Now that you have set up a Web Application Proxy server and configured your SharePoint site to use Kerberos, we can move on to configuring AD FS and WAP to publish the site. If you have not yet deployed WAP or set SharePoint up for Kerberos, please refer to the earlier post on deploying WAP with your SharePoint farm; the publishing rule below depends on both.

Configure Relying trust for your SharePoint site on ADFS 3.0

Launch the AD FS Management console using an administrator account.

In the left pane, right-click Relying Party Trusts and select Add Non-Claims-Aware Relying Party Trust. (A non-claims-aware trust is the right choice here because SharePoint is not consuming claims from AD FS; AD FS only pre-authenticates the user, and WAP then signs in to SharePoint on their behalf with Kerberos.)

Click Start, and on the next page enter a descriptive name, then click Next.

Enter the URL of your SharePoint site (for example https://portal.domain.com/), click Add, then Next.

Click Next on the Multi-Factor page as we will not be configuring this.

Click Next on the identifier page. On the final page, leave the checkbox checked so that the Issuance Authorization Rules window opens when the wizard closes, and click Close.

In the Issuance Authorization Rules Window, click Add Rule.

Add a single rule using the Permit All Users template, then click Next and Finish. Note what this rule means: every user who can authenticate to AD FS is allowed through to the site, and SharePoint's own permissions decide what they can then see. If you want AD FS itself to restrict who can reach the site from outside (for example to members of a particular group), use a narrower authorization rule here instead.

Publish your SharePoint site using Web Application Proxy

Import your SharePoint site certificate, together with its private key, into the WAP server's local computer Personal certificate store using the Certificates MMC snap-in. WAP will present this certificate to external clients, so it must be one they trust.

Launch the Remote Access management console with administrative credentials

In the left pane, highlight your WAP server, then select Publish from the Tasks pane on the right.

Click Next on the Welcome page, then select AD FS on the Preauthentication page and click Next.

On the Relying Party page, select the SharePoint relying party trust you created above and click Next.


On the Publishing Settings page, fill in the requested information (name, external URL and backend server URL) and select the SharePoint site certificate from the External certificate drop-down.

For the Backend server SPN, enter the SPN you registered for the SharePoint web application's service account when configuring Kerberos (for example http/portal.domain.com), then click Next. WAP authenticates to the backend with Kerberos constrained delegation, so that service account must allow the WAP computer account to delegate to this SPN; if that is missing, users will pass AD FS pre-authentication and then fail to reach the site.


Verify the information on the Confirmation page and click Publish
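The same relying party trust, delegation setting and publishing rule can be created from PowerShell, which is also the easiest way to confirm afterwards that the wizard did what you expected. The script below is an added example, not code from the original post; the cmdlets are the real AD FS, ActiveDirectory and WebApplicationProxy modules, but the site URL, federation names, service account and server names are assumptions for illustration. Note that the sections run on different hosts, as the comments indicate.

```powershell
# Added example (not from the original post). Assumed names, for illustration only:
#   https://portal.domain.com/ - the SharePoint web application (same name inside and out)
#   svc_spweb                  - the SharePoint app pool service account that holds the SPN
#   WAP01                      - the Web Application Proxy server
$siteUrl = 'https://portal.domain.com/'
$rpName  = 'SharePoint Portal'
$spn     = 'http/portal.domain.com'   # must match the SPN registered for Kerberos

# --- 1. On the AD FS server: non-claims-aware relying party trust -------------------
# This is the "Permit All Users" template from the wizard, expressed as claim rule text.
# AD FS only pre-authenticates here; SharePoint permissions still govern access.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Add-AdfsNonClaimsAwareRelyingPartyTrust -Name $rpName `
    -Identifier $siteUrl `
    -IssuanceAuthorizationRules $permitAll

# --- 2. In Active Directory: allow the WAP computer to delegate to the SharePoint SPN --
# Resource-based constrained delegation: the account that owns the SPN lists the
# principals allowed to delegate to it. Needs the ActiveDirectory module and AD rights.
Set-ADUser -Identity 'svc_spweb' `
    -PrincipalsAllowedToDelegateToAccount (Get-ADComputer 'WAP01')

# --- 3. On the WAP server: publish the site with AD FS pre-authentication ----------
# The certificate must already be in the local machine Personal store with its
# private key; pick it by thumbprint rather than trusting a subject-name match blindly.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*portal.domain.com*' -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw 'Site certificate with private key not found in Cert:\LocalMachine\My' }

Add-WebApplicationProxyApplication -Name $rpName `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName $rpName `
    -ExternalUrl $siteUrl `
    -BackendServerUrl $siteUrl `
    -BackendServerAuthenticationSPN $spn `
    -ExternalCertificateThumbprint $cert.Thumbprint

# --- 4. Verify what was created (AD FS server, then WAP server) --------------------
Get-AdfsNonClaimsAwareRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, IssuanceAuthorizationRules
Get-WebApplicationProxyApplication -Name $rpName |
    Select-Object Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication,
                  BackendServerAuthenticationSPN, ExternalCertificateThumbprint
```

The verification step at the end is worth keeping as a standing check: the two things that most often go wrong with this setup are a backend SPN that does not match what was registered for Kerberos, and a certificate without a private key, and both are visible in that output.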

Done!

Now set up your external DNS so that the site's public name resolves to your firewall's public IP, and NAT HTTPS (TCP 443) through the firewall to the WAP server's IP. Only the WAP server should be reachable from the Internet; the AD FS farm and SharePoint stay internal.


One final point to note

When you use Web Application Proxy like this, the AD FS federation service FQDN MUST resolve, in external DNS, to the Web Application Proxy server's public (NATed) IP, or this will not work: external users are redirected to the federation service for pre-authentication, and WAP is acting as the face of AD FS. The WAP server itself must still resolve that same FQDN to the internal AD FS server (typically through a hosts file entry or split DNS); if it picks up the external record it will forward requests to itself.

This has two consequences. Any other relying party that external users are expected to reach must be published through WAP as well, since nothing else is exposed. And if your AD FS farm is load-balanced for high availability, the WAP tier now sits in the path of every external sign-in and needs the same consideration.
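A quick way to confirm the DNS requirement from both sides is the script below. It is an added example, not part of the original post; the federation name, site name and all addresses are assumptions chosen for illustration (the public IP is from the RFC 5737 documentation range). Run it once from an Internet-connected client and once on the WAP server itself with `-Vantage WAP`.

```powershell
# Added example (not from the original post). Assumed names and addresses:
#   sts.domain.com    - AD FS federation service FQDN
#   portal.domain.com - the published SharePoint site
#   203.0.113.10      - public IP NATed to the WAP server (documentation range)
#   10.0.0.20         - internal AD FS server
#   10.0.0.30         - internal SharePoint web front end
param([ValidateSet('External', 'WAP')][string]$Vantage = 'External')

$expected = if ($Vantage -eq 'External') {
    # Outside the firewall both names must land on the WAP: it is the face of AD FS.
    @{ 'sts.domain.com' = '203.0.113.10'; 'portal.domain.com' = '203.0.113.10' }
} else {
    # On the WAP server the same names must resolve to the internal hosts
    # (hosts file or split DNS), otherwise the proxy forwards traffic to itself.
    @{ 'sts.domain.com' = '10.0.0.20'; 'portal.domain.com' = '10.0.0.30' }
}

$ok = $true
foreach ($name in $expected.Keys) {
    try {
        $answers = Resolve-DnsName -Name $name -Type A -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' } | ForEach-Object IPAddress
    } catch {
        Write-Warning "$name did not resolve: $($_.Exception.Message)"
        $ok = $false
        continue
    }
    if ($answers -contains $expected[$name]) {
        Write-Host ("[OK]   {0} -> {1} ({2} vantage)" -f $name, ($answers -join ','), $Vantage)
    } else {
        Write-Warning ("{0} -> {1}, expected {2} from the {3} vantage point" -f
            $name, ($answers -join ','), $expected[$name], $Vantage)
        $ok = $false
    }
}

if ($Vantage -eq 'External') {
    # Confirm the NAT actually delivers HTTPS to the WAP and that AD FS answers
    # through it: the federation metadata document is a standard AD FS endpoint.
    $tcp = Test-NetConnection -ComputerName 'sts.domain.com' -Port 443
    if (-not $tcp.TcpTestSucceeded) {
        Write-Warning 'TCP 443 to sts.domain.com is not reachable through the NAT'
        $ok = $false
    } else {
        $meta = Invoke-WebRequest -UseBasicParsing `
            -Uri 'https://sts.domain.com/FederationMetadata/2007-06/FederationMetadata.xml'
        Write-Host ("[OK]   federation metadata returned HTTP {0} via WAP" -f $meta.StatusCode)
    }
}

exit $(if ($ok) { 0 } else { 1 })
```

If the external run passes but the `-Vantage WAP` run shows the federation name resolving to the public address, the WAP server is about to proxy to itself; fix its hosts file or internal DNS before testing sign-in.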

Now, test your setup!

Note: This is a customized sign-in page for ADFS 3.0, a topic to cover in another post.
