ADFS authentication policy

  • Question

  • I am configuring an ADFS authentication policy based on the user’s location: if the traffic is NOT coming from inside the corporate network, it will redirect the user to MFA. According to Microsoft, when the value is false, it means the request came through a web application proxy. When true, it means the request came directly to the STS.

    Here is a portion of the claim rule:
    c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
     => issue(Type = ..............

    My question is: how does ADFS determine whether insidecorporatenetwork is True or False? Does the WAP server insert something into the claim or into the request to let the ADFS server know the request is coming from the WAP server? Is there a way to capture this traffic? I tried Fiddler but nothing showed up.

    Thanks,
    Friday, October 7, 2016 12:10 AM
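    As an added example (not code from the post above), this is the shape of a complete global additional-authentication rule that requires MFA only when AD FS has marked the request as NOT inside the corporate network; the issue clause uses the standard multipleauthn authentication-method claim, and the cmdlets are the AD FS PowerShell module on the primary federation server. Note that, per the Microsoft description quoted above, the claim is true whenever the request reaches the STS directly, so a reverse proxy that does not act as a WAP leaves such requests looking internal and the rule below will not fire for them.

```powershell
# Added example: require MFA when AD FS reports the request came via a WAP.
# Assumes the AD FS PowerShell module and a primary AD FS server (2012 R2 or later).
Import-Module ADFS

# Claim rule: insidecorporatenetwork == "false" means the request was proxied.
$rule = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Apply the rule globally (it applies to all relying parties).
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $rule

# Verify the rule now in effect before relying on it.
Get-AdfsAdditionalAuthenticationRule
```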

All replies

  • Hello,

    How is the DNS configured? For example, if the user is internal, the DNS will pass the URL directly to the ADFS; WAP will be accepting the connection from external and passing that to the ADFS. Capture of traffic: I am not sure if that is possible; maybe a Wireshark trace can tell you the path, and again WAP is only doing a pass-through authentication.


    Linus || Please mark posts as answers/helpful if it answers your question.

    Friday, October 7, 2016 9:30 AM
  • The ADFS server adds this claim in the pipeline when the authentication request has been proxied by the WAP server. And as Akampa added, the client found the WAP because of its DNS resolution.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, October 7, 2016 12:39 PM
  • We use split-brain DNS, so external users will connect to the WAP. No issue here; everything is working. We're in the process of replacing the WAP server with a Netscaler. If the WAP server is inserting a claim so the ADFS server knows the request is coming from outside the corporate network, how do we configure the Netscaler to do the same thing?

    Thanks,

    Friday, October 7, 2016 4:16 PM
  • Not sure why you would replace the WAP with a Netscaler? The two do not share the same function. Now, I'd put the WAP behind the Netscaler and you can reverse proxy it, then you'll get the best of both worlds :)


    http://blog.auth360.net

    Friday, October 7, 2016 5:42 PM
  • Hi Kram,

    Where I work, we like Netscaler a lot (here), so please don't misinterpret my sentiments :) If you want to try and mirror WAP functionality via Netscaler, then I'd suggest reading this document. Just bear in mind that there's a big difference between AD FS Proxy (2.0), WAP (AD FS 2012 R2) and WAP (AD FS 2016). As the platform progresses, it becomes more feature-rich and moves away from the rather simplistic reverse proxy roots it originally possessed, and what you'll need to consider (SNI Client, Non-Claims Aware RPs, MSOFBA, Basic auth etc.) makes it more difficult to mirror that functionality.


    http://blog.auth360.net

    Friday, October 7, 2016 11:23 PM
  • Same here, I see this product quite often on site used as a load balancer in front of the WAP. This works just fine (with the exception of the health probing not supporting SNI... so using the alternate non-TLS probing URL).

    What's the status here?



    Tuesday, October 11, 2016 10:12 AM