
I have the following setup: we use an external, third-party load balancer to forward traffic to one of our two ADFS Proxies (in the DMZ), which in turn forward to one of our two ADFS servers. Internally, SSO works if we point directly to the ADFS servers, but we get a secondary sign-on box when pointing at either the load balancer or the ADFS proxies. Signing in will work, but we're beating our heads against the wall trying to figure out why we're running into this.

Certs all seem to be fine. I'm out of ideas on what we would need to look at. Any suggestions? Thanks in advance.

The ADFS and ADFS Proxies are all Windows Server 2012 R2, fully patched.

Michael Kennedy


The best way for you to get around this is to use smart links for automatic realm detection. Chances are you're directing users to the O365 portal, which does realm detection via the username box (you likely don't need to type anything in the password box, so just put bla@yourdomain.com in the username box and it'll forward you to your SSO/ADFS login page [WAP] on focus change to the password box).

If you create a smart link and host that, you'll find that internally you'll get immediate WIA auth and externally you'll go straight to the WAP.

Great article for it HERE; even though it says ADFS 2.0 it still counts for 3.0, and it goes through the URL rewrite stuff to make your O365 link pretty again too.

Catalyst
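The difference the answer describes (immediate WIA internally, a forms page through the WAP) can be confirmed directly from the HTTP reply each path returns to an unauthenticated browser-like GET: an ADFS server offering Windows Integrated Authentication answers 401 with a `WWW-Authenticate: Negotiate` challenge, which the browser satisfies silently, while a forms sign-in returns a 200 HTML page, which is the extra sign-in box. The script below is an added example, not code from the question, the answer or the linked article. It assumes the WS-Federation sign-in URL `/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline` (the Office 365 relying party identifier) and an IE11-style user agent that ADFS 2012 R2 treats as WIA-capable; the sample responses are constructed, not captured from any real deployment.

```python
import sys
import http.client
from urllib.parse import urlsplit

# WS-Federation sign-in request for the Office 365 relying party; appended to
# each base URL when probing a live endpoint (assumption: the O365 RP is configured).
SIGNIN_PATH = "/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline"

# User agent that ADFS 2012 R2 lists in WIASupportedUserAgents by default
# (Trident/7.0), so an intranet ADFS server will offer Negotiate to it.
WIA_USER_AGENT = "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"

# Constructed sample responses standing in for the three paths in the question:
# (HTTP status, response headers). None of these were captured from a real system.
SAMPLE_RESPONSES = {
    "adfs-direct": (401, {"WWW-Authenticate": "Negotiate, NTLM"}),
    "adfs-proxy": (200, {"Content-Type": "text/html; charset=utf-8"}),
    "load-balancer": (302, {"Location": "https://sts.example.test/adfs/ls/?wa=wsignin1.0"}),
}


def classify(status, headers):
    """Name the sign-in handshake a response to the WS-Fed endpoint represents.

    'wia'      -> 401 + Negotiate/NTLM challenge: browser answers with Kerberos/NTLM,
                  user sees no prompt.
    'forms'    -> 200 HTML page: the username/password box the question describes.
    'redirect' -> 3xx: the hop forwards elsewhere; follow it and classify that reply.
    """
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    challenge = lowered.get("www-authenticate", "")
    if status == 401 and any(s in challenge for s in ("Negotiate", "NTLM")):
        return "wia"
    if status in (301, 302, 303, 307, 308) and "location" in lowered:
        return "redirect"
    if status == 200:
        return "forms"
    return "unknown"


def classify_samples(samples=SAMPLE_RESPONSES):
    """Classify every constructed sample; returns {path-name: handshake}."""
    return {name: classify(status, hdrs) for name, (status, hdrs) in samples.items()}


def probe(base_url, timeout=10):
    """Send one unauthenticated GET to a live base URL (e.g. https://sts.example.test)
    and classify the first reply without following redirects."""
    parts = urlsplit(base_url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        conn.request("GET", SIGNIN_PATH, headers={"User-Agent": WIA_USER_AGENT})
        resp = conn.getresponse()
        # getheader joins repeated WWW-Authenticate values with ", "
        headers = {name: resp.getheader(name) or "" for name, _ in resp.getheaders()}
        resp.read()
        return classify(resp.status, headers)
    finally:
        conn.close()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python probe_adfs.py https://adfs01.example.test https://sts.example.test
        for url in sys.argv[1:]:
            print(f"{url}: {probe(url)}")
    else:
        for name, verdict in classify_samples().items():
            print(f"{name}: {verdict}")
```

Run it once against an internal ADFS server and once against the load-balanced and WAP hostnames from a domain-joined machine; a path that reports `forms` where you expected `wia` is the hop that is producing the second sign-in box, which is the place to apply the smart link (or adjust the intranet zone and WIA settings) rather than the certificates.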