ADFS 2.0 (for office365) configuration questions

Posted on 2014-03-17
Last Modified: 2014-03-20
Hi all,
Ok - so I apologize in advance - this is a few questions rolled up into one - but here goes...

We have an Office365 E subscription. It's been set up for a while now, and working well. We have DirSync and ADFS set up for "SSO", which works. However, I am not sure if it works in the best possible manner.

We have ADFS deployed on our local LAN here. One ADFS server and one ADFS Proxy server (in a DMZ). However, for the domain that we have federations setup for, we do not have internal DNS, only external. This domain is configured in AD as a UPN suffix, and all users use it. For example, our AD domain is:
NetBIOS Name: Internal
AD FQDN Domain:

The UPN we are using is just
We do not have internal DNS for the CORP.COM domain.

So, when ADFS was set up, and we created the external DNS record for, we ended up implementing DNS doctoring on our Cisco firewall to deal with it. So, it has always been that I have a consistent experience whether on site or remote; when I open a browser and navigate to
1. Land at the Office365 Login Page; I put in my username
2. Get redirected to, and enter my credentials
3. Get redirected back to the Office365 resource.

As I said, this works just fine. However, I am "learning" that if I am on the local LAN, I should not have to go through all of that. I should be authenticated more seamlessly (i.e. not have to see both the Office365 login screen and the STS login screen)? Is this true?
Question by:nacAdmin
LVL 39

Expert Comment

ID: 39935127
It can be true.

For users on the local LAN and for the ADFS proxy in your DMZ, "" should resolve to the internal IP of the ADFS.  For everyone else (i.e. the internet), "" should resolve to the public IP that gets directed to your ADFS proxy.

The process that you're seeing above is forms-based authentication, which is what the ADFS proxy uses.  If you use Windows Integrated authentication, then it is possible to skip entering credentials on the forms page.  The ADFS proxy cannot use Windows Integrated authentication, but the ADFS can.  Furthermore, your browser has to be configured to trust the FQDN "" to pass on the credentials automatically, otherwise you will still get a prompt for credentials (just not the forms page).

Author Comment

ID: 39935228
Thanks for the response @footech

So, the first part of your response:
For users on the local LAN and for the ADFS proxy in your DMZ, "" should resolve to the internal IP of the ADFS.  For everyone else (i.e. the internet), "" should resolve to the public IP that gets directed to your ADFS proxy.
... We do achieve this with the DNS doctoring I mentioned - so external clients resolve to the public IP, and internal LAN clients to the internal IP.

The second part of your response - I am not sure if I understand completely (what the experience could be)...

So, if I am on the local LAN, and I navigate to
1. On the portal sign-in page, I enter my user name ""
2. I am redirected to the page, but - with the proper config - integrated auth happens, and I am directed back to the Office365 resource.

If everything is setup properly, is this an achievable end result? Or did I misunderstand?

LVL 39

Expert Comment

ID: 39935496
So when you enter a user at, and then go to enter the password it says "Redirecting".  If you actually get redirected to another page in the browser to enter credentials, that is forms-based auth.  But if you get a pop-up to enter credentials, that is Windows Integrated auth.  I'm not clear on which one you are currently experiencing (particularly with internal clients).

If you're not getting the second one, then some adjustments need to be made.

When you have Windows Integrated auth. allowed, and the browser properly configured, then the process is:
1. On the portal sign in page, I enter my user name "".  After it says "Redirecting"
2. the browser automatically passes the credentials of the logged on user and you arrive at the OWA page.

Author Comment

ID: 39935531
@footech -

Sorry if I wasn't clear...

I am not getting any pop-ups for integrated auth at any point; I only get the forms auth based page from ADFS Proxy (when internal and external).

So, aside from configuring my browser, would there be anything I have to do on ADFS Proxy?

LVL 39

Expert Comment

ID: 39935598
Odd that you're not getting a pop-up, as that would be the default configuration.  There will be no need to change anything on the ADFS proxy.  On the ADFS, in IIS Manager, go to site>adfs>ls, and go to Authentication.  You should have settings as in the screenshot.
[Screenshot: Auth settings]
Author Comment

ID: 39937342
Thanks @footech; Yes, this is exactly the same config on my ADFS server.
LVL 39

Accepted Solution

footech earned 500 total points
ID: 39937962
Then the only reason I can think of right now that you aren't getting the pop-up for Windows Integrated auth is DNS.  I would try adding an entry to your HOSTS file as a test, for "" pointing to the internal IP of the ADFS.  Then run ipconfig /flushdns, and then observe the logon process again.

Author Comment

ID: 39943787
Thanks again for the response... Finally getting back to this :)

I think I tried this, but I might have added a hosts file entry and pointed it to the internal IP address of the ADFS Proxy instead... Your suggestion was to do the same for the internal IP address of our ADFS (not the proxy)? I will give that a shot...

Author Comment

ID: 39943964
@footech -

Thanks much... I added a hosts record to point at the internal IP address for our ADFS server and that did the trick... thanks so much!

As an aside - I am realizing that there is no real difference between an ADFS Proxy and the ADFS Server itself, except for maybe the config database? Interesting.

Know of any really good books on ADFS? :)

LVL 39

Expert Comment

ID: 39944037
Since the host file worked, I would take that to mean that the DNS doctoring isn't doing what you want it to.

There are a couple caveats with using Windows Integrated authentication.  If you have Extended Protection for Authentication enabled on the ADFS, you can't use Chrome to authenticate to O365.  If you really want to use Chrome, then you either need to set Extended Protection for Authentication to disabled on the ADFS in IIS Manager (go to site/adfs/ls > authentication > windows authentication > advanced settings > set to "off"), or you can run the following on a client.
reg add HKLM\System\CurrentControlSet\Control\Lsa /v SuppressExtendedProtection /t REG_DWORD /d 1 /f


Firefox works with it set to "Allowed" (in IIS).  I haven't tried what works when it is set to "Required".

Here's the settings that need to be configured for IE and Firefox.
a. IE – add site “” to Local Intranet zone.  Make sure “Enable Integrated Windows Authentication” is checked under Advanced Options.
b. Firefox – go to “about:config”, type in “auth” to narrow the list, double-click the entry “network.automatic-ntlm-auth.trusted-uris” to edit and enter “”

Sorry, I'm not familiar with any books on ADFS.  The ADFS and ADFS proxy are pretty alike.  Just a little difference in the IIS config, and the config of ADFS software itself.
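The checks footech walks through in this thread (the HOSTS-file DNS test in the accepted solution, the IE Local Intranet zone mapping, and the SuppressExtendedProtection client value) can be verified from a client in one pass. The following PowerShell script is an added example, not code from the thread; the FQDN and internal IP are placeholders, and the IE zone lookup assumes the per-user ZoneMap key (a domain-policy mapping would live under HKLM instead).

```powershell
# Added diagnostic (not from the thread): verify the client-side prerequisites for
# Windows Integrated auth against the internal ADFS server, as discussed above.
param(
    [string]$AdfsFqdn       = 'sts.corp.example',   # placeholder: federation service FQDN
    [string]$AdfsInternalIp = '10.0.0.5'            # placeholder: internal IP of ADFS (not the proxy)
)

# 1. DNS: the FQDN must resolve to the internal ADFS, not the proxy's public/DMZ IP.
$resolved = @((Resolve-DnsName -Name $AdfsFqdn -Type A -ErrorAction SilentlyContinue).IPAddress)
if ($resolved -contains $AdfsInternalIp) {
    Write-Output "OK   DNS: $AdfsFqdn -> $($resolved -join ', ')"
} else {
    Write-Output "FAIL DNS: $AdfsFqdn -> $($resolved -join ', ') (expected $AdfsInternalIp)"
}

# 2. HOSTS file: report a leftover test entry so it is not mistaken for working DNS doctoring.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsHit  = Select-String -Path $hostsPath -Pattern "^\s*[\d\.]+\s+$([regex]::Escape($AdfsFqdn))\b"
if ($hostsHit) { Write-Output "INFO HOSTS override present: $($hostsHit.Line.Trim())" }

# 3. IE Local Intranet zone: ZoneMap\Domains\<domain>\<host> with https = 1 (zone 1 = Intranet).
$parts     = $AdfsFqdn.Split('.')
$domainKey = ($parts | Select-Object -Last 2) -join '.'
$hostKey   = ($parts | Select-Object -SkipLast 2) -join '.'
$zonePath  = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domainKey"
if ($hostKey) { $zonePath = Join-Path $zonePath $hostKey }
$zone = (Get-ItemProperty -Path $zonePath -Name https -ErrorAction SilentlyContinue).https
if ($zone -eq 1) { Write-Output "OK   IE zone: $AdfsFqdn is mapped to Local Intranet" }
else             { Write-Output "WARN IE zone: $AdfsFqdn not mapped to Local Intranet (value: $zone)" }

# 4. Extended Protection client override from the thread (only relevant to the Chrome case).
$lsa = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' `
        -Name SuppressExtendedProtection -ErrorAction SilentlyContinue
if ($lsa.SuppressExtendedProtection -eq 1) {
    Write-Output "INFO SuppressExtendedProtection=1: EPA suppressed on this client"
} else {
    Write-Output "INFO SuppressExtendedProtection not set: EPA enforced (Chrome fails if ADFS requires it)"
}
```

Run it as the logged-on user whose browser is being tested, since the IE zone mapping in step 3 is read from HKCU.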

Author Comment

ID: 39944060
@footech -

Thanks. Actually, the DNS doctoring is doing exactly what it was configured to do, but what it was configured to do, it seems, is not entirely correct :)

The DNS doctoring deals with the fact that I do not have an internal DNS zone for this particular domain, so when I query public DNS for, the DNS doctoring sees that request (which is pointed to the public IP address of the ADFS proxy), and gives me the internal IP address of that same server - the ADFS Proxy server.

Anyway, I still likely have some config issues to work out in both ADFS and with our Cisco ASA, but alas.

I keep thinking that I should change it all to just have DirSync sync passwords as well, removing the requirement for ADFS, but something tells me keeping ADFS around can be useful for future SSO opportunities - SFDC... Taleo... etc. :)

Thanks so much!
