ADFS 2.1 and Authenticating Computer Accounts

Can ADFS be used to authenticate computer accounts? If so, has anyone done this before? I have only used it with user accounts before.

No, ADFS cannot authenticate computer accounts.

Basically, it is used for user authentication from anywhere (external/internal), and the computer account never comes into the picture.
btan (Exec Consultant) commented:
Computer accounts can probably be supported, but it is specific to the implementation and to support by the server/client build (Win2012 and Win8).

ADFS tends to authenticate based on claims using a SAML token. The token will contain the user credential, which uniquely identifies the requestor, rather than the computer account, which is not necessarily unique. So the user account is already supported in most implementations.

However, in an implementation using the ADCS claim in ADFS, computer account attributes in addition to user account attributes from within AD DS can be included in the token. For example, AD DS issued claims can be used with AD FS to access both user and device claims directly from the user's authentication context, rather than making a separate LDAP call to Active Directory. See:
As an extension to the Dynamic Access Control scenario, AD FS in Windows Server 2012 can now:
Access computer account attributes in addition to user account attributes from within AD DS. In previous versions of AD FS, the Federation Service could not access computer account attributes at all from AD DS.

Consume AD DS issued user or device claims that reside in a Kerberos authentication ticket. In previous versions of AD FS, the claims engine was able to read user and group security IDs (SIDs) from Kerberos but was not able to read any claims information contained within a Kerberos ticket.

Transform AD DS issued user or device claims into SAML tokens that relying applications can use to perform richer access control.

Dynamic Access Control is featured in Windows 2012 only, as above. And to add, device claims are supported on Windows 8 clients only. See device claim -
compdigit44 (Author) commented:
So if I am understanding everyone correctly, you can authenticate computer accounts, but only if the source domain is Windows 2012 R2, which supports claims... am I correct?
David Johnson, CD, MVP (Owner) commented:
You need both ends of the puzzle: the computer and the server component that support the additions.
btan (Exec Consultant) commented:
ADFS should already be doing claims-based SAML tokens as it is.
The user account is the main one; the machine account is used as explained previously. As long as Kerberos tokens are involved, the machine account can be considered if required. If not, you are doing it per user, as per the link below, usually.
Normally, if you have a Web Application Proxy (WAP) doing it via Kerberos Constrained Delegation (KCD), you will use the machine account.
compdigit44 (Author) commented:
OK, now I am confused. I know Windows 2012 can use claims and supports computer account attributes. Our domain is Windows 2008 R2 though; I saw Mahesh's post, which stated that it is not supported, and others say it is.

Can a server that is in the DMZ use ADFS to authenticate its computer account in AD internally?
David Johnson, CD, MVP (Owner) commented:
"Our domain is Windows 2008 R2" - not supported. Server 2012 and newer with Windows 8 and newer clients: supported. FFL/DFL must be 2012+.
compdigit44 (Author) commented:
What do you mean by FFL/DFL? It sounds like with my domain controller running 2008 R2 and only some of the affected servers running 2012 R2, I will not be able to do this, correct?
David Johnson, CD, MVP (Owner) commented:
Forest Functional Level
Domain Functional Level

And no, you will not be able to do this. I will repeat yet again: only Server 2012+ and clients Win8+ are supported.
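The prerequisites David lists (forest and domain functional level, domain controller OS version, and whether any AD DS claim types have been defined for Dynamic Access Control) can be checked from a domain-joined admin box before any AD FS work starts. The script below is an added example, not code from the thread or from any of the participants; it assumes the ActiveDirectory RSAT module is installed and that the account running it can read the forest. It only reports, it changes nothing.

```powershell
# Added example (not from the thread): report the AD-side prerequisites
# for consuming AD DS user/device claims in AD FS on Windows Server 2012.
# Assumes the ActiveDirectory RSAT module and read access to the forest.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Functional levels as reported by the AD module (enum names, e.g. Windows2012Forest).
"Forest : {0}  (FFL: {1})" -f $forest.Name, $forest.ForestMode
"Domain : {0}  (DFL: {1})" -f $domain.DNSRoot, $domain.DomainMode

# Every DC that will issue claim-bearing Kerberos tickets must be Server 2012+.
"`nDomain controllers:"
Get-ADDomainController -Filter * |
    Select-Object Name, OperatingSystem, IsGlobalCatalog |
    Format-Table -AutoSize

# AD DS claim types defined in the forest. An empty list means Dynamic Access
# Control has never been configured, so there are no device or user claims
# for AD FS to read out of a Kerberos ticket yet.
"`nAD DS claim types:"
$claimTypes = @(Get-ADClaimType -Filter *)
if ($claimTypes.Count -eq 0) {
    "  (none defined)"
} else {
    $claimTypes |
        Select-Object DisplayName, SourceAttribute, AppliesToClasses |
        Format-Table -AutoSize
}

# Pass/fail against the levels David states are required (2012 or higher).
# The list of accepted enum names is an assumption about the AD module's
# ADForestMode/ADDomainMode values on the systems this is run against.
$levels2012Plus = @('Windows2012', 'Windows2012R2', 'Windows2016')
$fflOk = $levels2012Plus | Where-Object { ([string]$forest.ForestMode).StartsWith($_ + 'Forest') }
$dflOk = $levels2012Plus | Where-Object { ([string]$domain.DomainMode).StartsWith($_ + 'Domain') }

if ($fflOk -and $dflOk) {
    "`nFFL/DFL are 2012 or higher; the AD side meets the level David describes."
} else {
    "`nFFL/DFL are below 2012; per this thread, raise the DCs and functional levels first."
}
```

Run it once on the internal domain, not from the DMZ host: the DMZ server in the original question would still need a 2012+ DC and the Windows 8+/2012+ client-side Kerberos support that David and btan describe, and this script cannot verify the client side.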

compdigit44 (Author) commented:
Thank you for your guidance...
btan (Exec Consultant) commented:
I thought I already mentioned this, that it is Win2012 and Win8 ... I am taken aback by the acceptance:
Computer accounts can probably be supported, but it is specific to the implementation and to support by the server/client build (Win2012 and Win8).