Here is a quick guide how to publish and configure AD FS Service via Windows Application Proxy (WAP, which is former AD FS proxy). I assume that you have your AD FS farm instance up and running.

Pre-requirements
1. AD FS instance installed and configured
2. WAP server W2012 R2 OS installed and server at workgroup
3. certificate (in my case sts.monae.info) copied to WAP server
4. name resolution working from WAP to AD FS instance. I used host-file to confirm name resolution functionality

When installing WAP server launch Server Manager and select Add roles and features

Select Remote Access Role
proxy0.2

Press next until you can select “Web Application Proxy”. Select also needed features to be installed
proxy0.3

When installation of WAP has been finished rest of the configurations will be done with configuration wizard. Select publish from the right corner
proxy1

Select next
proxy2

Configure Pass-Through authentication

“Web Application Proxy also allows pass-through preauthentication, which enables you to publish applications that do not require preauthentication or whose clients do not support the available authentication capabilities”.

When you publish applications through Web Application Proxy, the process by which users and devices are authenticated before they gain access to applications is known as preauthentication. Web Application Proxy supports two forms of preauthentication:

• AD FS preauthentication—When using AD FS for preauthentication, the user is required to authenticate to the AD FS server before Web Application Proxy redirects the user to the published web application. This ensures that all traffic to your published web applications is authenticated.

• Pass-through preauthentication—Users are not required to enter credentials before they connect to published web applications.

Pass-through preauthentication has no impact on whether an application requires users to provide credentials to the application. That is, an application configured with pass-through preauthentication does not require users to enter credentials to get into the corporate network, but may require users to enter credentials to view the application content.

proxy3

Configure AD FS instance details. URLs needs to be same and reachable from internet and from internal Network.
proxy4

Confirm your configuration
proxy5

proxy6

Configuration is ready and your AD FS has been published via Web Application Proxy
proxy7

Workplace Join functionality
Requirements:
1. sts.monae.info A record in DNS (contains IP address of the AD FS server. This is needed during AD FS farm installation)
2. enterpriseregistration Alias (CNAME) which points to sts.monae.info
3. AD FS instance needs certificate which contains following details (examples from my test lab)
a. Common name – sts.monae.info
b. SAN – sts.monae.info
c. enterpriseregistration.monae.info

4. Configure AD FS to allow Device Registration
5. Windows 8.1 client at workgroup
6. Domain user account which has permission to application
7. Application which supports claims. I configured my own application with this guidance http://technet.microsoft.com/fi-fi/library/dn280939.aspx

Perform following commands with PowerShell at AD FS server

Initialize-ADDeviceRegistration (with AD FS Service account). My account is normal user account named svc__adfs, not gMSA
DRS-1

Enable-AdfsDeviceRegistration
DRS-2

Get-AdfsDeviceRegistration & Get-AdfsDeviceRegistrationUpnSuffix – you can see that there are no SSL port and bindings set
DRS-3

Set-AdfsSslCertificate -Thumbprint thumbprint (Thumbprint is tb from sts.monae.info SSL certificate)
DRS-4

Get-AdfsDeviceRegistrationUPNSuffix – Now SSL settings are in place
DRS-5

if Proxy is in use perform following command at Proxy servers
Update-WebApplicationProxyDeviceRegistration

Default inactivation setting (before Computers are removed from Service) is 90 days. I set it to 20 days in my test environment
Set-AdfsDeviceRegistration -MaximumInactiveDays days
DRS-6

It’s time to add workgroup Computer to workplace. Name resolution is working as expected
DRS-7

Computer is now joined to workplace
DRS-8

My test user doesn’t have to authenticate separately with form based authentication to ADFS (application might still require credentials). Reason for this is that I configured AD FS Proxy with “pass-through Pre-authentication” and in that circumstances user credentials are not required. “Device Authentication” is also enabled in AD FS Service and Computer can be identified and joined to Workplace with this new and cool feature.
DRS-9

DRS-10

There were couple of issues that I want to bring forward. First one was certificate revocation checking. I was not able to join my laptop to workplace before I disabled revocation checking feature from IE (I was getting event Id 102 to Workplace Join log).

This can be done from advanced IE settings
DRS-11

Second one was device authentication error after Computer was joined to workplace. It caused the login through the federation servers to fail, and the event id 364 was logged on the ADFS servers. At the end of the event logs “Exception Details” first line it said: MSIS5000: Authentication of the device certificate failed.

Extended Protection needs to be disabled on the ADFS Servers because it is unsupported with Integrated Authentication.

Disabling Extended Protection is done by running this powershell command on the primary ADFS Server:

Set-adfsproperties -extentendedProtectionTokenCheck None
DRS-12

DRS-13

After command you have to restart all AD FS server of the farm