Here is a quick guide on how to publish and configure the AD FS service through Web Application Proxy (WAP, formerly known as the AD FS proxy). I assume that you already have your AD FS farm instance up and running.
1. AD FS instance installed and configured
2. WAP server with Windows Server 2012 R2 installed, with the server in a workgroup
3. Certificate (in my case sts.monae.info) copied to the WAP server
4. Name resolution working from WAP to the AD FS instance. I used a hosts file to confirm that name resolution works.
When installing the WAP server, launch Server Manager and select Add roles and features.
Configure Pass-Through authentication
“Web Application Proxy also allows pass-through preauthentication, which enables you to publish applications that do not require preauthentication or whose clients do not support the available authentication capabilities”.
When you publish applications through Web Application Proxy, the process by which users and devices are authenticated before they gain access to applications is known as preauthentication. Web Application Proxy supports two forms of preauthentication:
• AD FS preauthentication—When using AD FS for preauthentication, the user is required to authenticate to the AD FS server before Web Application Proxy redirects the user to the published web application. This ensures that all traffic to your published web applications is authenticated.
• Pass-through preauthentication—Users are not required to enter credentials before they connect to published web applications.
Pass-through preauthentication has no impact on whether an application requires users to provide credentials to the application. That is, an application configured with pass-through preauthentication does not require users to enter credentials to get into the corporate network, but may require users to enter credentials to view the application content.
Workplace Join functionality
1. sts.monae.info A record in DNS, pointing to the IP address of the AD FS server (this is needed during AD FS farm installation)
2. enterpriseregistration alias (CNAME) which points to sts.monae.info
3. The AD FS instance needs a certificate which contains the following details (examples from my test lab):
a. Common name – sts.monae.info
b. SAN – sts.monae.info
4. Configure AD FS to allow Device Registration
5. Windows 8.1 client in a workgroup
6. Domain user account which has permission to the application
7. Application which supports claims. I configured my own application with this guidance: http://technet.microsoft.com/fi-fi/library/dn280939.aspx
Perform the following commands with PowerShell on the AD FS server
If a proxy is in use, perform the following command on the proxy servers
My test user doesn’t have to authenticate separately with form-based authentication to AD FS (the application might still require credentials). The reason for this is that I configured the AD FS proxy with “pass-through preauthentication”, and in that case user credentials are not required. “Device Authentication” is also enabled in the AD FS service, and the computer can be identified and joined to the workplace with this new and cool feature.
There were a couple of issues that I want to bring forward. The first one was certificate revocation checking. I was not able to join my laptop to the workplace before I disabled the revocation checking feature in IE (I was getting event ID 102 in the Workplace Join log).
The second one was a device authentication error after the computer was joined to the workplace. It caused the login through the federation servers to fail, and event ID 364 was logged on the AD FS servers. The first line of the “Exception Details” at the end of the event log said: MSIS5000: Authentication of the device certificate failed.
Extended Protection needs to be disabled on the AD FS servers because it is unsupported with Integrated Authentication.
Disabling Extended Protection is done by running this PowerShell command on the primary AD FS server:
After running the command you have to restart all AD FS servers in the farm.
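As an added example (not the post's own command), the following script records the current Extended Protection setting on the primary AD FS server, changes it, and verifies the result; it assumes the ADFS PowerShell module of Windows Server 2012 R2 and an elevated session.

```powershell
# Added example: inspect, change and verify the Extended Protection token
# check on the primary AD FS server. Assumes the ADFS module is present and
# the session runs as administrator on the primary farm node.
Import-Module ADFS

# Possible values are Require (the default), Allow and None.
$before = (Get-AdfsProperties).ExtendedProtectionTokenCheck
Write-Host "ExtendedProtectionTokenCheck before: $before"

if ($before -ne 'None') {
    # None turns off channel-binding token validation for Windows Integrated
    # Authentication, which is the change the post describes as needed for
    # device authentication through the proxy. Keep the previous value noted
    # so it can be restored later.
    Set-AdfsProperties -ExtendedProtectionTokenCheck None
}

$after = (Get-AdfsProperties).ExtendedProtectionTokenCheck
if ($after -ne 'None') {
    throw "Setting was not applied, current value is: $after"
}
Write-Host "ExtendedProtectionTokenCheck after: $after"

# The post restarts every AD FS server in the farm so the new value is picked
# up. Restarting the AD FS service on each node (assumption: sufficient to
# reload the setting) is the lighter alternative; run this on every farm member.
Restart-Service adfssrv
```

Event ID 364 on the AD FS servers is the place to confirm afterwards that the MSIS5000 device certificate failure no longer appears.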