14, 2017 1:17 PM
  • Thanks!
    Wednesday, March 15, 2017 7:41 AM
  • Luis,

    Thanks for replying to my question. I must admit that I do not fully understand what you are saying.

    There are basically two scenarios in which our users access applications that are ADFS integrated. #1 Using the computer connected to the corporate network. #2 Using the computer connected to the corporate network via Direct Access.

    Are you saying that under no circumstances will enabling Forms Authentication change how users access these applications? Under no circumstance will they be prompted for username and password like vaadadmin2010 suggests? SSO will work the same as before?

    Wednesday, March 15, 2017 12:33 PM
  • I was not saying to remove WIA from the Intranet (ADFS Management Console) but to select it as well, since it's not enabled by default. So you need a "check" on both WIA and FBA on the Intranet.

    PowerShell will not do SSO like other apps you might have, so what happens is:

    App             Location   Auth method   Will work?   Reason
    PowerShell      Extranet   FBA           Yes          ---
    PowerShell      Intranet   FBA           No           FBA disabled on Intranet by default
    SSO-able app    Extranet   FBA           Yes          ---
    SSO-able app    Intranet   WIA           Yes          ---


    cheers.

    Luís Carmo

    Wednesday, March 15, 2017 3:37 PM
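The change Luís describes, done from PowerShell rather than the ADFS Management Console, as an added example that is not part of the thread or of any Microsoft documentation. It uses the real ADFS cmdlets Get-AdfsGlobalAuthenticationPolicy and Set-AdfsGlobalAuthenticationPolicy (ADFS 2012 R2 and later) and adds FormsAuthentication to the intranet provider list without removing WindowsAuthentication, so SSO-capable browsers keep using WIA and clients that can only post a username and password (such as the Azure PowerShell logon) fall back to the forms page. The $before/$after variables and the idempotency check are my own; run it in an elevated session on an ADFS server.

```powershell
# Added example (not from the thread): enable Forms Authentication on the
# intranet side of the ADFS global authentication policy while keeping
# Windows Integrated Authentication enabled. Run elevated on an ADFS server
# (ADFS 2012 R2 or later); assumes the ADFS PowerShell module is installed.

Import-Module ADFS

# 1. Record the current policy so the change can be reviewed and rolled back.
$policy = Get-AdfsGlobalAuthenticationPolicy
$before = @($policy.PrimaryIntranetAuthenticationProvider)
Write-Host "Intranet providers before: $($before -join ', ')"
Write-Host "Extranet providers:        $($policy.PrimaryExtranetAuthenticationProvider -join ', ')"

# 2. Build the new intranet provider list: keep whatever is there and add
#    FormsAuthentication only if it is missing. Never drop WindowsAuthentication,
#    otherwise every intranet browser user gets a password prompt.
$after = @($before)
if ($after -notcontains 'WindowsAuthentication') { $after += 'WindowsAuthentication' }
if ($after -notcontains 'FormsAuthentication')   { $after += 'FormsAuthentication' }

if (@(Compare-Object $before $after).Count -eq 0) {
    Write-Host "WIA and Forms are already both enabled on the intranet; nothing to do."
} else {
    # 3. Apply. Add -WhatIf on a first run to see what would be set without changing anything.
    Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider $after
    Write-Host "Intranet providers after:  $($after -join ', ')"
}

# 4. Verify. Only the intranet list should have changed; the extranet list is untouched.
$check = Get-AdfsGlobalAuthenticationPolicy
Write-Host "Verified intranet providers: $($check.PrimaryIntranetAuthenticationProvider -join ', ')"

# 5. Which intranet clients still get WIA (and therefore silent SSO) is decided by
#    the user-agent list on the ADFS properties; anything not matching it is shown
#    the forms page. Print it so the test plan covers the browsers you actually have.
Write-Host "WIA-capable user agents: $((Get-AdfsProperties).WIASupportedUserAgents -join ', ')"

# Rollback, if the test window shows unexpected prompts:
#   Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider $before
```

Test from a domain-joined intranet browser that SSO still happens without a prompt (that path is unchanged, it still uses WIA), and from the PowerShell Azure logon on the intranet that it now gets a forms page instead of the earlier error. Keep in mind that enabling Forms on the intranet also means the ADFS sign-in page will now accept password attempts from any intranet client, not only from the proxy, so the same monitoring you apply to extranet logon failures should cover the internal endpoint as well.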
  • Thanks Luis,

    WIA is already enabled in our setup so that is OK. I'll do some testing outside normal working hours to make sure that the users do not notice this change.

    Friday, March 17, 2017 6:38 AM