ADFS Authentication

Hello everyone,

I hope I chose the right forum.

I have a Windows Server 2012 R2 with an ADFS and DIRSync.

The test ADFS Server (without WAP) has activated the FBA and WIA.

Every time I connect from the Internet or intranet, the ADFS chooses WIA and not FBA.

I test it with a non-domain-joined Server.

How does the ADFS decide which authentication to use?

Thanks

August 31st, 2015 12:59pm

The default authentication configuration for the ADFS service (in C:\inetpub\adfs\ls\web.config) is Integrated Windows Authentication.

http://social.technet.microsoft.com/wiki/contents/articles/1600.ad-fs-2-0-how-to-change-the-local-authentication-type.aspx

From the blog:

By default AD FS 2.0 Federation Servers use IWA and AD FS 2.0 Federation Server Proxy servers use FBA. The reason for this is because we assume that you would prefer no credential prompt for your internal users who can directly contact your internal Federation Servers, and we also assume that users who are coming from the internet via the Federation Server Proxy servers would not be able to experience integrated Windows authentication, thus a customizable forms-based page is the best fit.

If you prefer to select a non-default local authentication type, perform the following steps:

  1. In Windows Explorer, browse to C:\inetpub\adfs\ls (assuming that inetpub lives in C:\)
  2. Select web.config and Edit in Notepad
  3. Find (Ctrl+F) <localAuthenticationTypes>
  4. There are four lines below <localAuthenticationTypes>. Each line represents one of the local authentication types listed above.
  5. Cut your preferred local authentication type (the entire line), and Paste it to the top of the list (under <localAuthenticationTypes>)
  6. Save and Close the web.config file

Note: There is no need to restart IIS or make any further changes. Your change will be immediately picked up by IIS since you edited the web.config.

Example:

If I want to change the local authentication type for my internal Federation Servers from IWA to FBA, the resultant web.config section would look like this:

<microsoft.identityServer.web>
    <localAuthenticationTypes>
      <!-- first entry is the type IIS offers by default -->
      <add name="Forms" page="FormsSignIn.aspx" />
      <add name="Integrated" page="auth/integrated/" />
      <add name="TlsClient" page="auth/sslclient/" />
      <add name="Basic" page="auth/basic/" />
    </localAuthenticationTypes>
    <!-- other settings of this section omitted -->
</microsoft.identityServer.web>

August 31st, 2015 1:30pm
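The cut-and-paste steps above can be done from a script, which is handy when several AD FS 2.0 federation servers must end up with the same order. The following PowerShell is an added example, not code from the thread or from the linked article; the web.config path is the article's assumed default install path, and the type names are the four that appear in the article's sample.

```powershell
# Added example: make one <localAuthenticationTypes> entry the default in an
# AD FS 2.0 web.config by moving it to the top of the list (first entry wins).
param(
    # Assumed default install path, as in the linked article
    [string]$WebConfig = 'C:\inetpub\adfs\ls\web.config',
    [ValidateSet('Forms', 'Integrated', 'TlsClient', 'Basic')]
    [string]$Preferred = 'Forms'
)

# Keep a copy: this file controls how every user authenticates to the service
$backup = "$WebConfig.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -Path $WebConfig -Destination $backup

[xml]$xml = Get-Content -Path $WebConfig -Raw
$list = $xml.SelectSingleNode('//localAuthenticationTypes')
if (-not $list) { throw "No <localAuthenticationTypes> section found in $WebConfig" }

$node = $list.SelectSingleNode("add[@name='$Preferred']")
if (-not $node) { throw "No <add name='$Preferred'> entry present in $WebConfig" }

# Same as the article's step 5: cut the line and paste it directly under the opening tag
[void]$list.RemoveChild($node)
[void]$list.PrependChild($node)
$xml.Save($WebConfig)

# Print the resulting order so the change can be verified on each server
"Backup written to $backup"
"Local authentication types, in priority order:"
$list.SelectNodes('add') | ForEach-Object { "  " + $_.GetAttribute('name') }
```

Run it once per federation server; as the article notes, IIS picks up the edited web.config without a restart, so check the printed order and then test a sign-in from a non-domain-joined client.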

Thank you for your reply.

I have one note: on ADFS 3.0 IIS is not installed, so you can't customize the web.config.

But the general information about how ADFS decides which authentication to use is great.

I will extend my test environment with a WAP Server.

Thank you!

August 31st, 2015 1:57pm

Steve-

You'll want to have a look at the user agent detection feature in AD FS. This will let you tell AD FS which AuthN method to pick on a dynamic basis. Here's a good link on the topic - http://blog.kloud.com.au/2014/11/06/implementing-adfs-v3-0-forms-authentication-in-mixed-environments/

August 31st, 2015 3:30pm
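For AD FS 3.0 on Windows Server 2012 R2, where the earlier reply noted there is no IIS web.config to edit, the intranet/extranet provider lists and the user-agent detection mentioned above are both configured through the ADFS PowerShell module. The following is an added example, not code from the thread or from the linked blog; the cmdlets and property names are the module's own, while the user-agent strings in step 3 are values chosen for this example and should be replaced with the browsers you actually want to receive a WIA challenge.

```powershell
# Added example: inspect and adjust how AD FS 3.0 chooses between WIA and forms.
# Requests that arrive through a Web Application Proxy count as extranet; anything
# else (including the poster's non-domain-joined test box) is treated as intranet.
Import-Module ADFS

# 1. Providers offered on each side. With no WAP in place only the intranet list applies.
$policy = Get-AdfsGlobalAuthenticationPolicy
"Intranet providers : $($policy.PrimaryIntranetAuthenticationProvider -join ', ')"
"Extranet providers : $($policy.PrimaryExtranetAuthenticationProvider -join ', ')"

# 2. On the intranet path a browser gets a WIA challenge only if its User-Agent
#    contains one of these substrings; every other browser is sent to the forms page.
$props = Get-AdfsProperties
"WIA user agents    : $($props.WIASupportedUserAgents -join ', ')"

# 3. Limit WIA to the agents you expect on domain-joined machines (example values,
#    not the product defaults). Everything else then lands on forms authentication.
$wiaAgents = @('MSIE 10.0', 'MSIE 9.0', 'Trident/7.0', 'MSAuthHost/1.0/In-Domain')
Set-AdfsProperties -WIASupportedUserAgents $wiaAgents

# 4. Alternatively, take WIA out of the intranet policy altogether so the forms
#    page is used for every client, the 3.0 equivalent of putting "Forms" first
#    in the old localAuthenticationTypes list.
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider 'FormsAuthentication'

# Re-read and print the effective settings so the change can be verified
$policy = Get-AdfsGlobalAuthenticationPolicy
"Intranet providers now: $($policy.PrimaryIntranetAuthenticationProvider -join ', ')"
"WIA user agents now   : $((Get-AdfsProperties).WIASupportedUserAgents -join ', ')"
```

Steps 3 and 4 are two different answers to the original question: step 3 keeps WIA for known domain browsers and uses the User-Agent to route the rest to forms, while step 4 removes WIA from the intranet side entirely. Pick one, then test from a domain-joined and a non-domain-joined client to confirm which page each receives.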

Hi,

Here is a related blog for you:

ADFS Deep-Dive: Primer

http://blogs.technet.com/b/askpfeplat/archive/2014/08/25/adfs-deep-dive.aspx

In addition, here is a dedicated ADFS forum for you:

Claims based access platform (CBA), code-named Geneva Forum

http://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva

Best Regards,

Amy

September 1st, 2015 10:38pm
