This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 43%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKJ%3C/text%3E%3C/svg%3E)
We have a SharePoint 2016 web site which uses forms based authentication for users. Recently I was asked to implement MFA for the application. I was able to implement Azure application proxy to achieve this. Meaning pre-authentication happens in Azure and once the user gets authenticated he/she will be redirected to the on -premise login page.
1) What are the options available to skip the two login pages and have a single sign on feature.
2) Is there a way to create a azure security token from our login page for each authenticated user and just to have the MFA check only.
( For an instance to call the azure active directory endpoint with the custom created token from code behind)
Any help would be really appreciated.
Would you tell me whether your issue has been resolved or have any update ?
I am looking forward to your reply.
Have a nice day!
Hello, Enable remote access to SharePoint with Azure AD Application Proxy details how to protect your on premise Sharepoint with Azure AD, Azure AD Connect and application proxy, however it requires Windows Integrated Authentication (which relies on Kerberos tickets) and does not support Forms authentication which relies on cookies.
In order to get MFA displayed or requested you have to first input your credentials, you cannot replace this with a security token of any kind.
Please let me know if you need more help. If the answer was helpful to you, please accept it and, optionally, provide feedback so that other members in the community can benefit from it.
Hi anonymous user-msft ,
Thank you very much for the answer. I understand the approach given to enable the single sign on for the windows integrated authenticated user.
The real requirement is to enable for it to our forms based users which is developed using ASP.net membership provider. And I tried with Password-based Sign-On: mode earlier. In that case users had to login twice. Pre authentication with MFA in Azure and then our login page.
That was the reason to ask whether there is a way to perform the pre authentication in our login page first and to redirect to Azure AD next. So the anonymous users also can do the registration in our site.
I feel its not possible from the link you have provided about (Kerberos protocol.) Am I correct on this.
Thank you
Correct, it's not possible.
Hello @Kanishka Jayawardene ,
If you configure Multi-Factor Authentication under Global environment, all users must force use MFA to sign in page.
If you configure Multi-Factor Authentication for each relying party trust, then the corresponding relying party users must use MFA to login in page.
You could refer to the following article:
Thanks,
Echo Du
==================
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.