Application integrated with ADFS prompt for credential every time

Mahesh Aralelemath 386 Reputation points
2020-08-05T08:16:46.047+00:00

Hi,

  1. We have an application hosted in cloud infra and it is integrated with ADFS, which is available on-prem.
  2. ADFS Proxy Servers are placed at the front end and NATed with a Public IP.
  3. The application, when accessed from the internal network, is working fine with SSO and not prompting for any additional authentication.
  4. The same application, when accessed from the internet, is prompting for authentication every time with the ADFS page.
  5. Office 365 and Teams, which are also integrated with ADFS, are not having any issue; they are working fine with SSO when accessed from the internal network or the internet.

Appreciate any thoughts on how to fix this behavior.

Regards
Mahesh


Accepted answer
  1. Pierre Audonnet - MSFT 10,181 Reputation points Microsoft Employee
    2020-08-05T12:07:13.027+00:00

    When the user is accessing the ADFS authentication function through a Web Application Proxy (i.e. the ADFS Proxy), it applies a different authentication policy. The default extranet password policy is Form Based Authentication. And the SSO cookie that ADFS delivers (regardless of whether you connect from the Intranet or Extranet) is a session cookie (it will die once you have closed your browser).

    It works when you are connected internally because even if you don't have an SSO cookie, you will have SSO because of Kerberos/NTLM. So you might get a new cookie without knowing.
    It works with Azure AD for other reasons. You might have already gotten a token or have a PRT (on a Windows 10 machine which is Hybrid Azure AD Joined).

    To have fewer prompts externally you could:

    1. Create your trust directly in Azure AD as an Enterprise Application. Even if your app is on-premises.
    2. Change the default authentication policy for extranet logon. This will not give you SSO, but you could opt for certificate based authentication, or Azure MFA as a first sign-in method (as opposed to Azure MFA as a secondary method kicking in after a password based authentication). This will not reduce the prompts, but change their nature. If the user just has to click on a certificate prompt or accept a notification on his/her phone, it might be less "disruptive".
    3. You can enable the Keep Me Signed In feature. This makes the SSO cookie a file/permanent cookie. This is described here. You can configure how long the cookie is valid for. There is a risk: if the user is using a shared computer and doesn't clear the cookies, the next user will take over his/her session.
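The settings the accepted answer refers to (the separate intranet/extranet primary authentication providers, the session-cookie lifetime, and the Keep Me Signed In persistent cookie) can be audited and changed from the ADFS PowerShell module. The script below is an added example, not part of the original answer or of any Microsoft documentation: it uses the real `Get-/Set-AdfsGlobalAuthenticationPolicy` and `Get-/Set-AdfsProperties` cmdlets (the KMSI properties exist on Windows Server 2016 and later ADFS farms only), and the 1440-minute lifetime is an assumed value chosen for illustration.

```powershell
# Added example: audit the ADFS settings behind the behaviour described in the
# answer, then apply options 2 and 3 from it. Run in an elevated PowerShell on an
# ADFS server (Windows Server 2016 or later; EnableKmsi/KmsiLifetimeMins do not
# exist on ADFS 2012 R2). 1440 minutes is an assumed value, not a recommendation.
Import-Module ADFS

# 1. Which primary authentication methods apply on each side of the proxy?
#    A typical result is Forms for Extranet and Windows (Kerberos/NTLM) for Intranet,
#    which is exactly the asymmetry the question describes.
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object PrimaryIntranetAuthenticationProvider,
                  PrimaryExtranetAuthenticationProvider,
                  WindowsIntegratedFallbackEnabled

# 2. Current SSO cookie behaviour: SsoLifetime (minutes) governs the session
#    cookie; EnableKmsi/KmsiLifetimeMins govern the persistent KMSI cookie.
Get-AdfsProperties | Select-Object SsoLifetime, EnableKmsi, KmsiLifetimeMins

# 3. Option 2 from the answer: offer certificate authentication alongside forms
#    on the extranet, so a user with a client certificate is not asked for a
#    password. Certificate authentication must already be configured in the farm.
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryExtranetAuthenticationProvider @('FormsAuthentication', 'CertificateAuthentication')

# 4. Option 3 from the answer: enable Keep Me Signed In with a bounded lifetime.
#    Keep the lifetime short where shared workstations exist: the persistent
#    cookie is what lets the next user of that browser inherit the session.
Set-AdfsProperties -EnableKmsi $true -KmsiLifetimeMins 1440

# Re-read to confirm the change took effect.
Get-AdfsProperties | Select-Object EnableKmsi, KmsiLifetimeMins
```

Step 1 is the quickest way to confirm the diagnosis in the answer: if the extranet provider list contains only `FormsAuthentication` while the intranet list contains `WindowsAuthentication`, a user coming through the proxy will be asked for credentials whenever the session cookie is gone, and nothing else is wrong.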

2 additional answers

  1. Mahesh Aralelemath 386 Reputation points
    2020-08-07T07:00:00.243+00:00

    Hi Pierre Audonnet,

    Thanks a lot for your response. I completely agree with you on the behavior of ADFS when the application/URL is accessed from the internet and authentication is passed through the ADFS Proxy.

    Specific to our case, I would like to share more details as below.

    1. We have an Always On VPN device tunnel for Windows 10 devices.
    2. Users are logging in with AD credentials and getting authenticated by the AD Servers over the AOVPN tunnel.
    3. The internal ADFS Server is directly accessible over the AOVPN tunnel.
    4. The specific application I am referring to is one of the portals, which is accessible over the internet also.
    5. When a user is accessing from a Windows 10 laptop, the AOVPN tunnel is connected and has access to the ADFS Server. I was wondering why this is still not taking a token from ADFS directly rather than going through the ADFS Proxy.

    Now I have 2 queries.

    1. If we need to publish this through an Azure AD Enterprise Application, how can we do this since it is only an organization-specific URL? There is no WebApp or Mobile App.
    2. Assuming it is possible to publish through Azure AD, will it then not prompt for credentials when accessed from a Hybrid Azure AD joined Windows 10 device and an Azure AD registered (Intune MAM) mobile as well?

    Appreciate if you can provide details on this.

    Regards
    Mahesh


  2. Mahesh Aralelemath 386 Reputation points
    2020-08-08T18:04:01.733+00:00

    Thank you for the response again.
    I was just looking for some articles/references to integrate the URL with Azure AD.

    Ex: the URL is https://empbenifit.companyname.com

    Regards
    Mahesh

