This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 4%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEP%3C/text%3E%3C/svg%3E)
We're having a weird issue. I've configured my AD FS WAP for use with Office 365. I use split DNS with internal DNS pointing to the AD FS server and external DNS pointing to the AD FS WAP which is on a DMZ domain in my DMZ. The Office 365 RCA says it's configured correctly.
I can use a browser and authenticate corrected (via portal.office.com, which redirects to adfs.mydomain.com). This only works from inside my network.
Externally, I get the adfs.mydomain.com login page and when I enter my password, the page reloads. If I enter an incorrect password, I get the error that the password was incorrect. I get the same behavior from Office Applications (like Excel) when I attempt to register them.
Initially I got the same odd behavior internally when I used any browser besides IE. I resolved this by setting the WIASupportedUserAgents to allow Chrome and Firefox. Now I have that same behavior externally from any browser. This feels like I need to modify the external Agent string, but I'm not sure which command to use as get-adfs* doesn't work in powershell on the WAP.
Please help!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 24%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3E9%3C/text%3E%3C/svg%3E)
Which IP address get you if you run nslookup adfs.domain.com on your WAP, internal oder external?
Which operatation system you use for AD FS and WAP servers? Especially for Windows Server 2012(R2) with AD FS 3.0 it exist some updates, which must be installed.
Did you check the claim rule and their access control already?
Double check your current AD FS configuration for Office 365 with follow blog articles:
https://simpleitpro.com/index.php/2018/08/24/step-by-step-o365-configuration-for-single-sign-on-with-adfs-2016-2/
http://www.thatlazyadmin.com/configure-adfs-office-365/
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(160, 45%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEP%3C/text%3E%3C/svg%3E)
Thank you for your reply.
The WAP returns the internal address for AD FS. (We have a forwarder for our DMZ domain DNS server that points to our internal domain DNS server for the .mydomain.com zone)
I am using Windows server 2012R@ for both AD FS and WAP.
I am not sure what you mean by "check the claim rule and their access control". Please explain.
I'd suspect that you use custom certificates (as opposed as the default self-signed) and that the Token Encrypting certificate you use in your ADFS deployment does not have the proper KeySpec. If the KeySpec is not set to 1 (AT_KEYEXCHANGE), you can't use Form Based Authentication as ADFS can't encrypt stuff. This will fail because ADFS used that certificate in the process. It will just loop. This certificate is not used when you use Windows Integrated Authentication. Hence you don't have the problem internally. And you fixed the internal clients using Form Based Authentication thanks to WIASupportedUserAgents.
Anyhow, run the following PowerShell cmdLets on your primary ADFS server to determine the KeySpec of your Token Decrypting cert:
$cert = (Get-AdfsCertificate -CertificateType Token-Decrypting).Thumbprint
certutil -v -store My $cert | Where-Object {$_ -like "*KeySpec*"}
If the output is not:
KeySpec = 1 -- AT_KEYEXCHANGE
Then we found our problem. And we can fix it by re-importing the certificate. You would delete from the store (you can use the MMC) and re-import it with specifying the KeySpec like:
certutil -importpfx Token-Decrypting.pfx AT_KEYEXCHANGE
Let us know! 🤞
Any updates?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 77%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
It’s odd - we’re having the same issue. At least for us the key spec shows correctly
And do you see an event 4624 in the Security logs of your ADFS servers for the successful attempts?
We resolved our issue - it was caused by restrictions on allowed Kerberos encryption types set by local security policy on the ADFS server via "Network security: Configure encryption types allowed for Kerberos".
If I remember we were seeing both event 4624 coupled with event 4625 and system log showed Kerberos errors related to unsupported encryption type.
Are you sure it was the same problem though? Didn't you have an error message telling you the password was wrong regardless of the password (good or bad) you provided?
In EJPennymanIII-3230's case, there is an error message when you provide a bad password but there is no error message when you provided the right password. Just looping to the FBA page.