This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 22%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESD%3C/text%3E%3C/svg%3E)
Our previous environment had SharePoint 2013 Publishing Portal and Mysite Site Collection on the Same Web Application.
What we did then was to create SPN for the SharePoint Application Pool Service Account and add it under the Delegation tab of the Web Application Proxy Server. After that, we configured Non-Claims Aware Rule for the SharePoint URL in ADFS and created an ADFS Authenticated Publishing Rule for SharePoint Portal in the WAP Server.
SharePoint Site was extended and the extended site had authentication changed from NTLM to Kerberos. Both SharePoint 2013 and MySite worked Externally.
Currently, we have the following Separate Web Applications:
Want to publish Mysite via ADFS and WAP. (Mysite in on another Web Application)
Have added the MySite SPNS to the Application Pool Account that runs both SharePoint Portal and My Site. I have also created a Non-Claims Aware Rule for My Site too in ADFS.
I have extended the Mysite with Kerberos Authentication and have an external DNS record for the Mysite Host created But do I have to create an ADFS Authenticated Publishing rule for Mysite in WAP? If I do this, would the user have to login into another ADFS Login Page? Is this the right way? or should I just use a Passthrough Rule?
Have used the following guide: http://www.sharepoint4developers.net/en-nz/post/wap-adfs-sp2013-kerberos.aspx (However the WAP Rule for Mysite is not mentioned)...
Hi @Sheldon D'souza ,
As I don't have a environment which integrates with ADFS and WAP, I am not able to have a test on my side for you. You can open a ticket with Microsoft, experts there will give you instant help and professional suggestions.
----------
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
When publishing a non-claim aware application with WAP you need to:
There are some examples here: https://learn.microsoft.com/en-us/windows-server/remote/remote-access/web-application-proxy/publishing-applications-using-ad-fs-preauthentication
I have created a Non-Claim Relying Party Trust for both the SharePoint Web Application and the My Site Web Application
Also created the Publication for the SharePoint Web Application and MySite Web Application in the Web Console with ADFS Pre-Auth
We are waiting for the Public Record Creation from our ISP, but what I wanted to know is since both SharePoint and MySites are on separate Web Applications, will the external user need to authenticate twice, firstly for the SharePoint Site and Secondly for the MySite Employee Profile. (Will the user get 2 ADFS Login Pages?)
Found out that you do need to create a WAP Publishing Rule for Mysites too. Whereas the authentication goes, since both SharePoint and MySites are on separate Web Applications, will the external user need to authenticate twice, firstly for the SharePoint Site and Secondly for the MySite Employee Profile. The answer to that is no, as once the user is authenticated via ADFS, access to both SharePoint Portal and Mysites is granted via SSO.