So we're on ADFS 2.0 at the moment, and we are able to offer WIA or FBA by using split-brain DNS/hosts files and the ADFS Proxy servers. I can't seem to figure out how to duplicate this functionality with ADFS 3.0. The documentation seems to point to doing this, but it looks like publishing an application/RP trust with pass-through authentication breaks this ability unless you can create a custom user agent string on the browsers. This can be done on IE through group policy, but not on Chrome or Firefox at all it seems.
http://blog.kloud.com.au/2014/11/06/implementing-adfs-v3-0-forms-authentication-in-mixed-environments/
The example is Sharepoint 2010. We converted to SAML style claims a year and a half ago so that we could leverage SSO through WIA on-site and forms for some workstations and external users. I was able to get all 3 browsers on GP controlled machines to pass current session credentials through WIA for seamless sign-on to certain web resources. The only way I can publish the application as-is (without switching to Kerberos auth) is to use pass-through authentication, not ADFS pre-authentication.
I found this on the forums so far:
Internal network:
IE: Integrated Auth is enforced when talking directly to the ADFS servers. [good so far]
Firefox/Chrome: Form based is enforced when talking directly to the ADFS servers. [it looks like I can control this]
External network when ADFS is published with WAP:
Firefox/Chrome/IE: Form based is enforced when talking directly to the ADFS servers. [not true?]
https://social.msdn.microsoft.com/Forums/windowsapps/en-US/9ad5d062-2154-4915-94c7-1abfc3da7f23/adfs-30-form-based-authentication-is-not-working-properly-from-internet?forum=Geneva
To clarify how I have it set up in my test environment...
DC4 [10.10.10.4] - Domain controller, single ADFS server; set PublishAddress registry attribute to the IP of the DC, in a single host NLB at 10.10.10.5. An A record pointing to adfs.domain.net - 10.10.10.5 so that all internal clients go to DC4. Enabled FBA.
WebAppProxy [10.10.10.11] - imported certificate for the SharePoint URL and published using pass-through auth (publishing with ADFS pre-auth would give errors in the ADFS logs saying it was misconfigured). Created a hosts file entry for adfs.domain.net pointing to the back end server.
Client machine - created host file entry pointing to the WebAppProxy IP for adfs.domain.net.
Result: client gets prompted with WIA instead of FBA when trying to access SharePoint.
Halp?
-NOC
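As an added example (not part of NOC's post), the server-side half of the "custom user agent string" approach mentioned above: ADFS 3.0 (Windows Server 2012 R2) decides between WIA and forms for intranet requests by substring-matching the browser's User-Agent against the `WIASupportedUserAgents` list, while requests that arrive through the Web Application Proxy are classified as extranet and get the extranet policy. The token `CorpManagedBrowser/1.0` is an assumed value that a GP-managed browser would have to be configured to send; the `Test-WiaUserAgent` helper is written here for diagnosis and is not an ADFS cmdlet.

```powershell
# Added example: inspect and extend the User-Agent substrings for which ADFS 3.0
# offers Windows Integrated Authentication. Run on the ADFS server as an administrator.
Import-Module ADFS

# Assumed custom token; it only helps if the managed browsers actually send it.
$customToken = "CorpManagedBrowser/1.0"

# Current list (defaults include IE/Trident entries such as "MSIE 7.0; Windows NT" and "Trident/7.0")
$current = (Get-AdfsProperties).WIASupportedUserAgents
"Current WIA user agents:"
$current | ForEach-Object { "  $_" }

if ($current -notcontains $customToken) {
    # Append rather than replace so the default IE entries keep working
    Set-AdfsProperties -WIASupportedUserAgents ($current + $customToken)
    # Restart the federation service so the new list takes effect
    Restart-Service adfssrv
}

# Which primary providers apply to intranet vs extranet (proxy) requests;
# extranet is Forms only by default, which is why WAP-routed clients never see WIA
$policy = Get-AdfsGlobalAuthenticationPolicy
"Intranet providers: $($policy.PrimaryIntranetAuthenticationProvider -join ', ')"
"Extranet providers: $($policy.PrimaryExtranetAuthenticationProvider -join ', ')"

# Diagnostic helper (not an ADFS cmdlet): would this User-Agent be offered WIA
# on an intranet request, given the configured substring list?
function Test-WiaUserAgent {
    param([string]$UserAgent, [string[]]$Patterns = (Get-AdfsProperties).WIASupportedUserAgents)
    foreach ($p in $Patterns) {
        if ($UserAgent.Contains($p)) { return $true }
    }
    return $false
}

# Constructed sample User-Agent strings for a quick check
Test-WiaUserAgent "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"  # IE 11: expected $true
Test-WiaUserAgent "Mozilla/5.0 (Windows NT 6.3) Chrome/39.0 CorpManagedBrowser/1.0"  # custom token: $true
Test-WiaUserAgent "Mozilla/5.0 (Windows NT 6.3; rv:34.0) Gecko/20100101 Firefox/34.0"  # stock Firefox: $false
```

A stock Chrome or Firefox User-Agent matches nothing in the default list, so those browsers fall through to forms on the intranet unless a matching substring is added and the browser is made to send it.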