Publish SharePoint to internet via WAP / ADFS

Sibylla 1 Reputation point
2020-12-09T13:08:58.127+00:00

Hello together,

We are going to publish a SharePoint website (on-premises) to the WWW via Microsoft Web Application Server / ADFS. Question: WAP is redirecting the request to the ADFS login and the URL changes. Can this be avoided? We don't want to change the URL; we would like to have the whole request as one URL from the WAP. Many thanks in advance!

Microsoft 365 and Office | SharePoint Server | For business
Microsoft Security | Active Directory Federation Services

4 answers

  1. Echo Du_MSFT 17,316 Reputation points
    2020-12-10T01:52:24.42+00:00

    Hello @Sibylla ,

    Please follow these steps to publish a SharePoint site externally using Web Application Proxy (WAP):

    Step1 Configure SharePoint Web Applications to use Kerberos authentication

    Step2 Install and Configure WAP and AD FS

    Step3 Create a non-claims aware relying party trust

    • When the ADFS and WAP servers have been built, the next step involves configuring ADFS so that the authentication of external users from the Internet against your SharePoint web applications can be handled.
    • Follow these steps:

    1) Within the ADFS Management console click Add Non-Claims-Aware Relying Party Trust on the left hand side of the screen.
    2) Click Start on the first page and then enter a name such as "Non-claims provider for SharePoint".
    3) In the Add Non-Claims-Aware Relying Party Trust Wizard, on the Welcome page, click Start.
    4) On the next page click Next, and when prompted to enter a relying party trust identifier, enter any URL (it really doesn't matter what this is, but it is useful for it to be something you recognize).
    5) Click Next, Next, Next and finish, and when the Edit Claim Rules window appears, click Add rules.
    6) On the Edit Claim Rules click Add Rule, and from the drop down select Permit All Users and then click Next and then Finish.


    Step4 Configure constrained delegation

    Step5 Publish SharePoint Web Applications in WAP

    Step6 Verify external access to SharePoint Web Applications

    For more information, please refer to the article below:

    Thanks,
    Echo Du

    ======================

    If an Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    2 people found this answer helpful.

  2. Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee
    2020-12-09T18:32:05.333+00:00

    There are different ways to integrate with SharePoint.

    1. You can configure SharePoint to use ADFS for authentication instead of Windows Integrated Authentication. It has some effects, as it changes the way the people picker works. And probably other side effects.
    2. You can publish Sharepoint as a Kerberos application through WAP (aka Non claim aware application in ADFS/WAP).

    For the second option, the URL can (even should) be the same. It would be a split-brain DNS situation.

    • When users are connected on-prem, the URL of your Sharepoint server will point to the IP address of your Sharepoint server (or load balancers).
    • When users are connected on the Internet, the URL of your Sharepoint server will point to the public IP address of your WAP server (or servers behind a load balancer).

    It has some requirements you can find here: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-non-claims-aware-relying-party-trust

    1 person found this answer helpful.
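The six-step procedure in Echo Du's answer above (Kerberos SPN, WAP/AD FS install, non-claims-aware relying party trust, constrained delegation, publishing, verification), with the external and backend URLs kept identical as Pierre Audonnet's split-brain DNS note requires, written out as the PowerShell an administrator would run. This is an added example, not code from the thread or from Microsoft's documentation. The host names (sharepoint.contoso.com, fs.contoso.com, WAP01), the service account CONTOSO\svc-spweb, the trust name and the certificate subject filter are assumptions chosen for illustration; each block is run on the server named in its comment.

```powershell
# Added example (not from the thread). All names below are assumptions for illustration.
$SiteUrl   = "https://sharepoint.contoso.com/"   # same URL inside and outside (split-brain DNS)
$Spn       = "HTTP/sharepoint.contoso.com"       # Kerberos SPN of the SharePoint web application
$AppPool   = "CONTOSO\svc-spweb"                 # account the SharePoint app pool runs as (assumed)
$WapServer = "WAP01"                             # WAP computer account (assumed)
$FsName    = "fs.contoso.com"                    # federation service name (assumed)
$RpName    = "SharePoint (non-claims-aware)"     # relying party trust name (assumed)

# --- Step 1 (any domain-joined host as a domain admin): register the SPN for Kerberos ---
# -S refuses to create a duplicate SPN; a duplicate silently breaks Kerberos for the site.
setspn -S $Spn $AppPool
setspn -L $AppPool                                # verify: the HTTP SPN must appear exactly once

# --- Step 2 (WAP server): install the role and register it with AD FS ---
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
$FsThumb = (Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -like "*$FsName*" } | Select-Object -First 1).Thumbprint
Install-WebApplicationProxy -FederationServiceName $FsName `
    -FederationServiceTrustCredential (Get-Credential -Message "AD FS admin") `
    -CertificateThumbprint $FsThumb

# --- Step 3 (AD FS server): non-claims-aware relying party trust with a permit-all rule ---
# The identifier only has to be unique; using the site URL keeps it recognisable.
Add-AdfsNonClaimsAwareRelyingPartyTrust -Name $RpName -Identifier $SiteUrl `
    -IssuanceAuthorizationRules '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
Get-AdfsNonClaimsAwareRelyingPartyTrust -Name $RpName | Select-Object Name, Identifier, Enabled

# --- Step 4 (domain controller): Kerberos constrained delegation for the WAP computer account ---
# WAP impersonates the pre-authenticated user towards SharePoint. External users hold no
# Kerberos ticket, so protocol transition ("use any authentication protocol") is required.
# Keep the delegation list limited to this SPN; never enable unconstrained delegation on WAP.
Import-Module ActiveDirectory
Set-ADComputer -Identity $WapServer -Add @{ 'msDS-AllowedToDelegateTo' = $Spn }
Set-ADAccountControl -Identity "$WapServer$" -TrustedToAuthForDelegation $true
Get-ADComputer -Identity $WapServer -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation, msDS-AllowedToDelegateTo

# --- Step 5 (WAP server): publish the site with AD FS pre-authentication ---
$SiteThumb = (Get-ChildItem Cert:\LocalMachine\My |
              Where-Object { $_.Subject -like "*sharepoint.contoso.com*" } | Select-Object -First 1).Thumbprint
Add-WebApplicationProxyApplication -Name "SharePoint" `
    -ExternalPreauthentication ADFS `
    -ExternalUrl $SiteUrl `
    -BackendServerUrl $SiteUrl `
    -ExternalCertificateThumbprint $SiteThumb `
    -ADFSRelyingPartyName $RpName `
    -BackendServerAuthenticationSPN $Spn

# --- Step 6 (WAP server): verify the published application ---
Get-WebApplicationProxyApplication -Name "SharePoint" |
    Select-Object Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication, BackendServerAuthenticationSPN
```

Two points worth checking against this configuration. First, `-ExternalPreauthentication ADFS` is what makes WAP send an unauthenticated browser to the federation service (here fs.contoso.com) for the sign-in form and then back to the site URL; that round trip through the AD FS host name is inherent to AD FS pre-authentication, which is why the browser's address bar shows the AD FS URL during login. Second, the delegation settings are the security-sensitive part: the WAP computer account should be allowed to delegate only to the SharePoint SPN, and `setspn -L` should show that SPN on exactly one account, since a duplicate SPN makes Kerberos fall back in ways that are hard to diagnose.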

  3. Sibylla 1 Reputation point
    2020-12-10T08:10:07.377+00:00

    Hello @Echo Du_MSFT and @Pierre Audonnet - MSFT ,
    thanks a lot for your answers. The authentication via Login is already working.

    But we still have this URL change. The behavior is like in this article https://learn.microsoft.com/en-us/archive/blogs/sambetts/sharepoint-web-application-proxy-2016-edition where you can see that the link changed in the browser to ADFS for the login form
    This is happening for us too. We have a rewriting configured before the proxy and this does not work as the URL changes. If I understand your answers correctly it is possible to keep one URL. Where can this be configured?

    Thank you very much.
    Best regards
    Sibylla


  4. Sibylla 1 Reputation point
    2021-01-07T08:48:47.87+00:00

    Hi @Echo Du_MSFT ,

    I changed the following parts:

    • URL in Non-claims-aware relying party trust identifier
    • Publishing the Application in WAP with the new Relying Party Trust
    • Change the internal certificate to the one with the correct URL

    But it still forwards me to the ADFS URL.
    Any ideas?

    Many thanks!

