AD FS authentication | Configure primary and fallback methods

Zahid Iqbal (DE) 1 Reputation point
2022-05-31T10:55:49.677+00:00

I would have a question regarding configuring AD FS authentication methods.

Is it possible to configure
(1) only certificate based authentication (CBA) as primary auth method for the users and if there is no (valid) certificate or it fails then
(2) fallback to forms authentication (username+password).

In the end, the end user should only see forms authentication if no certificate was found.
Is this even possible? If yes, how to do this? Any useful PowerShell commands?

Both methods in combination are working fine but not in fallback mode.

Please note that we only have AD FS, meaning no Azure AD CBA, only AD FS CBA.

Microsoft Security Active Directory Federation Services

1 answer

  1. Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee
    2022-06-08T01:22:51.783+00:00

    You can enable both authentication methods and have the users pick one. You cannot configure a fallback natively.

    Starting with Windows Server 2016 AD FS and the alternate host name binding for certificate authentication, you could create some sort of JavaScript which redirects the user to the form. But that would be highly custom and the effectiveness would depend on the type of browser and other racing circumstances which are hard to anticipate (like what if the user is picking a cert but the wrong one etc...).

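The "enable both and let the user pick" configuration from the answer, as an added example that is not part of the thread: it sets certificate and forms authentication side by side as primary methods and checks the result. It assumes it runs on an AD FS server as an AD FS administrator; the provider names are the built-in AD FS identifiers.

```powershell
# Added example (not from the thread): enable certificate and forms authentication
# side by side as primary methods. AD FS then offers the user a choice on the
# sign-in page; it does not fall back from one method to the other.
# Assumes this runs on an AD FS server with AD FS administrator rights.
Import-Module ADFS

# Record the current policy so the change can be reverted if needed.
$before = Get-AdfsGlobalAuthenticationPolicy
"Intranet before: $($before.PrimaryIntranetAuthenticationProvider -join ', ')"
"Extranet before: $($before.PrimaryExtranetAuthenticationProvider -join ', ')"

# Built-in AD FS provider names for CBA and username+password.
$providers = @('CertificateAuthentication', 'FormsAuthentication')

Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryIntranetAuthenticationProvider $providers `
    -PrimaryExtranetAuthenticationProvider $providers

# Verify: both providers must be present in each zone, otherwise stop here
# rather than leave a half-applied policy in place.
$after = Get-AdfsGlobalAuthenticationPolicy
foreach ($zone in 'PrimaryIntranetAuthenticationProvider',
                  'PrimaryExtranetAuthenticationProvider') {
    $missing = $providers | Where-Object { $_ -notin $after.$zone }
    if ($missing) { throw "Zone $zone is missing: $($missing -join ', ')" }
}
"Both methods enabled; users are offered a choice, not a fallback."
```

Run it with an elevated PowerShell on the AD FS server; the zone check fails loudly if a provider was not applied.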
