ADFS Woes

We have implemented ADFS for a few federated cloud services.  It works great internally.  Our federated partner sites log users in seamlessly as expected, without requiring a username or password.  It passes the user directly into his or her online profile.  Flawless.

However, the experience breaks down a bit when logging into the same services externally.  Instead, in order for the user to sign in, I have to disable "automatic login" for trusted/intranet sites and instead select "prompt for username and password."

Is there anyone out there with more ADFS savvy than I, who can tell me if transparent login can be configured for a domain-joined laptop that is being used remotely to access federated resources?  Or will my laptop users be forced to disable automatic login so they can work remotely?  

Does anybody have any suggestions for how to tackle this issue?  Right now, I've basically had to force laptop users to enter their username and password to access these sites, even inside the office, so their access also works outside.  Since I'm very new to ADFS, I'm not sure if a cached network login on a remote domain-joined laptop will be able to authenticate as it does when on the domain.  Evidence certainly doesn't point to the contrary at this point.

Help!
NateR78 Asked:

JonathanSpitfire (Senior Solutions Engineer) Commented:
Hi NateR78!

The short answer is no, not really....however, it kinda depends....so....maybe.

When connecting over the Internet, you're hitting a Proxy, not your ADFS servers directly (assuming your configuration is set up properly). BY DEFAULT the Proxy uses FBA, which means the user will have to login interactively.

However....it is possible to set up TLS, but this is an all or nothing proposition, and introduces complexity. ALL of your users will have to have the correct certificate on their machine....but if they have more than one cert in their store they will be prompted to choose the correct cert.

You could have your user use VPN or DirectAccess to connect as though you are internal, but then that defeats the purpose of having a Proxy in front of ADFS, and introduces a step, which likely would require authentication.....so why do it if you have to authenticate anyway?


Here's a Microsoft blog that goes into WAY more detail. To be honest I don't know anything more about the TLS setup for ADFS because I've never done it. I don't need to, and my users are fine with logging in when they are outside the network.

TechNet Blogs - More information about SSO experience when authenticating via ADFS

Hope this helps,

Jonathan
NateR78 (Author) Commented:
I can live with users who are remote having to enter their username and password.  However, when those users come to the office, I would like them to not be required to do that.  I haven't quite figured out how to accomplish this... the option "Automatic login only in Intranet zone" seems to imply exactly what I'm trying to do.  That said, when that setting is enabled, automatic login works when on the local network, but user gets "page cannot be displayed" when NOT on the local network.  When "prompt for username and password" is enabled, it works both inside and outside the office, but requires a user to do that in both scenarios.

What am I missing??
JonathanSpitfire (Senior Solutions Engineer) Commented:
Are your internal domain and your external domain names the same, or are they different?

eg: contoso.com versus contoso.corp

Also, what OS version and IE version are your clients running?

Have you installed and tested the Microsoft Online Services Sign-In Assistant?

If they are NOT running Office 2013, (Office 2013 does not require this to be done, only 2010 and lower require it), I would suggest that you run the Office 365 desktop setup to configure the desktop applications and install required updates, which also updates the Microsoft Online Services Sign-In Assistant installation package. If Microsoft Online Services Sign-In Assistant hasn't been installed, it will be installed while running the Office 365 desktop setup.

To run the Office 365 desktop setup, sign into Office 365 portal (https://portal.microsoftonline.com/) with the Office 365 ID, and then click the upper-right corner Settings>Office 365 Settings>Software>desktop setup>set up.

Hope this helps,

Jonathan
NateR78 (Author) Commented:
We have differing internal and external domains.  This is not for Office 365, but other third-party services (Mimecast, ShareFile, and Net Documents are the main ones).
JonathanSpitfire (Senior Solutions Engineer) Commented:
Understood. It is sounding like a client side issue (Internet Explorer security settings. By the way - what version are you using? Or are you trying to use a different browser?)

I'm betting you have, but I'm gonna ask anyway - have you followed the guidance in these articles? The one for Citrix explicitly states that the authentication should be silent. (very end of the document)

Mimecast - Enable ADFS SAML Single Sign-On Authentication

Citrix - Configure ShareFile Single Sign-On with ADFS

NetDocuments Federated Identity Deployment Guide

Hope this helps,

Jonathan
footech Commented:
You do have both an ADFS Proxy and internal ADFS, correct?

Check out the web.config file located under C:\inetpub\adfs\ls
On the ADFS Proxy, you should have a section for authentication types like this.
  <microsoft.identityServer.web>
    <localAuthenticationTypes>
      <add name="Forms" page="FormsSignIn.aspx" />
      <add name="TlsClient" page="auth/sslclient/" />
      <add name="Basic" page="auth/basic/" />
    </localAuthenticationTypes>
  </microsoft.identityServer.web>

On the ADFS it should be
  <microsoft.identityServer.web>
    <localAuthenticationTypes>
      <add name="Integrated" page="auth/integrated/" />
      <add name="Forms" page="FormsSignIn.aspx" />
      <add name="TlsClient" page="auth/sslclient/" />
      <add name="Basic" page="auth/basic/" />
    </localAuthenticationTypes>
  </microsoft.identityServer.web>


Internal users should only reach the internal ADFS and use Windows Integrated auth (with the browser configured correctly credentials will be passed silently, with the browser not configured you should get a Windows prompt for credentials).  External users should reach the ADFS Proxy and use FBA - entering credentials in a webpage vs. in a Windows prompt.
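To check the two web.config files footech describes without eyeballing them, here is an added PowerShell helper (not from this thread or from Microsoft) that reads the localAuthenticationTypes list and compares its first entry, which AD FS 2.0 uses as the default handler, against the expected type for the server's role. The path C:\inetpub\adfs\ls\web.config and the element names come from the post above; the function name and the Role parameter are this example's own.

```powershell
# Added example: verify the default local authentication type on an AD FS 2.0 server.
# Assumptions: web.config lives at the path footech quoted, and AD FS 2.0 treats the
# FIRST <add> under <localAuthenticationTypes> as the default authentication handler.
function Test-AdfsLocalAuthOrder {
    param(
        [Parameter(Mandatory)][ValidateSet('Proxy', 'Internal')][string]$Role,
        [string]$Path = 'C:\inetpub\adfs\ls\web.config'
    )

    [xml]$cfg = Get-Content -Path $Path -Raw
    $node = $cfg.configuration.'microsoft.identityServer.web'.localAuthenticationTypes
    if (-not $node) { throw "localAuthenticationTypes not found in $Path" }

    # Names in the order they appear; the first one is what the server offers by default.
    $names = @($node.add | ForEach-Object { $_.name })

    # Proxy should default to Forms (FBA for Internet clients);
    # internal server should default to Integrated (silent Windows auth for domain clients).
    $expected = if ($Role -eq 'Proxy') { 'Forms' } else { 'Integrated' }

    [pscustomobject]@{
        Role     = $Role
        Order    = ($names -join ' > ')
        Default  = $names[0]
        Expected = $expected
        Ok       = ($names[0] -eq $expected)
        # A proxy that lists Integrated at all will offer Windows auth to Internet
        # clients instead of a forms page, so flag it separately.
        Warn     = ($Role -eq 'Proxy' -and ($names -contains 'Integrated'))
    }
}

# Run once on each box (hypothetical usage):
#   Test-AdfsLocalAuthOrder -Role Proxy
#   Test-AdfsLocalAuthOrder -Role Internal
```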

JonathanSpitfire (Senior Solutions Engineer) Commented:
Good post footech. My original post stated the assumption that a proxy was in play, but I never came out and point blank asked the question.

If a proxy is not in play, or if the proxy is misconfigured, then that would explain the issue as well.

Thanks for adding that info, it's good stuff.

Jonathan
NateR78 (Author) Commented:
Thanks for the explanation.  This solved my problem!  Much appreciated.