I have deployed a simple AD FS infrastructure on Windows Server 2012 R2: 1x AD FS server on the corporate network + 1x WAP server in the DMZ.
IWA works fine for users on the internal network: when navigating to the IdpInitiatedSignon.aspx page and authenticating, the browser responds with a 'You have signed in' message.
However, if I try to authenticate from an internet-facing computer using FBA, the credentials appear to be accepted OK, but it just returns to an empty logon screen again. Oddly, if the credentials entered are invalid, a message is displayed to that effect.
I've enabled verbose logging and can see that a user appears to be authenticated correctly (event ID 4624 in the Security log) and that a token is issued to the user (event ID 299 in the Security log).
If I change the authentication settings in AD FS for the intranet, replacing Windows Authentication with Forms Authentication in the Global Authentication Policy, I get the same experience.
The servers are patched with all the latest hotfixes.
Can anyone advise as to why, when using FBA, I don't get the 'You have signed in' message?
I have a lab environment and don't have this issue - the only difference between the two is that the lab environment isn't patched, it is 2012 R2 as it rolled out of the factory!
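A diagnostic check along the lines described in the post, as an added example that is not part of the original post: it reads the Global Authentication Policy on the AD FS server and pulls the Security-log events the post mentions (4624 logon and 299 token issued) for a comparison between the patched and lab servers. It assumes the cmdlets of the `ADFS` module on Windows Server 2012 R2, that AD FS auditing is enabled so that event 299 reaches the Security log, and it uses a hypothetical lab user name as the filter.

```powershell
# Added example: inspect the AD FS authentication policy and correlate the
# logon/token events from the Security log. Run elevated on the AD FS server.
Import-Module ADFS

# 1. Which primary providers are configured for intranet vs. extranet?
#    Intranet normally lists WindowsAuthentication, extranet FormsAuthentication.
$policy = Get-AdfsGlobalAuthenticationPolicy
[PSCustomObject]@{
    Intranet = ($policy.PrimaryIntranetAuthenticationProvider -join ', ')
    Extranet = ($policy.PrimaryExtranetAuthenticationProvider -join ', ')
} | Format-List

# 2. Pull the last hour of the two event IDs the post refers to.
#    4624 = account logon, 299 = token successfully issued (AD FS auditing).
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 299; StartTime = $since } -ErrorAction SilentlyContinue

# 3. Filter to the test account (hypothetical name) and show the sequence,
#    so a 4624 followed by a 299 with no later error can be confirmed.
$testUser = 'labuser'   # assumption: the account used for the FBA test
$events |
    Where-Object { $_.Message -match $testUser } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Running the same script on the lab server gives a side-by-side view of the policy and the event sequence; if the policies match and both servers log 4624 followed by 299 for the same user, the difference lies after token issuance (on the sign-in page or the WAP proxy) rather than in authentication itself.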