Hi,
I am working on a Deployment and hence testings few options with ADFS 3.0 MFA.
My setup is below.
WAP(ADFS Proxy)-------ADFS 3.0-----Active Directory
WAP is in WorkGroup and no DNS Configuration. ADFS Service Name DNS Record points to WAP IP Address. ADFS 3.0 Configured with MFA to use Certificate based Authentication.
User hits the ADFS Login Page and hits the WAP. WAP Provides the ADFS Form Based Authentication page. User Authenticates with Active Directory Credentials. ADFS loads the RP selection page. Post this selection, ADFS challenges for MFA i:e Certificate Authentication which works fine too.
Over-all everything works as expected so far.
What I am trying to find out is an option where I can change the Authentication Order during the above process, where Certificate Authentication happens first and then should be the Active Directory via FBA.
Honestly, the design of the Product would not allow this, as MFA configuration is per Relaying Party and it will be invoked after a successful AD Authentication. Though, I am not 100% sure on this.
Any help will be greatly appreciated.