ADFS 3.0 Windows Integrated Authentication only works on Intranet, not through proxies

Hi!

It might be that this is a newbie question, but I'm running out of ideas.

We have ADFS running on the MS-suggested configuration, with 2 servers running as an ADFS farm and 2 ADFS proxies with hardware LBs feeding the incoming traffic to them.

Computers are domain-joined Win7/8/8.1, using IE10 & 11. GPO sets the DNS name of the service URL as an "intranet site".

Configuration uses "split-brain" DNS (like MS suggests) meaning internal DNS points directly to ADFS Farm servers, external DNS to the Proxy servers, both with same URL.

All servers are 2012 R2, with all the latest patches.

I've run the security configuration wizard on the Proxy servers, which is one item that I fear could be causing the issue...

Symptoms are that when clients go to https://ADFSservername.domain.com/adfs/ls/idpinitiatedsignon, on the LAN connection they are signed in automatically when they press "sign in to this site". From the internet (through the proxies), they are prompted for credentials. If they do give the credentials, authentication works.

I've searched all the logs and captured traffic etc. but I cannot pinpoint the problem. It SHOULD work. :)

Any ideas, anyone? All help is greatly appreciated.

April 21st, 2015 8:52am

Hi,

For ADFS questions, in order to get better and more help, it's recommended that we ask for suggestions in the following forum.

Claims based access platform (CBA), code-named Geneva

https://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva

Best regards,
Frank Shen

April 22nd, 2015 2:39am

Hi Frank,

Thanks, I did, and in case some other admin is looking for the same topic, I got a response:

This is per design. When on the Intranet your clients/users are logged on to your domain, which makes it possible for Integrated Windows Authentication to provide SSO. This is not possible from the Internet, as there is no way to get SSO when authenticating through the Proxy/WAP, so instead users must enter their credentials.

So it was a newbie question. :)

April 23rd, 2015 12:33am

ADFSservername.domain.com should be added to Trusted Sites in IE. Remove both forms-based and certificate authentication for the extranet from the global authentication settings (ADFS).

April 23rd, 2015 2:20am
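The following PowerShell is an added example, not code posted by anyone in this thread. It shows the two checks an admin would run before touching the global authentication policy: what the farm currently offers on the intranet and extranet, and whether the client's IE zone assignment actually places the federation service host in the Intranet zone with automatic logon allowed. The host name is taken from the original post; the registry paths and the choice of providers are assumptions stated in the comments. Note that the AD FS 3.0 management console only offers Forms and Certificate authentication for the extranet (Windows authentication is intranet-only), so removing both extranet providers would leave the proxy-published endpoint with no sign-in method at all; the example keeps Forms for the extranet.

```powershell
# Added example (not from the thread). Assumes it is run by an AD FS
# administrator on a farm node for the server-side part, and on a
# domain-joined client for the client-side part.
Import-Module ADFS

# Host name from the original post; assumed to be the federation service name.
$fsHost = 'ADFSservername.domain.com'

# --- Server side: what does the farm offer per network location? ---
function Get-AdfsAuthSummary {
    $policy = Get-AdfsGlobalAuthenticationPolicy
    [pscustomobject]@{
        Intranet = ($policy.PrimaryIntranetAuthenticationProvider -join ', ')
        Extranet = ($policy.PrimaryExtranetAuthenticationProvider -join ', ')
        # IE only attempts Integrated Windows Authentication if its user agent
        # matches one of these patterns; worth checking when SSO fails on the LAN.
        WIAUserAgents = ((Get-AdfsProperties).WIASupportedUserAgents -join ', ')
    }
}

Get-AdfsAuthSummary | Format-List

# Intranet: Windows authentication first so domain-joined IE clients get SSO,
# forms as fallback for non-domain browsers. Extranet: forms only, because
# requests arriving through the Web Application Proxy cannot be authenticated
# with Kerberos/NTLM. (Assumed target configuration, not the thread's advice.)
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication', 'FormsAuthentication') `
    -PrimaryExtranetAuthenticationProvider @('FormsAuthentication')

# --- Client side: is the host really in the Intranet zone, and will IE
#     send the logged-on user's credentials there automatically? ---
function Test-IeIntranetZone {
    param([Parameter(Mandatory)][string]$HostName)

    $label  = $HostName.Split('.')[0]
    $domain = $HostName.Substring($label.Length + 1)

    # Site-to-Zone Assignment (GPO) lands under the Policies hives; manual
    # entries land under HKCU. Zone 1 = Local intranet, 2 = Trusted sites.
    $roots = @(
        'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
        'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    )
    $zone = $null
    foreach ($root in $roots) {
        foreach ($key in @("$root\$domain\$label", "$root\$HostName")) {
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
                if ($null -ne $props.https) { $zone = $props.https; break }
                if ($null -ne $props.'*')   { $zone = $props.'*';   break }
            }
        }
        if ($null -ne $zone) { break }
    }

    # 1A00 in the zone's settings controls logon: 0 = automatic logon with the
    # current user name and password, 0x10000 = prompt, 0x20000 = automatic
    # logon only in the Intranet zone, 0x30000 = anonymous. Zone 1 defaults to 0.
    $logon = $null
    if ($null -ne $zone) {
        $zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
        $logon = (Get-ItemProperty -Path $zoneKey -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
    }

    [pscustomobject]@{
        Host          = $HostName
        Zone          = $zone          # 1 = Intranet (what IWA needs by default)
        LogonSetting  = $logon         # 0 means credentials are sent automatically
        WIAWillBeUsed = ($zone -eq 1 -and $logon -eq 0)
    }
}

Test-IeIntranetZone -HostName $fsHost | Format-List
```

Run the server-side part once on any node of the farm (the policy is farm-wide) and the client-side function on a workstation that is prompted for credentials on the LAN. If `WIAWillBeUsed` is false on the LAN, the fix is the zone assignment on the client, not the AD FS policy; if the prompt only appears from the Internet, the behaviour matches the answer above and no change to the farm will make the proxy path silent.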

