ADFS/WAP publish application using CBA

cthivierge 4,056 Reputation points
2020-12-03T14:41:23.317+00:00

Hi,

I have the following configuration (on-prem only):
ForestA (Windows 2016 FFL). This domain has an ADFS farm with a WAP (all 2016).
ForestB (Windows 2016 FFL). This domain has a web server (IIS 2016) configured with Windows Authentication.

There is an internal CA in ForestA that is added to the NTAuthCA of both forests.

There is a two-way trust between ForestA and ForestB (forest-wide authentication).

I have a client that is stand-alone (not a member of any domain) and has a client certificate issued by the internal CA in ForestA. Should this client be able to access the web server in ForestB through the ADFS/WAP using certificate authentication?

ADFS is configured with certificate authentication (external and internal).
I have added a claim rule to map the user principal name with the UPN.

WAP is publishing the web site using pre-auth ADFS (Web and MSOFBA). It has to be this because the WAP in pass-through cannot forward the client certificate to the web site.

Even after this, when I try to connect using certificate auth., I receive an IIS error 500. From the network traces on the WAP, I can see the Kerberos error KDC_ERR_POLICY.

This should point to constrained delegation between domains, which is not supported, but I have configured it using resource-based constrained delegation...

Am I missing something?

Thanks!


Accepted answer
  1. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2020-12-04T00:48:59.72+00:00

    My understanding is that WAP always terminates the TLS tunnel and as such a CBA authentication cannot take place through a WAP publication.

    You could convert the application to Kerberos and then do a CBA between the clients and WAP and do RBCD with the backend service.


1 additional answer

  1. cthivierge 4,056 Reputation points
    2020-12-04T02:53:31.257+00:00

    Thanks @Pierre Audonnet - MSFT, I do have the same understanding of the WAP and actually, it makes sense.

    By the way, I have the same issue if I configure using forms authentication. So it's not an issue with the certificate authentication but more related to a double-hop authentication between two domains.

    I will try to configure RBCD with the IIS server and we will see ;)

    Thanks!

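The setup the accepted answer suggests and the follow-up says it will try (WAP doing Kerberos to the backend after ADFS pre-authentication, with resource-based constrained delegation configured on the ForestB web server), as an added PowerShell example that is not part of the original thread. All host names, the relying party name, the external URL and the DC names are assumptions for illustration; the app pool is assumed to run as Network Service, so the backend SPN belongs to the web server's computer account. The two-way forest trust from the question is taken as already in place.

```powershell
# Added example (not from the original thread). Assumed names:
#   ForestA (forestA.local): WAP host wap01, DC dc01.forestA.local
#   ForestB (forestB.local): IIS host web01, DC dc01.forestB.local
#   App pool on web01 runs as Network Service (SPN on the computer account).
# Run with an account that can write web01's attributes in ForestB and read
# wap01 in ForestA; step 4 runs on the WAP host itself.

Import-Module ActiveDirectory

$wapHost     = 'wap01'
$forestADc   = 'dc01.forestA.local'
$webHost     = 'web01'
$forestBDc   = 'dc01.forestB.local'
$backendSpn  = 'HTTP/web01.forestB.local'
$externalUrl = 'https://app.forestA.local/'
$rpName      = 'Intranet Web App'            # assumed ADFS relying party name
$extCertThumbprint = 'REPLACE-WITH-THUMBPRINT' # cert for app.forestA.local on WAP

# 1. The backend SPN has to sit on the account the IIS app pool really runs as.
#    For Network Service that is the computer account web01$. A missing or
#    duplicated SPN gives a Kerberos failure before delegation is even tried.
$web = Get-ADComputer -Identity $webHost -Server $forestBDc -Properties servicePrincipalName
if ($web.servicePrincipalName -notcontains $backendSpn) {
    Set-ADComputer -Identity $web -Server $forestBDc -ServicePrincipalNames @{ Add = $backendSpn }
}

# 2. RBCD is configured on the *resource* (web01 in ForestB): it lists the
#    front-end accounts allowed to delegate to it. The front end is the WAP
#    computer account in ForestA, so resolve it against a ForestA DC; the
#    cmdlet stores its SID in msDS-AllowedToActOnBehalfOfOtherIdentity.
#    Assumption: the cross-forest object is accepted as-is; if not, pass the
#    SID-bearing object returned by Get-ADComputer explicitly as shown.
$wap = Get-ADComputer -Identity $wapHost -Server $forestADc
Set-ADComputer -Identity $web -Server $forestBDc -PrincipalsAllowedToDelegateToAccount $wap

# 3. Check what the ForestB KDC evaluates before honouring WAP's S4U2Proxy
#    request: wap01 from ForestA must appear in this list. This is the first
#    thing to verify when the WAP trace shows the backend ticket request failing.
Get-ADComputer -Identity $webHost -Server $forestBDc `
    -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object Name, PrincipalsAllowedToDelegateToAccount

# 4. Publish through WAP with ADFS pre-authentication and the backend SPN.
#    With a backend SPN set, WAP requests a Kerberos ticket for the
#    pre-authenticated user (KCD via S4U2Proxy) and presents it to IIS;
#    the client certificate itself never reaches IIS, which is why
#    pass-through publishing cannot be used here.
Add-WebApplicationProxyApplication `
    -Name $rpName `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName $rpName `
    -ExternalUrl $externalUrl `
    -ExternalCertificateThumbprint $extCertThumbprint `
    -BackendServerUrl 'https://web01.forestB.local/' `
    -BackendServerAuthenticationSPN $backendSpn
```

If the IIS app pool runs as a domain or group managed service account instead of Network Service, steps 1 to 3 target that account (`Get-ADUser`/`Set-ADUser` or `Get-ADServiceAccount`/`Set-ADServiceAccount` with the same `-PrincipalsAllowedToDelegateToAccount` parameter) rather than the computer object, because delegation is evaluated against the account that owns the SPN.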