We are trying to integrate our application so that our customers can access our application using their respective corporate identifiers (Ping Identity or their ADFS server).
The web application is not a requirement, and we are trying to find a solution to combine it without changing the code.
I built an ADFS 3.0 environment on Windows Server 2012 R2 to simulate the future scenario. My lab environment:
Our side:
- 1 Active Directory Server (domainB)
- 1 IIS8 web server with our non-compliant applications (integrated Windows authentication supported by Kerberos), domain joined
- 1 ADFS 3.0 server (service provider) connected to the domain
- 1 WAP server connected to the domain
Client side:
- 1 Active Directory (domainA)
- 1 ADFS 3.0 server (identity provider) connected to domain A
Application users:
- DomainB\user1
- DomainA\user2
I have completed the following steps to create my lab environment:
- Install and configure ADFS 3.0 on a domain
- Install and configure a WAP server on a domain
- Publish ADFS 3.0 to a WAP server in a domain
- Create a non-claims-aware relying party trust for the application on ADFS 3.0 in the domain
- Post invalid WAP notifications to the domain
- Install and configure ADFS 3.0 on domainA
- Trust ADFS 3.0 in one domain with ADFS 3.0 in the other
- Change claim rules on each federation server.
"domainB\user1" has no problems accessing the application; the following events occur on my WAP server:
- - Kerberos .
- - HTTP- .
"domainA\user2", WAP Event Viewer:
: EventID 13019
- - Kerberos - API: .
(0x8007052e).
: EventID 12027
- - .
: .
(0x8007052e).
, Kerberos, B\user1 .
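As an added example (not the poster's own commands), this is the PowerShell that implements the domainB publishing steps listed above: the non-claims-aware relying party trust on ADFS, resource-based constrained delegation from the WAP computer to the IIS server, the WAP publication with ADFS pre-authentication, and the checks worth running when the Kerberos step fails. Hostnames, URLs, the SPN and the certificate thumbprint are placeholders assumed for the lab.

```powershell
# Added example, not from the original post. Placeholder names: adjust to the lab.
$appName = "IntranetApp"
$extUrl  = "https://app.domainb.example/"      # URL published by WAP
$intUrl  = "https://app.domainb.example/"      # backend IIS site (same host header)
$iisHost = "IISWEB01"                          # IIS computer account in domainB
$wapHost = "WAP01"                             # WAP computer account in domainB
$spn     = "http/app.domainb.example"          # SPN held by the IIS computer account

# 1. ADFS server (domainB): non-claims-aware relying party trust.
#    No claims are issued to the app; only an authorization rule is needed.
Add-AdfsNonClaimsAwareRelyingPartyTrust -Name $appName -Identifier $extUrl `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# 2. Active Directory (domainB): register the SPN on the IIS computer and allow
#    the WAP computer to delegate to it (resource-based KCD).
setspn -S $spn $iisHost
Set-ADComputer -Identity $iisHost `
    -PrincipalsAllowedToDelegateToAccount (Get-ADComputer $wapHost)
# WAP caches its own Kerberos tickets; after changing delegation, purge the
# system logon session's tickets on WAP (klist purge -li 0x3e7) or reboot it.

# 3. WAP server: publish the app with ADFS pre-authentication and KCD to IIS.
Add-WebApplicationProxyApplication -Name $appName `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName $appName `
    -ExternalUrl $extUrl `
    -BackendServerUrl $intUrl `
    -BackendServerAuthenticationSPN $spn `
    -ExternalCertificateThumbprint "<thumbprint of the certificate for app.domainb.example>"

# 4. Checks. With KCD, WAP asks its own domain for a ticket on the user's behalf
#    (S4U2Self), so the UPN asserted by ADFS must resolve to an account in the
#    WAP's forest; 0x8007052e is ERROR_LOGON_FAILURE (unknown user or bad credentials).
setspn -L $iisHost                     # SPN must appear exactly once in the forest
Get-ADComputer $iisHost -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object -ExpandProperty PrincipalsAllowedToDelegateToAccount   # expect WAP01
# A partner-forest user needs a resolvable identity here; empty output means
# domainB has no account carrying that UPN for WAP to delegate.
Get-ADUser -Filter { UserPrincipalName -eq "user2@domaina.example" }
```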