Non-browser clients can't sign in after you set up AD FS in a "firewall-published" configuration
The firewall-published configuration uses a firewall device, such as Microsoft Threat Management Gateway (TMG), to reverse proxy the AD FS Federation Service directly to the Internet. For more information about how to configure AD FS in a firewall-published configuration, see the following Microsoft Knowledge Base article:
- You're repeatedly prompted to log on (more than three times) without a successful authentication.
- Access is denied, even though you enter valid Active Directory credentials.
- "403 page not found" errors occur.
- Extended Protection for Authentication (EPA) may not be disabled on the AD FS Federation Server farm.
- Firewall reverse proxy rule features may have been enabled that disrupt normal AD FS connection and functionality.
Extended Protection for Authentication (EPA) is a feature that AD FS uses to detect man-in-the-middle attacks: it binds the Windows authentication exchange to the TLS channel on which it arrives. When a firewall is reverse-proxying the connection to the AD FS server, the proxy terminates the client's TLS session and opens its own session to AD FS, so the channel-binding token that the client presents doesn't match the channel that AD FS sees, and EPA may identify the firewall proxy as an attack. For information about how to disable this feature, see the following Microsoft Knowledge Base article:
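The following PowerShell is an added example, not part of this article or of the Knowledge Base article it refers to. It shows how to inspect the EPA token check on an AD FS 2.0 federation server and relax it so that a TLS-terminating reverse proxy no longer trips the check. It assumes the AD FS 2.0 PowerShell snap-in is available on the server and that the AD FS Windows service name is `adfssrv`; the farm-wide verification loop at the end uses a constructed server list.

```powershell
# Added example (not from the KB article): inspect and, if needed, relax the
# Extended Protection token check on an AD FS 2.0 federation server that sits
# behind a TLS-terminating reverse proxy such as TMG.
# Assumptions: AD FS 2.0 snap-in is installed; run in an elevated session on
# the federation server.

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

function Get-EpaTokenCheck {
    # Returns the current ExtendedProtectionTokenCheck value (Require, Allow or None).
    (Get-ADFSProperties).ExtendedProtectionTokenCheck
}

function Set-EpaTokenCheckForReverseProxy {
    # 'Require' makes AD FS reject Windows authentication whose channel-binding
    # token does not match the TLS channel AD FS itself terminated. A reverse
    # proxy that terminates TLS produces exactly that mismatch for every client,
    # which is the "access denied / repeated prompts" symptom in this article.
    $current = Get-EpaTokenCheck
    Write-Host "Current ExtendedProtectionTokenCheck: $current"

    if ($current -eq 'Require') {
        # 'None' turns the check off. This removes the man-in-the-middle
        # protection EPA provides, so the trusted proxy must be the only TLS
        # endpoint in front of AD FS and the only path from the Internet to
        # the federation servers.
        Set-ADFSProperties -ExtendedProtectionTokenCheck None
        Write-Host "ExtendedProtectionTokenCheck set to None"

        # Assumption: the AD FS 2.0 service is named adfssrv; restart it so the
        # new setting takes effect on this node.
        Restart-Service -Name adfssrv
    }

    # Return the value after the change so the caller can verify it.
    Get-EpaTokenCheck
}

function Test-EpaTokenCheckOnFarm {
    # Confirm the effective value on every federation server in the farm.
    # The server names below are constructed placeholders.
    param([string[]] $Servers = @('ADFS01.corp.example', 'ADFS02.corp.example'))

    foreach ($server in $Servers) {
        $value = Invoke-Command -ComputerName $server -ScriptBlock {
            Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
            (Get-ADFSProperties).ExtendedProtectionTokenCheck
        }
        Write-Host ("{0}: ExtendedProtectionTokenCheck = {1}" -f $server, $value)
    }
}

Set-EpaTokenCheckForReverseProxy
Test-EpaTokenCheckOnFarm
```

Run it once on the federation server behind the proxy, then use the farm check to confirm every node reports the same value; a single node still set to `Require` reproduces the intermittent sign-in failures described above whenever the load balancer sends a client there.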
Note: The following information is only advisory and may help resolve the problem, but it's offered without guarantee:
- Firewall proxy rule configuration may be limiting connectivity.
- Three specific firewall rule features will alter AD FS traffic in transit. On the reverse proxy rule that allows access to AD FS from the Internet, disable the following features:
- Link translation: http://technet.microsoft.com/en-us/library/cc995120.aspx
- Verify normalization: http://technet.microsoft.com/en-us/library/cc995081.aspx
- Block high bit characters: http://technet.microsoft.com/en-us/library/cc995081.aspx
Note: This step applies to Forefront Threat Management Gateway (TMG) server. However, be aware that other firewall servers may also support these features.
- To troubleshoot TMG configuration problems, go to the following Microsoft websites:
- Configure Web Publishing Rules for a Single Internal Pool (http://technet.microsoft.com/en-us/library/gg429712.aspx)
- Microsoft Forefront Threat Management Gateway Best Practices Analyzer Tool (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=8aa01cb0-da96-46d9-a50a-b245e47e6b8b#QuickDetails)
Article ID: 2535789 - Last Review: 12/12/2014 03:59:00 - Revision: 28.0