
Very quick post to set the scene of the ADFS environment I’ll be building up – nothing fancy, just standard ADFS. This post is part of a series; for the series contents see: Azure MFA

1. An external user will hit an ADFS proxy server sitting in the DMZ, which provides an extra layer of security as a middleman between the outside world and the ADFS server itself.
2. The login request will then be passed through to the ADFS server itself.
3. The ADFS server will offload username/password authentication to the local AD server (this is the 1st factor of authentication).
4. It will then offload to the cloud-based MFA Auth Provider for the 2nd factor of authentication.

Steps 1-3 have been around for years with ADFS, but step 4, the ability to offload MFA to the cloud, is new to ADFS 3.0 on Windows Server 2016.

That’s the simplistic view of what we’ll be achieving, but in reality things are a little more complex, due to DNS and SSL cert considerations, which makes the real picture a bit more like this:

- An SSL certificate to secure traffic to the ADFS proxy and to the ADFS server itself.
- Split-brain DNS so that when an external user contacts the ADFS URL () they hit the ADFS proxy, whereas an internal user will hit the ADFS server directly. I’ve used the URL of () but you can choose anything you want.

For an external user, browsing to the ADFS URL should take them to the ADFS proxy, protected by a valid SSL certificate. The user will enter their credentials and the proxy will pass the details to the ADFS server. The ADFS server then offloads the request to AD to authenticate the user with their username/password. Finally the ADFS server offloads to the Azure MFA Auth Provider to prompt the user to authenticate using their 2nd factor. Usually this will be a smartphone app notification from the Microsoft Authenticator app or an SMS message with a code.

For an internal user, the DNS lookup of the ADFS URL will usually be a query to the AD server. That should resolve and take them straight to the ADFS server, protected by a valid SSL certificate. As the user is internal they will have already authenticated against AD (assuming their machine is on the domain), so the first part of the authentication process against AD will happen transparently as single sign-on. Then, just as for the external user, the ADFS server will offload to the Azure MFA Auth Provider to prompt the user to authenticate using their 2nd factor.

You’ll also want to add your ADFS URL () to the local intranet zone in IE. You’ll probably want to set up a proxy exception. Again, Group Policy, or SCCM, will be your friend here. Single sign-on should then just work for browser-based authentication, but for some apps, such as PowerShell, you may also need to install the Microsoft Online Services Sign-in Assistant.
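A quick sanity check for the internal-side prerequisites just described (split-brain DNS pointing at the ADFS server rather than the proxy, a valid SSL certificate, the IE local intranet zone entry and the proxy exception), added here as an example and not part of the original post. It is meant to be run from a domain-joined machine; the hostname and the internal server IP address are placeholders to swap for your own values.

```powershell
# Added example, not from the original post. Checks the internal-side
# prerequisites for ADFS single sign-on from a domain-joined machine.
# $AdfsHost and $InternalAdfsIPs are placeholders: put your own values in.
param(
    [string]$AdfsHost = 'adfs.example.com',       # placeholder ADFS URL host
    [string[]]$InternalAdfsIPs = @('10.0.0.10')   # placeholder: ADFS server IP(s), NOT the DMZ proxy
)
$results = [ordered]@{}

# 1. Split-brain DNS: internally the name must resolve to the ADFS server,
#    not the proxy. The client's resolver is usually the AD DNS server.
$addrs = (Resolve-DnsName -Name $AdfsHost -Type A -ErrorAction Stop).IPAddress
$results['DnsResolvesToAdfsServer'] = @($addrs | Where-Object { $InternalAdfsIPs -contains $_ }).Count -gt 0

# 2. SSL certificate: open a TLS session and inspect the certificate the
#    server presents. The callback only captures it; the real chain check
#    is done explicitly with Verify() below.
$tcp = [System.Net.Sockets.TcpClient]::new($AdfsHost, 443)
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($AdfsHost)
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
$san = if ($sanExt) { $sanExt.Format($false) } else { '' }
$results['CertNameMatches'] = ($san -match [regex]::Escape($AdfsHost)) -or
                              ($cert.Subject -match "CN=$([regex]::Escape($AdfsHost))")
$results['CertChainValid']  = $cert.Verify()     # builds the chain, checks dates and revocation
$results['CertExpires']     = $cert.NotAfter

# 3. The IE "Site to Zone Assignment List" policy (Group Policy) writes the
#    URL under ZoneMapKey; zone 1 = Local intranet, needed for Windows SSO.
$results['InLocalIntranetZone'] = $false
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties |
            Where-Object { $_.Name -like "*$AdfsHost*" -and "$($_.Value)" -eq '1' })) {
        $results['InLocalIntranetZone'] = $true
    }
}

# 4. Proxy exception: the host (or <local>) should be in the IE bypass list.
$ieSettings = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
$bypass = "$($ieSettings.ProxyOverride)" -split ';'
$results['ProxyBypassed'] = ($bypass -contains $AdfsHost) -or ($bypass -contains '<local>')

[pscustomobject]$results
```

If DnsResolvesToAdfsServer comes back false on an internal machine, the client is being sent to the proxy and the AD single sign-on step will not happen transparently.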