Article ID: 2535789 - View products that this article applies to.
When you try to set up Active Directory Federation Services (AD FS) in a "firewall-published" configuration, non-browser clients can't authenticate by using a federated user account. However, a client computer that resides on the on-premises network can successfully authenticate to a Microsoft cloud service such as Office 365, Microsoft Azure, or Microsoft Intune by using a federated user account.
The firewall-published configuration uses a firewall device, such as Microsoft Threat Management Gateway (TMG), to reverse proxy the AD FS Federation Service directly to the Internet. For more information about how to configure AD FS in a firewall-published configuration, see the following Microsoft Knowledge Base article:
2510193Additionally, when the non-browser client tries to authenticate to the on-premises AD FS Federation service endpoint name, such as https://sts.contoso.com/adfs/ls/, one or more of the following issues occurs:
(http://support.microsoft.com/kb/2510193)Supported scenarios for using AD FS to set up single sign-on in Office 365, Azure, or Intune
This issue occurs when the service requirements for publishing AD FS through a firewall limit a client device’s HTTP access to the AD FS Federation service. In this case, one or more of the following conditions are true:
Disable Extended Protection Authentication for AD FS
Extended Protection Authentication (EPA) is a feature that's used by AD FS to detect man-in-the middle attacks. When a firewall is proxying the connection to the AD FS server, EPA may identify the firewall proxy as an attack. For information about how to disable this feature, see the following Microsoft Knowledge Base article:
2461628Firewall proxy rule configuration may be limiting connectivity
(http://support.microsoft.com/kb/2461628)A federated user is repeatedly prompted for credentials during sign-in to Office 365, Azure, or Intune
Note The following information is only advisory and may help resolve the problem, but it's offered without guarantee:
Still need help? Go to the Office 365 Community
(http://community.office365.com/)website or the Azure Active Directory Forums
Article ID: 2535789 - Last Review: December 12, 2014 - Revision: 28.0