ADFS 3.0 Form Based Authentication is not working properly from internet

  • Question

  • Hi,

    We have 2 ADFS 3.0 servers load balanced by F5. F5 is behaving as a proxy as we don't have WAP for our ADFS farm. Currently Windows Integrated Authentication is being set for intranet and Forms based Authentication is being set for extranet users in ADFS. Forms based authentication works fine when you access the ADFS URL from Mozilla or Firefox, but when you use IE you get a Windows Integrated Authentication prompt from the internet. We are unable to understand and troubleshoot why users are getting Windows Integrated Authentication from the internet although we have FBA when traffic is coming through the internet. Is there something I am missing in my configuration?

    Any suggestion will be highly appreciated. Thanks.


    Regards, Riaz Javed Butt | Consultant Microsoft Professional Services MCITP, MCITP (Exchange), MCSE: Messaging, MCITP Office 365 | msexchgeek.wordpress.com

    Wednesday, August 27, 2014 10:17 PM

All replies

  • For some reason ADFS only sees traffic coming from WAP as "Extranet" traffic. Maybe you can check if WAP sends some kind of header towards the ADFS server and you are able to script the F5 to also send that header?

    There is a free full demo environment available including ADFS 2012R2 + WAP server + clients over here which runs from your browser:

    http://go.microsoft.com/?linkid=9842896 

    Maybe you can capture anything over there about the inner workings of ADFS detecting Extranet Traffic?


    Find me on linkedin: http://nl.linkedin.com/in/tranet


    • Edited by Robin Gaal Thursday, August 28, 2014 7:50 AM
    Thursday, August 28, 2014 7:50 AM
  • Robin,

    Thank you for your kind response. But I am not satisfied with this design of ADFS, that if we don't have WAP then ADFS will consider all the traffic coming to ADFS servers as intranet, not extranet. Do we have this written somewhere in TechNet? Thanks.


    Regards, Riaz Javed Butt | Consultant Microsoft Professional Services MCITP, MCITP (Exchange), MCSE: Messaging, MCITP Office 365 | msexchgeek.wordpress.com

    Thursday, August 28, 2014 9:08 PM
  • Hi

    I am also seeing this behaviour. What is strange is that I have another system, set up in an identical way, and this works perfectly, even in IE - that is, we get Integrated (seamless) authentication internally and Forms authentication externally. I just can't see why this is happening.

    Ben

    Thursday, October 23, 2014 4:32 PM
  • Considering the WIA agent settings are left default it works as follows:

    Internal network:

    IE: Integrated Auth is enforced when talking directly to the ADFS servers.

    Firefox/Chrome: Form based is enforced when talking directly to the ADFS servers.

    External network when ADFS is published with WAP:

    Firefox/Chrome/IE: Form based is enforced when talking directly to the ADFS servers.

    External network when ADFS is published with other proxy technologies:

    Acts identical to internal network scenario being

    IE: Integrated Auth is enforced when talking directly to the ADFS servers.

    Firefox/Chrome: Form based is enforced when talking directly to the ADFS servers.

    Friday, October 24, 2014 12:08 PM
  • Hello together,

    According to this article "Using a Third-Party Proxy as a Replacement to an AD FS 2.0 Federation Server Proxy" (unable to post links yet, so search for it on TechNet):
    "An HTTP header (“X-MS-Proxy”) MUST be added to any request under /adfs. The value of the header should be the proxy machine host name. For example, the following header would be added to a request which is handled by a proxy running on PROXY-MACHINE: ‘X-MS-Proxy = PROXY-MACHINE’"

    This appears to be valid also for ADFS 3.0.

    We're also testing a third-party proxy, and modifying the header allows our ADFS to recognize requests coming from the proxy as from an External location, and this brings us to Form-Based Authentication.

    OK

    Sunday, November 16, 2014 6:14 PM
  • Oleg, how did the test go? Any other learning points?

    I've got a similar case with IronPort Web Appliance, and it would be great to know this works before attempting to fiddle with headers :)

    Thursday, December 4, 2014 7:46 AM
    Has anyone been able to test this with F5? Any instructions on adding the header?

    Thanks,

    Tuesday, January 6, 2015 10:17 PM
    I did something really similar to this in my test environment for another reason, but close. Here is what I had to do.

    Set up the F5 profile to be an HTTP profile with SSL termination. You must do this in order for the F5 to be able to modify the HTTP header. Therefore the SSO cert with the private key must be on the F5 so that it can re-encrypt the data to send it on.

    WARNING: This configuration will break the Web Application Proxy due to the proxy certs between the WAP and ADFS, which expire every 2 weeks. If you are using a WAP through the F5 as well, you must configure a separate configuration with a different VIP for the WAP connection. It should be a Fast Layer 4 configuration so that it will just pass the traffic straight through from the WAP to ADFS (using a hosts file entry to point to the different VIP). This will allow the WAP to continue to function.

    In order to modify the HTTP header for the client to ADFS requests, you need to put an iRule on the F5 HTTP profile that looks like this:

    when HTTP_REQUEST {
        # Pass the original client address on to ADFS in the header it expects
        HTTP::header insert X-MS-Forwarded-Client-IP [IP::client_addr]
    }


    Friday, March 13, 2015 5:06 PM
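An added example, not posted by anyone in this thread: an iRule that combines the X-MS-Proxy header quoted from the TechNet article above with the client-IP header from the iRule above, so that the F5 marks requests reaching the ADFS farm as extranet traffic. It assumes the HTTP profile with SSL termination described above, and "F5-PROXY" is a placeholder for the proxy host name.

```tcl
# Added example: F5 iRule that tags /adfs requests as coming through a proxy.
# Assumes an HTTP profile with SSL termination so headers can be modified.
# "F5-PROXY" is a placeholder for the actual proxy host name.
when HTTP_REQUEST {
    # Only requests under /adfs need the proxy headers.
    if { [string tolower [HTTP::path]] starts_with "/adfs" } {
        # Do not trust these headers from the client: remove any copy the
        # client sent before inserting the values set by this proxy, so that
        # only traffic that actually traversed the F5 carries them.
        HTTP::header remove "X-MS-Proxy"
        HTTP::header remove "X-MS-Forwarded-Client-IP"
        # Value of X-MS-Proxy is the proxy machine host name.
        HTTP::header insert "X-MS-Proxy" "F5-PROXY"
        # Original client address, as in the iRule above.
        HTTP::header insert "X-MS-Forwarded-Client-IP" [IP::client_addr]
    }
}
```

To confirm it works, capture a request on one of the ADFS servers and check that X-MS-Proxy is present only on requests that arrived via the F5 VIP; requests from the LAN that reach ADFS directly should not carry it and should still get Integrated authentication in IE.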
    Sorry for the late update guys, but the issue has been resolved. The issue was with the network device, and once we resolved the issue with the network everything worked fine. Thanks for your feedback though.

    Regards, Riaz Javed Butt | Consultant Microsoft Professional Services MCITP, MCITP (Exchange), MCSE: Messaging, MCITP Office 365 | msexchgeek.wordpress.com

    Thursday, April 2, 2015 4:59 PM
    What network device are you referring to, RjButt? What was the issue?
    Wednesday, April 22, 2015 1:38 PM