Publish Mysite with ADFS and WAP 2019

Sheldon D'souza 96 Reputation points
2021-11-27T15:09:09.737+00:00

Our previous environment had SharePoint 2013 Publishing Portal and Mysite Site Collection on the Same Web Application.

What we did then was to create SPN for the SharePoint Application Pool Service Account and add it under the Delegation tab of the Web Application Proxy Server. After that, we configured Non-Claims Aware Rule for the SharePoint URL in ADFS and created an ADFS Authenticated Publishing Rule for SharePoint Portal in the WAP Server.

SharePoint Site was extended and the extended site had authentication changed from NTLM to Kerberos. Both SharePoint 2013 and MySite worked Externally.

Currently, we have the following Separate Web Applications:

  1. SharePoint 2019 Communication Site Collection (Extended with Kerberos Authentication and ADFS Non Claims Aware and WAP ADFS Authentication Publishing Rule Created)
  2. MySite Host Site Collection

Want to publish Mysite via ADFS and WAP. (Mysite is on another Web Application.)

Have added the MySite SPNs to the Application Pool Account that runs both SharePoint Portal and My Site. I have also created a Non-Claims Aware Rule for My Site too in ADFS.

I have extended the Mysite with Kerberos Authentication and have an external DNS record for the Mysite Host created. But do I have to create an ADFS Authenticated Publishing rule for Mysite in WAP? If I do this, would the user have to log in to another ADFS Login Page? Is this the right way, or should I just use a Passthrough Rule?

Have used the following guide: http://www.sharepoint4developers.net/en-nz/post/wap-adfs-sp2013-kerberos.aspx (However the WAP Rule for Mysite is not mentioned)...


3 answers

  1. Allen Xu_MSFT 13,521 Reputation points
    2021-11-29T07:17:03.43+00:00

    Hi @Sheldon D'souza ,

    As I don't have an environment which integrates with ADFS and WAP, I am not able to have a test on my side for you. You can open a ticket with Microsoft, experts there will give you instant help and professional suggestions.


  2. Pierre Audonnet - MSFT 9,976 Reputation points Microsoft Employee
    2021-11-29T23:14:52.09+00:00

    When publishing a non-claim aware application with WAP you need to:

    • Create a non claim aware relying party trust in ADFS
    • Create a publication for the site in the WAP console (referencing this relying party trust) using ADFS pre-authentication.

    There are some examples here: https://learn.microsoft.com/en-us/windows-server/remote/remote-access/web-application-proxy/publishing-applications-using-ad-fs-preauthentication
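    The two steps above, plus the SPN and delegation setup the question describes, as one PowerShell sequence. This is an added example, not code from the thread or from Microsoft's documentation; the host name, service account, WAP computer name, relying party name and certificate thumbprint are placeholders, and each command runs on the server noted in its comment.

```powershell
# Added example; assumed placeholder values:
#   mysite.contoso.com    host name of the MySite Host web application (external and internal)
#   CONTOSO\svc_spapp     application pool service account running both web applications
#   WAP01                 computer account of the Web Application Proxy server
#   'MySite Host (WAP)'   name of the non-claims-aware relying party trust
$Host_    = 'mysite.contoso.com'
$SvcAcct  = 'svc_spapp'
$WapHost  = 'WAP01'
$RpName   = 'MySite Host (WAP)'
$CertThumb = '<THUMBPRINT-OF-EXTERNAL-CERT>'   # placeholder, replace before use

# 1. Domain-joined admin box with RSAT: register the HTTP SPN for the MySite host on the app pool account.
setspn -S "HTTP/$Host_" "CONTOSO\$SvcAcct"

# 2. Same box: let only the WAP computer delegate to that SPN (the "Delegation" tab in ADUC),
#    with protocol transition so the pre-authenticated user can be impersonated to Kerberos.
Set-ADComputer -Identity $WapHost -Add @{ 'msDS-AllowedToDelegateTo' = "HTTP/$Host_" }
Set-ADAccountControl -Identity "$WapHost$" -TrustedToAuthForDelegation $true

# 3. ADFS server: the non-claims-aware relying party trust for the MySite host.
#    Authorization rule permits all authenticated users; tighten it to a group claim if needed.
$PermitAll = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
Add-AdfsNonClaimsAwareRelyingPartyTrust -Name $RpName `
    -Identifier "https://$Host_/" `
    -IssuanceAuthorizationRules $PermitAll

# 4. WAP server: publish the MySite host with ADFS pre-authentication (not pass-through),
#    so unauthenticated requests never reach SharePoint and the same ADFS session
#    already established for the portal is reused (no second login prompt).
Add-WebApplicationProxyApplication -Name 'MySite Host' `
    -ExternalPreauthentication ADFS `
    -ExternalUrl "https://$Host_/" `
    -ExternalCertificateThumbprint $CertThumb `
    -BackendServerUrl "https://$Host_/" `
    -ADFSRelyingPartyName $RpName `
    -BackendServerSPN "HTTP/$Host_"

# Check: the published application should list ADFS pre-auth and the expected SPN.
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalUrl, ExternalPreauthentication, BackendServerSPN -AutoSize
```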


  3. Sheldon D'souza 96 Reputation points
    2021-12-16T19:36:26.973+00:00

    Found out that you do need to create a WAP Publishing Rule for Mysites too. As far as the authentication goes, since both SharePoint and MySites are on separate Web Applications, will the external user need to authenticate twice, firstly for the SharePoint Site and secondly for the MySite Employee Profile? The answer to that is no, as once the user is authenticated via ADFS, access to both SharePoint Portal and Mysites is granted via SSO.
