Right after the install, every ADFS farm by default has Windows Integrated Authentication explicitly enabled and Forms Based Authentication disabled on the intranet. Below you see a screenshot from ADFS v4.0, and the settings for ADFS v2.x and ADFS v3.0 are similar.
Figure 1: Authentication Methods For The Intranet In ADFS (WIA Enabled And FBA Disabled)
Previously you only had to enable Forms Based Authentication (FBA) for the Intranet in ADFS when you for example used Microsoft CRM Dynamics.
Now with Azure AD playing a very important role in almost every infrastructure, I’m suggesting/recommending to enable FBA by default for the Intranet in ADFS.
Of course you ask: “WHY?”
With Azure AD on the playground you also need FBA for the Intranet in ADFS for the following scenarios:
- Azure AD/MSOnline PowerShell Module
- Azure AD Self-Service Password Reset
Every time you connect to Azure AD using a federated account where a browser based window is opened, FBA will be used. If FBA is not enabled, you will get an error
This problem does not occur if you use a native Azure AD Account, or you use a federated account that is specified in the credentials parameter of the PowerShell CMDlet and is also not enforced for MFA!
Figure 2: Authentication Screen When Using The Azure AD/MSOnline PowerShell Module
Figure 3: Error After Entering Your Federated Account Credentials
Sometimes with Self-Service Password Reset, Azure AD will ask you to reconfirm your password. You may experience this when:
- Navigating to https://myapps.microsoft.com/ with a browser, for which WIA is enabled in ADFS. Logon as you normally do with your corporate desktop/laptop
- Next to your picture, click on “Profile”
- The click on “Set up self service password reset”
- It could be the case, the next screen will say “Confirm you current password”
- Click on “Re-enter my password” and you will be redirected to ADFS and that’s were it will go wrong if FBA is not enabled
In both scenarios you will see the following error in the ADFS Event Log
Figure 4: Error In The ADFS Admin Event Log When FBA (In This Case) Is Not Enabled For The Intranet
Encountered error during federation passive request.
Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException: MSIS7102: Requested Authentication Method is not supported on the STS.
at Microsoft.IdentityServer.Web.Authentication.GlobalAuthenticationPolicyEvaluator.ProcessRequestedAuthMethodsV2(IEnumerable`1 requestedAuthMethods, HashSet`1 globalPolicyAuthProviders, String authProvidersInToken, Boolean& validAuthProvidersInToken)
at Microsoft.IdentityServer.Web.Authentication.GlobalAuthenticationPolicyEvaluator.EvaluatePolicyV2(IList`1 mappedRequestedAuthMethods, IList`1 mappedRequestedACRAuthProviders, AccessLocation location, ProtocolContext context, HashSet`1 authProvidersInToken, Boolean isOnWiaEndpoint, Boolean& validAuthProvidersInToken)
at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.RetrieveFirstStageAuthenticationDomainV2(Boolean& validAuthProvidersInToken)
at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.EvaluatePolicy(Boolean& isLastStage, AuthenticationStage& currentStage, Boolean& strongAuthRequried)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthMethodsFromAuthPolicyRules(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthenticationMethods(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
Therefore: enable FBA for the Intranet in ADFS as soon as you install ADFS. If you want to enabled it later on, make sure first no application is impacted when the “Active Directory” IdP is used.
Figure 5: Authentication Methods For The Intranet In ADFS (WIA Enabled And FBA Enabled)
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########