SharePoint 2013 and ADFS 2.0 Lab Environment

In our organization we are responsible for the SharePoint Farm, but other teams are responsible for maintaining infrastructure components such as Active Directory, ADFS, and Windows Certificate Services/External CA Certificates.  Since this was our first attempt at using ADFS we wanted to setup a standalone lab environment that included all of the components so we had a good understanding of what it would take to implement and support an end to end configuration.

Lab Environment

  • Domain: 2008r2.local (All machines joined to this domain)
  • Domain Controller: DC1 (Windows 2008 R2)
  • ADFS 2.0 Server: DC1 (co-hosted with the domain controller)
  • SQL Server: SQL1 (Windows 2008 R2/SQL 2012 Enterprise)
  • SharePoint Application Server: SP-APP-1 (Windows 2008 R2/SharePoint 2013)
  • SharePoint Web Front End Server: SP-WFE-1 (Windows 2008 R2/SharePoint 2013)


Authentication Process Flow

The above image and steps below illustrate the authentication process with SharePoint functioning as the “Relying Party” and ADFS as the “Identity Provider”.

  1. User browses to the site (https://portal.2008r2.local )
  2. SharePoint receives the request and if more than one authentication provider is configured will present the user with a pick list (i.e. “Windows Authentication” and “ADFS20”).  If the user selects the ADFS provider then SharePoint will redirect the client to https://logon.2008r2.local/adfs/ls
  3. ADFS receives the request and a login form is provided to the user.
  4. ADFS authenticates the user with the appropriate identity provider (Active Directory)
  5. ADFS creates the logon token
  6. ADFS responds to the client with a token and the WS-Federation passive protocol URL for SharePoint
  7. The authenticated client presents token to WS-Federation passive protocol URL for SharePoint
Tagged with: ,
Posted in ADFS, SAML Claims, SharePoint 2013
2 comments on “SharePoint 2013 and ADFS 2.0 Lab Environment
  1. Az says:

    I can not get the ADFS authentication working for Sharepoint. ADFS authenticates by itself. Sharepoint works with Windows authentication. But trying to get external user to authenticate using ADFS is not working. I am using ADFS proxy in a corporate DMZ. What other ports must be opened for this to work? 80, 443 and some others. I hit Sharepoint from external, redirect to ADFS authenticate, then I get an error after authentication. Error There was a problem accessing the site. Try to browse to the site again.
    Now I know the site works as Windows auth works. Trusted Identity provider was set up twice to ensure it was correct.
    Does this sound like something is being blocked at the firewall level?

  2. Russell says:

    I have adfs configured and a claims user is able to login, but The claims based users can not use search. If the claims user is a Site Admim Search works.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: