ADFS Proxy server on Windows 2016 - Windows Integrated Authentication

  • Question

  • I've read in other posts that the proxy role cannot pass WIA (continue to provide a SSO experience to travelling laptop users who are not using a vpn or similar) since it is not a domain joined machine but I saw this and wanted to enquire whether it is actually possible?

    ‘If the proxy is used to proxy AD FS requests that use Windows Integrated Authentication, the proxy SSL certificate must be the same (use the same key) as the federation server SSL certificate’

    From <https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/overview/ad-fs-faq>

    Our current internal adfs server shows via a Fiddler trace the WIA authentication request encapsulated in the encrypted ssl payload - so I've never understood why the proxy can't forward the WIA request on after presumably decrypting the external request and repackaging it for the internal adfs server

    Thanks

    David

    Friday, December 2, 2016 5:03 PM

Answers

  • I don't quite follow.

    • Non domain joined machines do not have Windows SSO.
    • Users coming through the WAP will apply the Extranet authentication policy (which is Form Based auth).

    What would you expect?


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.


    Sunday, December 11, 2016 11:10 PM

All replies

  • When you authenticate through the WAP it flags the inside corporate network claim as false, and prompts the user with FBA to provide authentication.

    "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"

    I don't see how you will be able to do this without a VPN or DirectAccess.



    Sunday, December 4, 2016 12:54 AM
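    As an added illustration (not part of the thread or Microsoft's own documentation), the PowerShell below shows how an AD FS administrator can verify the behaviour described in this reply: which authentication providers apply to intranet versus extranet (WAP) requests, and how the insidecorporatenetwork claim can be used in an issuance authorization rule. It assumes the ADFS PowerShell module on an AD FS 2016 server; the relying party name is a placeholder and the rule is only displayed, not applied, unless the last line is uncommented.

    ```powershell
    # Added example (not from the thread): inspect the AD FS global
    # authentication policy and show an insidecorporatenetwork-based rule.
    # Assumes the ADFS module on an AD FS server; the relying party name
    # below is a placeholder.

    Import-Module ADFS

    # 1. Global authentication policy. Requests arriving via the WAP are
    #    treated as extranet and get the extranet provider list; Windows
    #    Integrated Authentication is normally listed only for intranet.
    $policy = Get-AdfsGlobalAuthenticationPolicy
    "Intranet primary providers : $($policy.PrimaryIntranetAuthenticationProvider -join ', ')"
    "Extranet primary providers : $($policy.PrimaryExtranetAuthenticationProvider -join ', ')"

    if ($policy.PrimaryExtranetAuthenticationProvider -contains 'WindowsAuthentication') {
        Write-Warning 'WindowsAuthentication is listed as an extranet provider; WAP clients are not on the corporate network, so expect a forms/credential prompt rather than silent SSO.'
    }

    # 2. Issuance authorization rule that permits a relying party only when
    #    the request did not come through the proxy (claim value "true").
    #    Placeholder relying party name; adjust before use.
    $rpName = 'PLACEHOLDER-RelyingParty'
    $rule = @'
@RuleName = "Permit only when inside corporate network"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

    # Review the rules currently in place before changing anything
    (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
    $rule

    # Uncomment to apply the rule to the relying party:
    # Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rule
    ```

    Reading the two provider lists side by side is the quickest way to confirm that extranet users will always hit the forms-based path regardless of what the client could negotiate over the TLS session.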
  • Update here?

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, December 29, 2016 12:40 PM