Claims based authentication on single site RRS feed

  • Question

  • We have a SharePoint 2013 web application called https://intranet.internaldomainname.com and have configured an Internet URL called https://sharepoint.externaldomainname.com for external access. This web application has not been extended.  ADFS 3.0 is also configured and all ports are open. Note the internal and external domain names are not the same.

    Basically we want claims based authentication to be used both internally and externally. Does this require two separate relying trusts configured in ADFS and SPTrusted identities setup on SharePoint to work?

    Tuesday, May 24, 2016 10:55 PM


  • Adding to the current Identity Provider worked as above.
    Thursday, May 26, 2016 2:18 PM

All replies

  • Hi AllyRussell,

    What did you mean that this web application has not been extended? Did you configure AAM(Alternate Access Mapping) for the web application?

    In SharePoint 2013, Claims Authentication Types is set for each web application zone. From your description, it seems that you have configured AAM for the web application, you need to set Claims Authentication Types for the two zones individually (internal and external).

    Best Regards,


    TechNet Community Support
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, May 25, 2016 6:19 AM
  • Hi Wendy,

    Apologies for the terminology, knowledge is not great with SharePoint. The public URL for the Default zone is https://intranet.internaldomainname.com and I added an AAM URL of https://sharepoint.externaldomainname.com in the Internet zone. Not sure if this is correct, when I go to the authentication provider options of the web application to set the claims authentication I only get the option for the default zone so this may be incorrectly configured.

    This is a single web application called https://intranet.internaldomainname.com with host headers set in IIS for this to include https://sharepoint.externaldomainname.com. I have a relying trust and SharePoint configured for claims to work internally, my thinking was to add an additional relying trust for the external URL, it may be that this is not possible or the wrong way to do it?

    Wednesday, May 25, 2016 11:54 AM
  • When you say 'Claims' do you mean you want to use some sort of forms based authentication or are you going to be using windows identities for access (no matter where the users are coming from?).

    People tend to misunderstand classic mode vs claims mode so the more you describe about what you mean the easier it is to understand what you're trying to achieve and what isn't working.

    Wednesday, May 25, 2016 12:44 PM
  • Then only method we wish to use is SAML token-based authentication. Basically I need to know how to best set this up externally as well going by the current setup detailed above.

    Wednesday, May 25, 2016 1:09 PM
  • Then you want a single identity provider to handle both internal and external authentication.
    Wednesday, May 25, 2016 1:13 PM
  • Ok, this was my initial thought but was unable to get this working properly. In ADFS the following was setup for the Relying Party Trust:

    WS-Federation Passive Endpoint - https://intranet.internaldomainname.com

    Relying Party Identifier - urn:internal:sp2013 and https://intranet.internaldomainname.com

    On SharePoint we had configured an identity provider with the realm matching urn:internal:sp2013 and the uri matching https://intranet.internaldomainname.com.

    This works fine but obviously when you access the URL https://sharepoint.externaldomainname.com externally it obviously redirects to https://intranet.internaldomainname.com and fails at this is not resolvable externally.

    What is the best way to ensure internal and external access using a single identity provider?

    Wednesday, May 25, 2016 1:37 PM
  • Found the following article which may help and fits with Alex saying we want a single identity provider. I have created a new relying party trust in ADFS with the external url and urn identifier and will use the following commands on SharePoint to add the additional external url and create new realm for it:

    $tp = Get-SPTrustedIdentityTokenIssuer –Identity “<Your Provider name here>”

    $uri = new-object System.Uri("<your HNSC URL>")
    $tp.ProviderRealms.Add($uri, "<your Realm for the newly created Relying Party>")


    Sounds like what we require and makes sense, will attempt this shortly.

    Wednesday, May 25, 2016 2:17 PM
  • Adding to the current Identity Provider worked as above.
    Thursday, May 26, 2016 2:18 PM