ADFS, SharePoint On-prem - adfs

We have a SharePoint 2016 farm with 8 servers. Also, a load balancer server balances the requests between the web-front-end servers. The web application is configured to use ADFS as an additional authentication provider, while the default, "Windows Authentication NTLM", is also in use at the same time in the default zone. As the web application has two authentication providers, ADFS and Windows, the user has to select the authentication method every time. If "Windows auth" is selected, the user enters his or her internal Active Directory account manually to log in; if the user selects ADFS, the request goes to ADFS and is redirected to the Azure login as the relying party, and a claim is configured. The ADFS part is OK for me as it is working as expected.
But I want to resolve the intranet users within the intranet network itself (pass-through authentication). As we know, ADFS has the capability to authenticate intranet users on the company network by setting the ADFS property with Set-AdfsProperties -IntranetUseLocalClaimsProvider $true, so that all intranet users use AD and are not redirected to Azure AD, but somehow it's not affecting anything. The cmd runs successfully but it is not working.
Is there any additional configuration related to ADFS or SharePoint which needs to be done to achieve pass-through authentication or auto-login for intranet users who have logged into their machine using AD accounts?
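An added read-only diagnostic (not from the original question or from Microsoft) for the AD FS settings that decide whether an intranet browser gets Windows Integrated Authentication or is sent to another claims provider; it also covers the "IWA is browser functionality" point raised in the SSO answer further down. It assumes an AD FS 2012 R2 or 2016 server, the AD FS PowerShell module, and placeholder names for the SharePoint relying party trust and the local claims provider; it does not cover the SharePoint side of the configuration.

```powershell
# Added diagnostic: inspect why intranet users may still be redirected away
# from the local Active Directory claims provider. Read-only; nothing is changed.
Import-Module ADFS

$RelyingPartyName   = 'SharePoint Intranet'   # placeholder: your SharePoint RP trust name
$LocalClaimsProvider = 'Active Directory'     # built-in local claims provider trust

$findings = New-Object System.Collections.Generic.List[string]

# 1. The property the question sets. It only applies to requests AD FS
#    classifies as intranet (reaching the federation server directly, not via
#    the Web Application Proxy) and only makes AD FS prefer the local provider
#    instead of showing Home Realm Discovery.
$props = Get-AdfsProperties
if (-not $props.IntranetUseLocalClaimsProvider) {
    $findings.Add('IntranetUseLocalClaimsProvider is $false')
}

# 2. The intranet policy must offer Windows Integrated Authentication, and the
#    browser User-Agent must match WiaSupportedUserAgents or AD FS falls back
#    to Forms. That is the "browser functionality" part of IWA.
$policy = Get-AdfsGlobalAuthenticationPolicy
if ($policy.PrimaryIntranetAuthenticationProvider -notcontains 'WindowsAuthentication') {
    $findings.Add('WindowsAuthentication is not an intranet primary provider')
}
$findings.Add("WiaSupportedUserAgents: $($policy.WiaSupportedUserAgents -join ', ')")

# 3. If the relying party trust pins ClaimsProviderName to the Azure AD
#    provider only, the local provider can never be chosen regardless of step 1.
$rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
if ($null -eq $rp) {
    $findings.Add("Relying party trust '$RelyingPartyName' not found")
}
elseif ($rp.ClaimsProviderName -and ($rp.ClaimsProviderName -notcontains $LocalClaimsProvider)) {
    $findings.Add("RP trust restricts claims providers to: $($rp.ClaimsProviderName -join ', ')")
}

# 4. The local claims provider trust itself must be enabled.
$cp = Get-AdfsClaimsProviderTrust -Name $LocalClaimsProvider
if ($cp -and -not $cp.Enabled) {
    $findings.Add("Claims provider '$LocalClaimsProvider' is disabled")
}

if ($findings.Count -eq 0) { Write-Output 'No blocking AD FS setting found' }
else { $findings | ForEach-Object { Write-Output $_ } }
```

Run it on a federation server after changing any of these settings; property changes made with Set-AdfsProperties are commonly followed by a restart of the adfssrv service before retesting from an intranet browser.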

Related

Can I use forms authentication if machine is not part of a domain?

I have successfully configured forms authentication in an ASP.NET website and am able to log in using my domain account. I am now deploying to our UAT server, which is hosted on Amazon; the UAT server is not part of a domain and is in a workgroup. I have created a local user and am trying to log in but am unable to. I have tried these user name combinations:
machinename\username
.\username
username
Can I use forms authentication if machine is not part of a domain?

ASP.Net Application SSO with ADFS

My application is an ASP.Net 4.0 WebForms application. It runs on a SaaS-based model and is deployed on the Internet.
One of the clients wants to use ADFS for an SSO implementation.
When a user is logged into the domain on the local intranet and tries to open the application deployed on the Internet, he should be automatically logged into the application.
The process flow will be:
User Logged into Domain
Open Browser and try to open Internet application
Authenticate user with ADFS and Valid user then return the Claims
Any blog or MSDN article on how to configure ADFS? (We did it at our end, but when the user is redirected to ADFS it again asks for a login from ADFS.)
How to achieve this?
You are talking about IWA - refer to this (page down).
Note this is browser functionality.
Create RP trust here.

How to fallback authentication from ADFS to form-based

We have an ASP.NET application using Forms authentication (ASP.NET Membership). Now we want to make it a claims-aware ASP.NET application in the scenario below:
ADFS acts as an IP-STS for intranet (AD) users
If the AD user is not mapped to an ASP.NET Membership user, or the mapped ASP.NET Membership user does not have permission to access the application --> fall back to forms authentication (an external IP-STS)
If the end user accesses the application from outside the domain, we don't want ADFS to prompt for Windows credentials. We would like to redirect the end user to our external IP-STS using forms authentication.
Is this scenario achievable? Or is there any other possible solution? And how should I setup/configure my application?
Thanks
The classic solution to this problem is to have two ADFS with a split DNS.
Internal users redirect to an ADFS in the Intranet configured for WIA.
External users redirect to an ADFS in the DMZ configured for FBA.
For your second point, it is not clear if this is an internal or external user.
If external (i.e. FBA), then you can modify the Forms login page, access AD yourself and redirect appropriately.

ADFS 2.0 for the users to access through intranet and internet

I am developing an ASP.NET web application which should be accessible to users from both the intranet and the internet. Could you suggest the approach to implement this with ADFS 2.0?
The requirement is that when users are logged in on the intranet, authentication to the app should be seamless without entering a user id and password, whereas when the same users are accessing it from outside the intranet it should take their email id and password as credentials and authenticate.
You can put an ADFS proxy in front of ADFS for external users which by default uses Forms.
Internal users will get Windows Auth.
ADFS out of the box only allows authentication with a user name.
You would have to do some custom development - refer to Adjusting the Home Realm Discovery page in ADFS to support Email Addresses.

Single sign on between ASP.NET app and Office365 with on-premise ADFS STS

I'm building an ASP.NET web app that authenticates users with Windows Identity Foundation.
The organization has an on-premise ADFS STS. Their Office365 authenticates through Microsoft Federation Gateway with the on-premise STS. The new web app will also authenticate against the on-premise STS with WIF.
Can I establish silent single sign-on between the new app and the Office365 environment, so that the user will not have to log into Office365 once he is logged into the web app, and vice versa?
Yes, you should be able to accomplish this by federating your ASP.NET application with Office365 directly. As you probably already know, typically the way this works is you have Office365 synced to on prem AD, and you have a trust set up with the on-prem ADFS server. When you're signing in to your web application the user gets redirected to Office365 to type in their UPN (typically the email address). Office365 uses that to figure out which on-prem ADFS server to redirect you to.
If you're logging on from within the domain, you get authenticated right away via windows integrated auth. ADFS will redirect you back to Office365 to establish a session, and Office365 will log you in to the application itself. If you're outside of the domain, you'll need an ADFS external proxy set up. There, instead of windows integrated auth, this special ADFS proxy will prompt the user for corporate credentials, and then redirect back to Office365 in the same way as before.
Here's a nice whitepaper that explains all of this in more detail:
http://www.microsoft.com/download/en/details.aspx?id=28971
