ADFS 4.0 With IWA for Win2019


Calling all Windows experts :). After a long time of testing, I was able to get ADFS 4.0 working with a third-party application. I can successfully navigate to the third-party application, click login, get redirected to my ADFS federation domain and be prompted for login, log in without issues, and then be logged into the third-party site.

I went through various articles regarding ADFS integration with IWA, and no matter what configuration I make, I continue to get asked for a login, which I do not want.

Brief walkthrough of my current setup. Note, these are not the real names, but I thought naming them would make it easier to give you an idea of how my settings currently are.
ADCS server that just hosts a cert: adcs.dctestdomain.local
Domain controller that hosts a test domain: dc.dctestdomain.local
ADFS server: adfs.dctestdomain.local
Federation server farm: adfs.publicdomain.com

I have followed the following: https://help.hcltechsw.com/domino/11.0.1/admin/secu_creating_the_spn.html
`host/adfs.publicdomain.com dctestdomain.local\SSOTest`
SPN = `http/adfs.publicdomain.com dctestdomain.local\SSOTest`

 https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-iwa
 https://help.hcltechsw.com/domino/11.0.1/admin/secu_enabling_iwa_adfs30.html
`Set-ADFSProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE  9.0", "MSIE 10.0", "MSIE 11.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Mozilla/5.0")`


Made the appropriate changes on the ADFS server and on the VM that is testing the ADFS logins.

Other things I have done: `nslookup -debug adfs.publicdomain.com` shows that there is an A record and not a CNAME.
`(Get-AdfsProperties).WiaEvaluationMethod` returns: WiaUserAgentDetection

`Get-ADObject -LDAPFilter "(|(servicePrincipalName=http/adfs.publicdomain.com)(servicePrincipalName=host/adfs.publicdomain.com))"`

Value shown is somewhere along these lines:

`CN=SSOTest,CN=Managed Service Accounts,DC=omitted,DC=omitted SSOTest msDS-GroupManagedServiceAccount`

  `Set-AdfsProperties -ExtendedProtectionTokenCheck None`

Set the FQDN of the farm in the Intranet zone and selected automatic logon with username and password (also tried "Intranet only"); neither works. Set "Automatically detect intranet network".

Set the public domain name in the Trusted sites zone and applied the same settings for testing purposes. There is no load balancer.

Every time I get redirected from the third-party site, I still have to log in to ADFS. Does anyone know what the problem may be? For security reasons, I did not provide real domains or account names, but I think I have provided the best possible info. If you need more, please let me know. Any help would be greatly appreciated.


There are 0 answers
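The following is an added diagnostic written for this page; it is not code from the question or from any answer. It gathers in one run the IWA prerequisites the question walks through one at a time (WIA user-agent list, WiaEvaluationMethod, extended protection, A record versus CNAME, SPN ownership, the account the AD FS service runs as) and adds a client-side read of the Internet Explorer zone map and Intranet-zone logon policy. The farm name adfs.publicdomain.com is the placeholder from the question; the service name adfssrv, the registry paths and the meaning of the 1A00 logon value are standard Windows facts; the layout and output format are this example's own assumptions.

```powershell
# Added example: one pass over the IWA prerequisites listed in the question.
# Assumptions: run elevated on the AD FS server with the ADFS and ActiveDirectory
# modules installed; $FarmFqdn is the placeholder farm name from the question.
$FarmFqdn = 'adfs.publicdomain.com'

Import-Module ADFS
Import-Module ActiveDirectory

function Test-AdfsIwaServerSide {
    param([string]$Fqdn)
    $props = Get-AdfsProperties

    # 1. How AD FS decides whether to answer a browser with a Negotiate challenge.
    "WiaEvaluationMethod         : $($props.WiaEvaluationMethod)"
    "ExtendedProtectionTokenCheck: $($props.ExtendedProtectionTokenCheck)"
    "WIASupportedUserAgents      :"
    $props.WIASupportedUserAgents | ForEach-Object { "    $_" }

    # 2. The farm name must be an A record. With a CNAME the client derives the
    #    SPN from the CNAME target, which no account holds.
    $dns = Resolve-DnsName -Name $Fqdn -ErrorAction Stop
    $dns | Select-Object Name, Type, IPAddress, NameHost | Format-Table -AutoSize
    if ($dns | Where-Object Type -eq 'CNAME') { Write-Warning "$Fqdn resolves via a CNAME" }

    # 3. Exactly one account may hold http/<farm>. Balanced-parenthesis LDAP
    #    filter; AD compares servicePrincipalName case-insensitively.
    $filter = "(|(servicePrincipalName=http/$Fqdn)(servicePrincipalName=host/$Fqdn))"
    $owners = @(Get-ADObject -LDAPFilter $filter -Properties servicePrincipalName)
    $owners | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize
    if ($owners.Count -ne 1) {
        Write-Warning "Expected one SPN owner, found $($owners.Count); duplicate SPNs break Kerberos"
    }

    # 4. The SPN must be on the identity the AD FS service actually runs as;
    #    otherwise the KDC issues a ticket the service cannot decrypt.
    $svc = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
    "adfssrv runs as             : $($svc.StartName)"
    $runAs = ($svc.StartName -split '\\')[-1].TrimEnd('$')   # gMSA names end in '$'
    if ($owners.Name -notcontains $runAs) {
        Write-Warning "SPN holder(s) '$($owners.Name -join ',')' differ from service identity '$runAs'"
    }
}

# Run this part on the test client, as the user who performs the login:
# the zone map and logon policy are per-user (HKCU) unless set by GPO.
function Test-IwaClientZone {
    param([string]$Fqdn)
    $labels = $Fqdn.Split('.')
    $leaf   = $labels[0]
    $parent = $labels[1..($labels.Length - 1)] -join '.'
    $zoneMap   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    $zoneNames = @{ 1 = 'Intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted' }

    # A host-specific entry (Domains\publicdomain.com\adfs) wins over a
    # whole-domain entry (Domains\publicdomain.com); report whichever exists.
    $found = $false
    foreach ($key in @((Join-Path (Join-Path $zoneMap $parent) $leaf), (Join-Path $zoneMap $parent))) {
        if (-not (Test-Path $key)) { continue }
        $entry = Get-ItemProperty -Path $key
        foreach ($scheme in 'https', 'http', '*') {
            if ($null -ne $entry.$scheme) {
                $found = $true
                "$key [$scheme] -> zone $($entry.$scheme) ($($zoneNames[[int]$entry.$scheme]))"
            }
        }
    }
    if (-not $found) { Write-Warning "No explicit zone mapping for $Fqdn; zone is auto-detected" }

    # Logon policy for the Intranet zone (Zones\1, value 1A00):
    # 0 = automatic logon with current user name and password,
    # 0x10000 = prompt, 0x20000 = automatic logon only in Intranet zone,
    # 0x30000 = anonymous.
    $zone1 = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
    if ($null -eq $zone1.'1A00') { Write-Warning '1A00 not set under HKCU; check HKLM / GPO'; return }
    $logon = [int]$zone1.'1A00'
    $logonNames = @{ 0 = 'automatic logon with current credentials'; 0x10000 = 'prompt';
                     0x20000 = 'automatic logon only in Intranet zone'; 0x30000 = 'anonymous' }
    'Intranet zone logon (1A00)  : 0x{0:X} ({1})' -f $logon, $logonNames[$logon]
}

Test-AdfsIwaServerSide -Fqdn $FarmFqdn
# On the client VM:  Test-IwaClientZone -Fqdn $FarmFqdn
```

Two caveats worth keeping in mind when reading the output. First, once "Mozilla/5.0" is in WIASupportedUserAgents, essentially every browser, including ones arriving from the Internet, will receive a Negotiate challenge, so the user-agent list is no longer what distinguishes the test client; the decisive evidence is on the wire: the request to /adfs/ls/ should come back 401 with WWW-Authenticate: Negotiate, and `klist` on the client should then show a ticket for http/adfs.publicdomain.com. Second, the SPN lookup in the question only proves that SSOTest holds the SPN; check 4 above confirms that adfssrv is actually running as that gMSA, which the question does not state.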