SSO through the Web Application Proxy fails

  • Question

  • I have built a Windows 2012 R2 ADFS farm with 2 web application proxy servers. Internally I have directed my split brain DNS to point to the ADFS NLB IP. Externally DNS is set to the NLB of the Proxy servers. I am testing SSO by using the following URL https://sts.domainname.com/adfs/ls/idpinitiatedsignon. Internally it works as expected. I click on the sign on button and it signs in. However, when I run it externally it prompts for credentials. Upon entering my credentials it logs in as expected. Why is my web application proxy not forwarding on the logged in credentials?
    Friday, September 23, 2016 4:58 PM

Answers

  • You could deploy user certificates on domain joined laptop yes.

    If you have Windows 10 machines, you could also have a look here: Windows 10 Sign on – enabling device authentication with AD FS https://technet.microsoft.com/en-us/library/mt593303(v=ws.11).aspx (not covering all scenarios but if you are looking at SSO for Office 365 workload, it might do the trick).


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by dabriggs Monday, September 26, 2016 1:34 PM
    Friday, September 23, 2016 8:40 PM

All replies

  • This looks rather normal to me. You are doing Windows Integrated Authentication when connected internally, and you are doing Form Based Authentication when you are connected externally. Expected behavior.

    Friday, September 23, 2016 6:58 PM
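    An added example, written for this page rather than taken from either reply or from Microsoft, that makes the two points in the thread concrete: the reply above (the same idpinitiatedsignon URL gets Windows Integrated Authentication inside and forms outside because the farm applies different provider lists to intranet and extranet requests) and the marked answer (certificate or device authentication is what lets a domain laptop sign in silently through the proxy). It reads the AD FS global authentication policy, warns when no silent provider is enabled for extranet traffic, and optionally adds certificate authentication for the extranet or turns on device authentication. The `-EnableCertAuth` and `-EnableDeviceAuth` switches are parameters introduced for this script, not AD FS settings; the cmdlets are the standard ones in the ADFS module on Windows Server 2012 R2 and later, and the script supports `-WhatIf`.

```powershell
<#
  Added example, not code from the thread. Run on an AD FS server as an AD FS
  administrator. Without switches it only reports. -EnableCertAuth and
  -EnableDeviceAuth are parameters of this script, not AD FS settings.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$EnableCertAuth,
    [switch]$EnableDeviceAuth
)

Import-Module ADFS -ErrorAction Stop

$policy   = Get-AdfsGlobalAuthenticationPolicy
$intranet = @($policy.PrimaryIntranetAuthenticationProvider)
$extranet = @($policy.PrimaryExtranetAuthenticationProvider)

"Intranet primary providers : $($intranet -join ', ')"
"Extranet primary providers : $($extranet -join ', ')"
"Device authentication      : $($policy.DeviceAuthenticationEnabled)"

# The symptom from the question: requests that reach the farm directly (internal
# DNS) are matched against the intranet list, which normally contains
# WindowsAuthentication, so the browser's Kerberos ticket signs the user in.
# Requests that arrive through the Web Application Proxy are classed as
# extranet. The proxy does not relay the desktop logon, so unless a provider in
# the extranet list can authenticate without typing (a client certificate, or a
# registered device), the user lands on the forms page.
if ($intranet -contains 'WindowsAuthentication' -and
    $extranet -notcontains 'CertificateAuthentication' -and
    -not $policy.DeviceAuthenticationEnabled) {
    Write-Warning 'Extranet users will always be prompted: no silent provider is enabled for requests coming through the WAP.'
}

if ($EnableCertAuth -and $extranet -notcontains 'CertificateAuthentication') {
    # Keep FormsAuthentication in the list as the fallback for clients that
    # have no usable certificate.
    $newExtranet = $extranet + 'CertificateAuthentication'
    if ($PSCmdlet.ShouldProcess('AD FS global authentication policy',
            "Set extranet providers to: $($newExtranet -join ', ')")) {
        Set-AdfsGlobalAuthenticationPolicy -PrimaryExtranetAuthenticationProvider $newExtranet
    }
}

if ($EnableDeviceAuth -and -not $policy.DeviceAuthenticationEnabled) {
    # Needs the Device Registration Service initialised and enabled on the farm
    # first (Initialize-ADDeviceRegistration / Enable-AdfsDeviceRegistration).
    if ($PSCmdlet.ShouldProcess('AD FS global authentication policy',
            'Enable device authentication')) {
        Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true
    }
}

# Re-read the policy so the change can be verified in the same run.
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object PrimaryIntranetAuthenticationProvider,
                  PrimaryExtranetAuthenticationProvider,
                  DeviceAuthenticationEnabled
```

    Two caveats before relying on the certificate path through the proxy. On 2012 R2 the client-certificate endpoint listens on TCP 49443, so that port has to be published on the WAP and open from the Internet to the proxy and from the proxy to the farm, in addition to 443; and the CA that issues the user certificates has to be trusted by the AD FS servers. If either is missing the provider is listed in the policy but the browser falls through to the forms page, which looks exactly like the behaviour described in the question.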
  • Is there a way to set it so that our domain laptops will authenticate without the users needing to put in their credentials on domain and off?  Certificate authentication perhaps? 
    Friday, September 23, 2016 7:22 PM