chlorderodersflava

ADFS Deep-Dive: How to Use ADFS with Microsoft Web Application Proxy



At this point the WAP will attempt numerous connections to the /adfs/Proxy/GetConfiguration URL with a query string of api-version=2 as seen in the screenshot below. It will receive a 401 back because Fiddler needs a copy of the client certificate to provide to the AD FS server. At this point I let it time out and eventually the setup finished.


Third-party identity providers must support the WS-Trust protocol to enable PRT issuance on Windows 10 or newer devices. Without WS-Trust, a PRT cannot be issued to users on Hybrid Azure AD joined or Azure AD joined devices. On AD FS, only the usernamemixed endpoints are required. Both adfs/services/trust/2005/windowstransport and adfs/services/trust/13/windowstransport should be enabled as intranet-facing endpoints only and must NOT be exposed as extranet-facing endpoints through the Web Application Proxy.




ADFS Deep-Dive



In an AD FS environment, direct line of sight to the domain controller is not required to renew the PRT. PRT renewal requires only the /adfs/services/trust/2005/usernamemixed and /adfs/services/trust/13/usernamemixed endpoints to be enabled on the proxy, using the WS-Trust protocol.
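The two requirements above (usernamemixed published through the proxy for PRT renewal, windowstransport kept intranet-only) can be checked and corrected from the AD FS PowerShell module. The following audit script is an added example, not code from the original post or from Microsoft; it assumes it runs on an AD FS server where the ADFS module is available, that the farm uses the default endpoint paths shown, and that the Get-AdfsEndpoint / Set-AdfsEndpoint cmdlets' AddressPath and Proxy properties are used as documented.

```powershell
# Added example (not from the original post). Assumes the ADFS module is
# installed on this farm node and the default endpoint paths are in use.
Import-Module ADFS

# Expected proxy exposure per endpoint: usernamemixed must be reachable
# through the Web Application Proxy; windowstransport must not be.
$policy = @{
    '/adfs/services/trust/2005/usernamemixed'    = $true
    '/adfs/services/trust/13/usernamemixed'      = $true
    '/adfs/services/trust/2005/windowstransport' = $false
    '/adfs/services/trust/13/windowstransport'   = $false
}

# Compare the live configuration against the policy table.
$findings = foreach ($path in $policy.Keys) {
    $ep = Get-AdfsEndpoint -AddressPath $path
    [pscustomobject]@{
        AddressPath   = $path
        Enabled       = $ep.Enabled
        ProxyEnabled  = $ep.Proxy
        ExpectedProxy = $policy[$path]
        Compliant     = ($ep.Proxy -eq $policy[$path])
    }
}
$findings | Format-Table -AutoSize

# Remediation: pull windowstransport off the proxy and make sure
# usernamemixed is published, according to the table above.
foreach ($f in ($findings | Where-Object { -not $_.Compliant })) {
    Set-AdfsEndpoint -TargetAddressPath $f.AddressPath -Proxy $f.ExpectedProxy
}

# Endpoint changes are applied when the AD FS service restarts; run this on
# each farm node (on a WID farm, change the configuration on the primary).
Restart-Service adfssrv
```

Run the audit part first and review the Compliant column before letting the remediation loop change anything; the WAP picks up the new endpoint list from /adfs/Proxy/GetConfiguration after the AD FS service has restarted.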



