3 thoughts on “AD FS Extranet Lockout: a case of the unintended pun”

  1. Excellent blog in general. Are there real cases where WAP is not necessary to get AD FS 3.0 working in a web SSO scenario? I recently had a customer that I had to strongly convince that WAP was a requirement, but wondered (because I was remote and not configuring the infrastructure myself) if that was necessarily the case. Thanks in advance.

    1. Often companies feel safer knowing their AD FS is behind some sort of security device, be it a third-party component, the WAP or a combination of the two. In large enterprise environments, I’ve seen SSL connections terminated numerous times before they actually reach the AD FS farm, hitting edge load balancers, reverse proxies, DMZ load balancers, web application firewalls, front load balancers, WAP nodes and back-end load balancers; in a couple of cases all of these :-). The WAP as a component adds value in AD FS terms because it allows us to contextualize authentication... is the request from inside/outside, and can we elicit an access decision based on that claim? Should we allow that decision to be made by a third-party gateway? That’s possible, but that typically lives outside of the claims/authentication context as an arbitrary yes/no decision.

      I’ve seen the argument that you don’t need a WAP and that an AD FS server/farm can be Internet facing, but it’s not something I subscribe to... If you have a limited scenario where only internal clients are able to leverage AD FS, then perhaps a WAP is not necessary, on the basis that AD FS is not reachable on the Internet... it requires a certain amount of belligerence, but if someone argues to the contrary, then they need to be a decision-maker, ultimately accountable, or otherwise I’d ask for a waiver... “Give ’em enough rope” as they say…
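
The reply above describes the inside/outside context the WAP gives AD FS: proxied requests carry the x-ms-proxy claim, from which AD FS derives the insidecorporatenetwork claim, and an issuance authorization rule can then decide access on it. The following is an added example, not code from the original post or its author, showing how that decision is expressed on an AD FS 3.0 (Windows Server 2012 R2) farm. The relying party name "Claims App" and the chosen lockout threshold and window are assumptions for illustration; the claim types and cmdlets are the standard AD FS ones.

```powershell
# Added example, not from the original post. Assumes an AD FS 3.0 farm with at least
# one registered WAP and a hypothetical relying party trust named "Claims App".
# Run in an elevated PowerShell session on an AD FS server.

Import-Module ADFS

$rpName = 'Claims App'   # hypothetical relying party trust name (assumption)

# The WAP stamps requests it forwards with x-ms-proxy; AD FS sets
# insidecorporatenetwork to "false" for those and "true" for requests that reached
# the farm directly. Without a WAP neither claim distinguishes extranet traffic,
# so an "outside" decision cannot be made in the claims pipeline at all.
$insideClaim = 'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork'
$mfaClaim    = 'http://schemas.microsoft.com/claims/authnmethodsreferences'
$permitClaim = 'http://schemas.microsoft.com/authorization/claims/permit'

# Issuance authorization rules for the relying party, evaluated in order:
#   1. permit requests that did not traverse the WAP (intranet)
#   2. permit extranet requests only when the session carries an MFA method reference
# A request matching neither rule is denied, because no permit claim is issued.
$authzRules = @"
@RuleName = "Permit requests that did not come through the WAP"
c:[Type == "$insideClaim", Value == "true"]
 => issue(Type = "$permitClaim", Value = "true");

@RuleName = "Permit extranet requests only when MFA was performed"
c1:[Type == "$insideClaim", Value == "false"]
 && c2:[Type == "$mfaClaim", Value == "http://schemas.microsoft.com/claims/multipleauthn"]
 => issue(Type = "$permitClaim", Value = "true");
"@

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $authzRules

# Confirm what is now applied to the trust.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules

# Extranet lockout (the topic of the post) is the other place the WAP context matters:
# AD FS only counts bad-password attempts that arrive through the WAP, so the setting
# is inert on a farm with no proxy. Threshold and window below are assumed values.
Set-AdfsProperties -EnableExtranetLockout $true `
                   -ExtranetLockoutThreshold 10 `
                   -ExtranetObservationWindow (New-TimeSpan -Minutes 30)

Get-AdfsProperties | Select-Object EnableExtranetLockout, ExtranetLockoutThreshold, ExtranetObservationWindow
```

Keep the extranet lockout threshold below the AD account lockout threshold in the domain password policy; otherwise the AD lockout fires first and the soft lockout at the WAP boundary adds nothing.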

