This article assumes you already have an ADFS 3.0 server and a SharePoint 2010 server set up.
I will cover adding a new Web Application Proxy (WAP) server and configuring it. In another post, I'll show how to publish a SharePoint 2010 site from your SharePoint farm through Web Application Proxy.
Set up a new Web Application Proxy server
- Install Windows Server 2012 R2 Standard on a new server or virtual machine
- Set a static IP address
- Join it to the domain with the computer name Proxy
- Add the Web Application Proxy role service by selecting the 'Remote Access' role
- Using the Certificates MMC snap-in, import the certificate used by your ADFS server's federation service
Configure the Web Application Proxy by running the wizard from the Server Manager notification once the role installation completes.
Click Next on the Welcome screen.
Enter the URL of your ADFS federation service and your ADFS administrative credentials, then click Next.
From the drop-down menu, select the ADFS certificate you imported earlier (I am using a wildcard certificate).
Click Configure on the Confirmation page.
Prepare SharePoint 2010
To publish SharePoint 2010 through WAP via ADFS, you will need to ensure your SharePoint site is using Kerberos.
If it is not, you will need to modify the existing site, or extend the web application to create a new site, configure Alternate Access Mappings (AAM), and so on.
How to configure your SharePoint site to use Kerberos
To modify your site to use Kerberos if it is not already, do the following:
Set Service Principal Names (SPNs) on the application pool identity (the service account that runs your site), one for the server name and one for the site FQDN:
- setspn -S http/servername domain\apppoolidentity
- setspn -S http/portal.domain.com domain\apppoolidentity
-S verifies that no duplicate SPN exists before adding it; otherwise you could use -A, which adds the SPN without checking.
Note: Type these commands out at the command prompt; setspn does not handle copy/pasted commands well.
Note: Use http/ for both HTTP and HTTPS sites, as this is the service class, not the protocol.
Run setspn -L domain\apppoolidentity to verify that both entries are present and correct.
Open the SharePoint server's computer object in Active Directory Users and Computers and go to the Delegation tab.
- Select 'Use any authentication protocol'
- Click Add, add your domain\apppoolidentity account, then select the two http services listed (the SPNs you registered above).
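The SPN registration, duplicate check and delegation steps above as one PowerShell script. This is an added example, not from the original post; it assumes the ActiveDirectory module (RSAT) is installed, that you run it with rights to edit these objects, and it uses the placeholder names SPSERVER, portal.domain.com and svc_sp_apppool.

```powershell
# Added example, not part of the original post. Placeholder names: SPSERVER (SharePoint host),
# portal.domain.com (site FQDN) and svc_sp_apppool (application pool identity).
Import-Module ActiveDirectory

$AppPoolAccount = 'svc_sp_apppool'                   # sAMAccountName of the app pool identity
$SharePointHost = 'SPSERVER'                         # computer object edited on the Delegation tab
$Spns           = @('http/SPSERVER', 'http/portal.domain.com')

# 1. Duplicate check (what setspn -S does before adding). A duplicate SPN on another
#    account breaks Kerberos for the site and clients quietly fall back to NTLM,
#    so fail loudly rather than register a second copy.
foreach ($spn in $Spns) {
    $owners = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName |
              Where-Object { $_.sAMAccountName -ne $AppPoolAccount }
    if ($owners) {
        throw "SPN $spn is already registered on: $($owners.DistinguishedName -join ', ')"
    }
}

# 2. Register only the SPNs that are missing on the app pool identity.
$user    = Get-ADUser -Identity $AppPoolAccount -Properties servicePrincipalName
$missing = @($Spns | Where-Object { $user.servicePrincipalName -notcontains $_ })
if ($missing.Count -gt 0) {
    Set-ADUser -Identity $AppPoolAccount -ServicePrincipalNames @{ Add = $missing }
}

# 3. Delegation tab equivalent: constrained delegation to just these two services
#    (msDS-AllowedToDelegateTo) with 'Use any authentication protocol'
#    (TrustedToAuthForDelegation). Keeping the list limited to the two SPNs is the
#    least-privilege setting; unconstrained delegation would let the host
#    impersonate users to any service.
Set-ADComputer -Identity $SharePointHost -Add @{ 'msDS-AllowedToDelegateTo' = $Spns }
Get-ADComputer -Identity $SharePointHost | Set-ADAccountControl -TrustedToAuthForDelegation $true

# 4. Verify, as setspn -L does, and show the resulting delegation state.
(Get-ADUser -Identity $AppPoolAccount -Properties servicePrincipalName).servicePrincipalName
Get-ADComputer -Identity $SharePointHost -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
```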
Log in to Central Administration on your SharePoint server.
Under Application Management, select Manage web applications.
Highlight the web application for which you are enabling Kerberos and select Authentication Providers from the ribbon.
Select the Default zone when prompted, and scroll down to the IIS Authentication Settings section.
Change Integrated Windows Authentication from NTLM to Negotiate (Kerberos).
Don't worry, IIS will fall back to NTLM if it cannot negotiate Kerberos.
Click Save at the bottom and wait a minute or so.
Try browsing to your site now via the FQDN; it should function as normal.
Note: You can also test browsing to the site by server name, but this may fail if you have other HTTPS sites on the same server and/or have not configured AAM for it; that is expected.
You are now ready to configure ADFS and publish the site in WAP!