I am seeking a way to integrate ADFS with Kerberos aware applications (not claim aware) to achieve SSO (Single Sign On)?

  • Question

  • I am seeking a way to integrate ADFS with Kerberos aware applications (not claim aware) to achieve SSO (Single Sign On)? Is it possible to have an application that supports Kerberos but is non claim aware? If yes, then how do we do it and what are the prerequisites? Pleas
    Sunday, December 2, 2018 4:33 PM

All replies

  • You can do this with the WAP:

    https://docs.microsoft.com/en-us/windows-server/remote/remote-access/web-application-proxy/publishing-applications-using-ad-fs-preauthentication

    • Proposed as answer by Jesper Arnecke Monday, December 3, 2018 6:57 AM
    Sunday, December 2, 2018 5:52 PM
  • Basically you configure it as you would configure any Kerberos implementation. You use the WAP as an authentication gateway, which can then delegate tokens to the applications which are part of the SSO portfolio.
    Monday, December 3, 2018 6:59 AM
  • You mean "Publish an Application that uses HTTP Basic"?
    • Edited by aka_Sunny Monday, December 3, 2018 2:35 PM correction
    Monday, December 3, 2018 2:34 PM
  • I was asked by a customer whether there is an application which only supports the Kerberos protocol. Kerberos is only an authentication protocol which uses the Kerberos SSP (kerberos.dll), as far as I know, and I am not sure if there is an application specifically for Kerberos in the way there is for SAML or WS-Fed.

    Moreover, Kerberos only works for internal authentication; for external authentication NTLM would be used regardless of the application. Please correct me if I am wrong.

    Wednesday, December 5, 2018 4:20 PM
  • Kerberos is Kerberos. It's part of the Windows Authentication area, so no, it's not WS-Federation nor SAML, it's Kerberos.
    Kerberos only works within a forest and not across organizational boundaries.
    NTLM is the equivalent of Kerberos in definition: it's Windows Authentication. NTLM is a less secure Windows Authentication protocol and should by default not be used if Kerberos is possible. You can use NTLM and Kerberos in the same places, within a domain.

    That is why you would implement an Authentication Gateway for external access. An example flow using SharePoint would be:

    User requests authentication at WAP -> WAP authenticates at the ADFS non-claims-aware application (Active Directory integrated authentication) -> WAP directs the user to the SP site with a delegated Kerberos ticket -> SP is configured for Kerberos authentication -> User is logged on with the Kerberos ticket.

    Did a write up on exactly that flow previously:
    https://jesperarnecke.wordpress.com/2014/03/26/installation-sharepoint-2013-with-web-application-proxy-and-adfs-kerberos
    Saturday, December 8, 2018 9:36 AM
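The flow in the last reply (WAP pre-authenticates at AD FS, then obtains a Kerberos ticket for the backend on the user's behalf via Kerberos constrained delegation with protocol transition) can be configured with PowerShell. The script below is an added example written for this page; it is not code from the thread, from Jesper's write-up, or from Microsoft's documentation. All host names, account names, the group SID and the certificate thumbprint are assumptions, and the steps run on three different machines (a domain controller, the AD FS server and the WAP server), as the comments indicate.

```powershell
# Added example (not from the thread). Assumed names:
#   WAP01                    - domain-joined Web Application Proxy server
#   sp.corp.contoso.com      - internal SharePoint URL, configured for Kerberos
#   CONTOSO\svc-sp-app       - SharePoint web application pool account
#   sp.contoso.com           - external URL published by WAP
#   <thumbprint>, <group-SID> - placeholders for the external TLS cert and the
#                              AD group allowed through AD FS

### Step 1 (domain controller): SPN for the backend. WAP will request a
### service ticket for exactly this SPN, so it must match the backend URL.
setspn -S HTTP/sp.corp.contoso.com CONTOSO\svc-sp-app

### Step 2 (domain controller): constrained delegation for the WAP computer
### account. 'msDS-AllowedToDelegateTo' lists the only SPN WAP may obtain
### tickets for; TrustedToAuthForDelegation enables protocol transition, which
### is required because the user never presented a Kerberos ticket to WAP.
### Keep the list to the published backends only (least privilege).
Import-Module ActiveDirectory
Set-ADComputer -Identity 'WAP01' -Add @{ 'msDS-AllowedToDelegateTo' = 'HTTP/sp.corp.contoso.com' }
Set-ADAccountControl -Identity 'WAP01$' -TrustedToAuthForDelegation $true

### Step 3 (AD FS server): register the backend as a non-claims-aware relying
### party. The authorization rule permits only members of one group (assumed
### SID placeholder) instead of the permit-all template.
$authzRule = @'
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)<group-SID>$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Add-AdfsNonClaimsAwareRelyingPartyTrust -Name 'SharePoint (non-claims)' `
    -Identifier 'https://sp.contoso.com/' `
    -IssuanceAuthorizationRules $authzRule

### Step 4 (WAP server): publish the application with AD FS pre-authentication
### and the backend SPN, which turns on KCD for this application.
Add-WebApplicationProxyApplication -Name 'SharePoint' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'SharePoint (non-claims)' `
    -ExternalUrl 'https://sp.contoso.com/' `
    -BackendServerUrl 'https://sp.corp.contoso.com/' `
    -ExternalCertificateThumbprint '<thumbprint>' `
    -BackendServerAuthenticationSPN 'HTTP/sp.corp.contoso.com'

### Step 5: verification. Confirm delegation is scoped to the single SPN and
### that the published app really uses AD FS pre-auth plus the expected SPN.
Get-ADComputer -Identity 'WAP01' -Properties 'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation' |
    Select-Object Name, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
Get-WebApplicationProxyApplication -Name 'SharePoint' |
    Format-List Name, ExternalPreauthentication, ADFSRelyingPartyName, BackendServerAuthenticationSPN
```

The check in step 5 is worth running periodically, not just at setup time: the WAP computer account is now a protocol-transition delegate, so any SPN that later appears in its 'msDS-AllowedToDelegateTo' list is a backend it can impersonate users to. The backend itself must still be set to Kerberos (Negotiate) authentication, as the reply above notes, or the delegated ticket is never consumed.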