ADFS 2.0 (for office365) configuration questions

Hi all,
Ok - so I apologize in advance - this is a few questions rolled up into one - but here goes...

We have an Office365 E subscription. It's been set up for a while now, and working well. We have DirSync and ADFS set up for "SSO", which works. However, I am not sure if it works in the best possible manner.

We have ADFS deployed on our local LAN here. One ADFS server and one ADFS Proxy server (in a DMZ). However, for the domain that we have federations setup for, we do not have internal DNS, only external. This domain is configured in AD as a UPN suffix, and all users use it. For example, our AD domain is:
NetBIOS Name: Internal
AD FQDN Domain:

The UPN we are using is just
We do not have internal DNS for the CORP.COM domain.

So, when ADFS was set up, and we created the external DNS record for, we ended up implementing DNS doctoring on our Cisco firewall to deal with it. So, it has always been that I have a consistent experience whether on site or remote; when I open a browser and navigate to
1. Land at the Office365 Login Page; I put in my username
2. Get redirected to, and enter my credentials
3. Get redirected back to the Office365 resource.

As I said, this works just fine. However, I am "learning" that if I am on the local LAN, I should not have to go through all of that. I should be authenticated more seamlessly (i.e. not have to see both the Office365 login screen and the STS login screen)? Is this true?
footech Commented:
Then the only reason I can think of right now that you aren't getting the pop-up for Windows Integrated auth is DNS.  I would try adding an entry to your HOSTS file as a test, for "" pointing to the internal IP of the ADFS.  Then run ipconfig /flushdns, and then observe the logon process again.
It can be true.

For users on the local LAN and for the ADFS proxy in your DMZ, "" should resolve to the internal IP of the ADFS.  For everyone else (i.e. the internet), "" should resolve to the public IP that gets directed to your ADFS proxy.

The process that you're seeing above is forms-based authentication, which is what the ADFS proxy uses.  If you use Windows Integrated authentication, then it is possible to skip entering credentials on the forms page.  The ADFS proxy cannot use Windows Integrated authentication, but the ADFS can.  Furthermore, your browser has to be configured to trust the FQDN "" to pass on the credentials automatically, otherwise you will still get a prompt for credentials (just not the forms page).
nacAdminAuthor Commented:
Thanks for the response @footech

So, the first part of your response:
For users on the local LAN and for the ADFS proxy in your DMZ, "" should resolve to the internal IP of the ADFS.  For everyone else (i.e. the internet), "" should resolve to the public IP that gets directed to your ADFS proxy.
... We do achieve this with the DNS doctoring I mentioned - so external clients resolve to the public IP, and internal LAN clients to the internal IP.

The second part of your response - I am not sure if I understand completely (what the experience could be...

So, if I am on the local LAN, and I navigate to
1. On the portal sign-in page, I enter my user name ""
2. I am redirected to the page, but - with the proper config - integrated auth happens, and I am directed back to the Office365 resource.

If everything is set up properly, is this an achievable end result? Or did I misunderstand?


So when you enter a user at, and then go to enter the password it says "Redirecting".  If you actually get redirected to another page in the browser to enter credentials, that is forms-based auth.  But if you get a pop-up to enter credentials, that is Windows Integrated auth.  I'm not clear on which one you are currently experiencing (particularly with internal clients).

If you're not getting the second one, then some adjustments need to be made.

When you have Windows Integrated auth. allowed, and the browser properly configured, then the process is:
1. On the portal sign in page, I enter my user name "".  After it says "Redirecting"
2. the browser automatically passes the credentials of the logged on user and you arrive at the OWA page.
nacAdminAuthor Commented:
@footech -

Sorry if I wasn't clear...

I am not getting any pop-ups for integrated auth at any point; I only get the forms auth based page from ADFS Proxy (when internal and external).

So, aside from configuring my browser, would there be anything I have to do on ADFS Proxy?

Odd that you're not getting a pop-up, as that would be the default configuration.  There will be no need to change anything on the ADFS proxy.  On the ADFS, in IIS Manager, go to site>adfs>ls, and go to Authentication.  You should have settings as in the screenshot.
[Screenshot: Auth settings]
nacAdminAuthor Commented:
Thanks @footech; Yes, this is exactly the same config on my ADFS server.
nacAdminAuthor Commented:
Thanks again for the response... Finally getting back to this :)

I think I tried this, but I might have added a hosts file entry and pointed it to the internal IP address of the ADFS Proxy instead... Your suggestion was to do the same for the internal IP address of our ADFS (not the proxy)? I will give that a shot...
nacAdminAuthor Commented:
@footech -

Thanks much... I added a hosts record to point at the internal IP address for our ADFS server and that did the trick... thanks so much!

As an aside - I am realizing that there is no real difference between an ADFS Proxy and the ADFS Server itself, except for maybe the config database? Interesting.

Know of any really good books on ADFS? :)

Since the host file worked, I would take that to mean that the DNS doctoring isn't doing what you want it to.

There are a couple caveats with using Windows Integrated authentication.  If you have Extended Protection for Authentication enabled on the ADFS, you can't use Chrome to authenticate to O365.  If you really want to use Chrome, then you either need to set Extended Protection for Authentication to disabled on the ADFS in IIS Manager (go to site/adfs/ls > authentication > windows authentication > advanced settings > set to "off"), or you can run the following on a client.
reg add HKLM\System\CurrentControlSet\Control\Lsa /v SuppressExtendedProtection /t REG_DWORD /d 1 /f


Firefox works with it set to "Allowed" (in IIS).  I haven't tried what works when it is set to "Required".

Here's the settings that need to be configured for IE and Firefox.
a. IE - add site "" to Local Intranet zone. Make sure "Enable Integrated Windows Authentication" is checked under Advanced Options.
b. Firefox - go to "about:config", type in "auth" to narrow the list, double-click the entry "network.automatic-ntlm-auth.trusted-uris" to edit and enter ""

Sorry, I'm not familiar with any books on ADFS.  The ADFS and ADFS proxy are pretty alike.  Just a little difference in the IIS config, and the config of ADFS software itself.
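Added diagnostic, not from the thread or from footech: a PowerShell script that runs the checks discussed in this reply and in the earlier one about split DNS and Windows Integrated auth, from an internal Windows client. It reports which IP the federation service name resolves to, whether the /adfs/ls endpoint challenges with Negotiate/NTLM (the ADFS server) or serves the forms page (the proxy), and the client-side SuppressExtendedProtection value. The FQDN and internal IP are placeholders; the endpoint check is a heuristic based on the IIS authentication settings described above.

```powershell
# Added diagnostic, not from the thread. Placeholder values: $AdfsFqdn and $ExpectedInternalIp.
$AdfsFqdn           = 'sts.example.com'   # placeholder: the federation service FQDN
$ExpectedInternalIp = '10.0.0.10'         # placeholder: internal IP of the ADFS server, not the proxy

function Test-AdfsInternalDns {
    param([string]$Fqdn, [string]$InternalIp)
    # Same resolver path the browser uses: hosts file first, then DNS (or the firewall's doctoring).
    $ips = [System.Net.Dns]::GetHostAddresses($Fqdn) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString }
    [pscustomobject]@{ Resolved = $ips; PointsAtAdfs = ($ips -contains $InternalIp) }
}

function Get-AdfsAuthScheme {
    param([string]$Fqdn)
    # Anonymous GET against the passive endpoint. With Windows Integrated auth enabled in IIS,
    # the ADFS server answers 401 with WWW-Authenticate: Negotiate/NTLM; the proxy (anonymous in
    # IIS, forms-based sign-in) answers without such a challenge.
    $req = [System.Net.HttpWebRequest]::Create("https://$Fqdn/adfs/ls/")
    $req.AllowAutoRedirect     = $false
    $req.UseDefaultCredentials = $false    # do not answer a challenge, only observe it
    try   { $resp = $req.GetResponse() }
    catch [System.Net.WebException] {
        if (-not $_.Exception.Response) { throw }   # no HTTP response at all (TLS, connection)
        $resp = $_.Exception.Response
    }
    $status    = [int]$resp.StatusCode
    $challenge = [string]$resp.Headers['WWW-Authenticate']
    $resp.Close()
    if ($status -eq 401 -and $challenge -match 'Negotiate|NTLM') {
        return "Windows Integrated ($challenge): request reached the ADFS server"
    }
    return "HTTP $status with no Negotiate/NTLM challenge: forms-based, likely the ADFS proxy"
}

function Get-ClientEpaSetting {
    # The reg add in the thread sets this value to 1 to work around EPA with Chrome.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $v = (Get-ItemProperty -Path $key -Name SuppressExtendedProtection -ErrorAction SilentlyContinue).SuppressExtendedProtection
    if ($null -eq $v) { return 'SuppressExtendedProtection not set (EPA in effect; Chrome may fail WIA)' }
    return "SuppressExtendedProtection=$v"
}

$dns = Test-AdfsInternalDns -Fqdn $AdfsFqdn -InternalIp $ExpectedInternalIp
"DNS:  $AdfsFqdn -> $($dns.Resolved -join ', ') (points at the ADFS server: $($dns.PointsAtAdfs))"
"Auth: $(Get-AdfsAuthScheme -Fqdn $AdfsFqdn)"
"EPA:  $(Get-ClientEpaSetting)"
```

Run it once before and once after the hosts-file or split-DNS change; the DNS line should flip to the ADFS server's IP and the Auth line from the forms result to a Negotiate/NTLM challenge.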
nacAdminAuthor Commented:
@footech -

Thanks. Actually, the DNS doctoring is doing exactly what it was configured to do, but what it was configured to do, it seems, is not entirely correct :)

The DNS doctoring deals with the fact that I do not have an internal DNS zone for this particular domain, so when I query public DNS for, the DNS doctoring sees that request (which is pointed to the public IP address of the ADFS proxy), and gives me the internal IP address of that same server - the ADFS Proxy server.

Anyway, I still likely have some config issues to work out in both ADFS and with our Cisco ASA, but alas.

I keep thinking that I should change it all to just have DirSync sync passwords as well, removing the requirement for ADFS, but something tells me keeping ADFS around can be useful for future SSO opportunities - SFDC... Taleo... etc. :)

Thanks so much!
Question has a verified solution.