ADFS External access - new and trying to find some guides/guidance
For the most part I have ADFS working when accessed internally. However the main purpose for us implementing ADFS was for external access.
We want to have ADFS be the primary authentication method so that employees who have no VPN, or no access to the domain, can still log in to SharePoint. Preferably via PIN prompt. I am looking for some documentation to figure out what route to go for troubleshooting our current configuration.
Browser: Chrome
External access: when I hit url/adfs/ls/idpinitiatedsignon directly (not from SharePoint) and select sign in, it goes right to a username and password prompt instead of PIN.
Username and password are accepted when I enter them.
Now with IE, due to group policy etc., I can force a PIN prompt, but it is not accepted even though I know it is correct. It does not matter if I use an AUTH cert or an email cert; it will not work.
What is the PIN prompt you are talking about? The PIN for smartcard/certificate authentication? Or something else?
Apologies, I posted that question terribly, and was distracted. Yes, for the smart card authentication.
We kind of got thrown into this project; however, to our understanding we could achieve the following.
No VPN between the external user and the SharePoint on-premise server
ADFS could allow us to provide PKI login to the SharePoint
I am assuming the issue is with how my fellow co-worker has configured ADFS/extranet
Assuming smart card authentication and you've enrolled/issued smart cards to your user base, the external ADFS behavior will be impacted according to what Extranet authentication methods have been configured (in this case certificate authentication).
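The extranet authentication methods mentioned above are set per ADFS farm. As an added example (not posted by anyone in this thread), the following ADFS PowerShell cmdlets let an administrator check which primary providers external clients are offered and add certificate authentication if it is missing; it assumes an elevated session on the ADFS server and that the cmdlets' default provider names (`CertificateAuthentication`, `FormsAuthentication`) are in use.

```powershell
# Added example, not from the thread: inspect which primary authentication
# providers ADFS offers to extranet (external) vs intranet clients.
# Assumes an elevated PowerShell session on an ADFS server.
Import-Module ADFS

$policy = Get-AdfsGlobalAuthenticationPolicy
"Intranet primary providers: $($policy.PrimaryIntranetAuthenticationProvider -join ', ')"
"Extranet primary providers: $($policy.PrimaryExtranetAuthenticationProvider -join ', ')"

# If external users only ever see a username/password form, CertificateAuthentication
# is usually absent from the extranet list. Add it alongside FormsAuthentication so
# smart card users get a certificate/PIN prompt while others can still use forms.
if ($policy.PrimaryExtranetAuthenticationProvider -notcontains 'CertificateAuthentication') {
    Set-AdfsGlobalAuthenticationPolicy -PrimaryExtranetAuthenticationProvider @(
        'CertificateAuthentication',
        'FormsAuthentication'
    )
}

# Re-read the policy to confirm the change took effect on this farm.
(Get-AdfsGlobalAuthenticationPolicy).PrimaryExtranetAuthenticationProvider
```

When more than one primary provider is configured for the extranet, the ADFS sign-in page offers the user a choice between them; external certificate authentication also relies on the Web Application Proxy publishing the ADFS certificate authentication port (49443 by default), so that should be checked along with the policy.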
So we had a co-worker explain that we would need SAML to achieve what we were hoping for, but they did stress it was possible. Well, they had some issues and needed to relocate/change jobs before we even got to really dive into this; at that time we were still getting TFS installed.
Cloud has DC (domain controller), ADFS, SP (SharePoint) -> those servers have the ROOT and intermediate certificates (generally pushed via group policy), and for explanation we will call it "domain.com". We have modified AD to have the SAN (Subject Alternative Name) represented, which is "email@example.com", but we also do have the email now available. PLEASE NOTE: neither SAN nor email on end user certificates are based off our domain. They are based off the ROOT CA. (Confusing fun stuff)
End users have smart card readers/cards with client certs issued from those ROOT CAs.