Windows 10: ADFS page blocking bypassed MFA for select users

Discussion in 'Windows 10 Customization' started by Maynard Lavalle, Oct 4, 2019.

  1. ADFS page blocking bypassed MFA for select users


    Hi Microsoft Support,

    Good day! I need help on how to remove the ADFS page blocking my exempted user not to use MFA. The user or mailbox account is already bypassed on the MFA application. Almost all users are using MFA to log in to portal.office.com.

    Thanks in advance!

    :)
     
    Maynard Lavalle, Oct 4, 2019
    #1
  2. vecon Win User

    Recommendation: Load balancer for ADFS environment?

    We want to put in ADFS for our current network to support about 30K authenticated users, currently to start off just for a SharePoint application, but it will potentially support other applications/users as well.

    Looking for recommendations on whether we should go with a virtual or hardware-based load balancer, and which vendor of LB people tend to adopt for their ADFS and WAP servers. Imagine we'll need to get an LB that can support Layer 7.

    Here is how we are currently spec'ed out so far:

    • 2 WAP servers (Win2016) sit behind a LB and all on DMZ
    • 2 ADFS servers (Win2016) sit behind another LB and all on Internal network
    • DC server is on Internal network as well

    ----

    Can anyone explain how the traffic/federation process goes (step by step) when a user accesses the website from the internet? (Please include how the request is passed/redirected between the web server, WAP, ADFS, and DC servers.)

    Thanks!
     
    vecon, Oct 4, 2019
    #2
  3. ADFS authentication loop on login page

    I deployed a HA ADFS environment with NLB.

    There are several URLs that can access the ADFS service: https://hostname.domain.local, https://adfs.domain.local, https://nlb-adfs.domain.local.

    When I access the ADFS service URL: https://adfs.domain.local, I can authenticate users normally with a signed-in status, but if I try to access the other URLs, the user can't be accessed and will be redirected back to login page again and again.

    In the Event Viewer I can find event IDs 4672, 4623, 4634. It seems the user was logged off once it was logged on.

    The description of the event id 4634 is

    This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

    How can I get through with it?

    Thank you!
     
    jameszeng1, Oct 4, 2019
    #3
  4. ADFS page blocking bypassed MFA for select users

    portal.office.com (Office 365) to ADFS then This page can’t be displayed on IE11

    I am using Office 365 with ADFS authentication.

    When I go to portal.office.com, and the following is true, I get a This page can’t be displayed error just as the browser tries to authenticate against my ADFS server:

    • Using IE or Edge in Windows 10 (IE version: 11.103.10586.0)
    • Computer joined to my domain
    • On the WAN whether or not I'm connected to the VPN

    It will work if:

    • I'm on my corporate LAN
    • There is no problem with Windows 8 in the above setup (IE 11.0.9600.12205)
    • If I use Firefox (probably Chrome too, haven't bothered to test)

    Other notes:

    I can properly resolve the external address of my adfs server (otherwise Firefox wouldn't work)

    If I replace the server address (adfs.domain.com) with the WAN IP, it will authenticate

    My ADFS server along with *.microsoftonline.com and *.office.com is in my Local intranet zone.

    Enabling or disabling "Display intranet sites in Compatibility View" does not resolve the issue

    From what I can tell, IE cannot resolve the address of my adfs server or refuses to talk to it. I don't know how a browser would not be able to resolve an address because I don't believe it's the job of the browser to do name resolution/interpretation at any level.

    This affects all Windows 10 clients.

    Before asking me if I have checked TLS settings, etc in IE please remember: I am able to connect to my adfs server if I use the IP address in IE.

    Before asking if my DNS settings are set up properly: Firefox works fine without me entering the IP.

    I'm stuck and have no idea what to try next.
     
    Michael-Adam, Oct 4, 2019
    #4