Windows 10: Conditional access in on-prem/ADFS environment for Windows login

Discuss and support Conditional access in on-prem/ADFS environment for Windows login in Windows Hello & Lockscreen to solve the problem; Hi! I've been searching for conditional access for the Windows login. Could not find anything relevant to my case so far. AD FS relying party... Discussion in 'Windows Hello & Lockscreen' started by Erdesz_Marton, May 11, 2022.

  1. Conditional access in on-prem/ADFS environment for Windows login


    Hi! I've been searching for conditional access for the Windows login. Could not find anything relevant to my case so far. AD FS relying party trust/access control policies seem to control access to applications, but I need to control Windows logins. GPO can require smart card for login, but I can't set a condition there. AAD access control seems the same as AD FS: it controls access to applications, but not whether to ask for MFA for the Windows login. Is it possible to set up a conditional access where users outside of the corporate network would have to use an MFA YubiKey smart card (PIV) to log into their Windows accou

    :)
     
    Erdesz_Marton, May 11, 2022
    #1

  2. ADFS Same FQDN and Service Name

    We have an on-prem ADFS server and we are thinking of deploying WAP in the on-prem environment for external users to access our O365 services.

    During the ADFS server deployment we kept the FQDN and the Federation Service name the same.

    So I want to confirm: for the WAP deployment, is it necessary to have a different FQDN and service name?

    Or, for publishing the current ADFS server, is it necessary to have a different FQDN and service name?
     
    Aitazaz Aijaz, May 11, 2022
    #2
  3. ADFS SAML setup

    Hello,

    I have questions regarding ADFS SAML configuration.

    I have been charged with setting up ADFS SAML and connecting our system with clarity safetyzone.

    I am using the Windows Server 2019 platform for the servers. I have created a test environment that has a domain controller, a server with ADCS, and another server with ADFS. I have a certificate created within the ADCS server and I installed ADFS on the respective server.

    After installing the role and configuring an ADFS administrator, I verified that the ADFS administrator can sign in at https://sts.contoso.com/adfs/ls/idpinitiatedsignon.aspx. I then created a Windows test account and logged into the ADFS server for testing purposes, and when navigating to https://sts.contoso.com/adfs/ls/ and attempting to sign in with that user, I get an error:

    An error occurred
    An error occurred. Contact your administrator for more information.
    Error details
    Activity ID: f68cc99a-b6e5-40dc-1a00-0080000000e5
    Error details: MSIS7065: There are no registered protocol handlers on path /adfs/ls/ to process the incoming request.
    Node name: 85253664-435b-4d04-8775-d4b96854cb12
    Error time: Mon, 02 Nov 2020 20:11:16 GMT
    Cookie: enabled
    User agent string: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36

    I have Everyone permitted for intranet access in the Access Control Policies.
    Am I missing something? Once I can verify that a standard user can log in, I can move on to the step of setting up the appropriate claims/trusts.

    Does anyone have experience with this and maybe even experience with the Clarity Safety Zone platform?
     
    JosephStefanelli, May 11, 2022
    #3
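    One check worth running before chasing claims or trusts, added here as an example and not part of the thread: list the AD FS passive endpoints under /adfs/ls and confirm whether the IdP-initiated sign-on page is enabled. It runs on the AD FS server in an elevated session with the ADFS module; the cmdlets and property names are those of the ADFS PowerShell module, nothing else is assumed.

```powershell
# Added example (not from the thread): inventory the browser-facing (passive)
# endpoints of an AD FS farm and report the IdP-initiated sign-on setting.
# Run on the AD FS server in an elevated PowerShell session.
Import-Module ADFS -ErrorAction Stop

# Every endpoint whose path starts with /adfs/ls is handled by the passive
# WS-Federation / SAML 2.0 pipeline that the MSIS7065 error refers to.
$passive = Get-AdfsEndpoint | Where-Object { $_.AddressPath -like '/adfs/ls*' }

$passive |
    Select-Object AddressPath, Protocol, Enabled, Proxy |
    Sort-Object AddressPath |
    Format-Table -AutoSize

# Bare /adfs/ls/ only dispatches requests that carry a protocol payload
# (for WS-Federation: wa=wsignin1.0 plus wtrealm; for SAML: a SAMLRequest).
# A browser request with no such parameters has no handler and yields
# MSIS7065 even on a healthy farm, so it is not a useful credential test.
$bare = $passive | Where-Object { $_.AddressPath -eq '/adfs/ls/' }
if ($bare -and -not $bare.Enabled) {
    Write-Warning '/adfs/ls/ is disabled: no browser sign-in will work.'
}

# The IdP-initiated sign-on page is the supported way to test a user's
# credentials without a relying party; it is off by default on AD FS 2016+.
$props = Get-AdfsProperties
"IdP-initiated sign-on page enabled: $($props.EnableIdpInitiatedSignonPage)"
if (-not $props.EnableIdpInitiatedSignonPage) {
    Write-Warning 'Enable it (Set-AdfsProperties -EnableIdpInitiatedSignonPage $true) for testing, and turn it off again afterwards.'
}
```

    Test standard-user sign-in against the IdP-initiated page or against a real relying party sign-in URL; a request to the bare /adfs/ls/ path reproduces MSIS7065 by design.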
  4. Conditional access in on-prem/ADFS environment for Windows login

    ADFS authentication loop on login page

    I deployed an HA ADFS environment with NLB.

    There are several URLs that can reach the ADFS service: https://hostname.domain.local, https://adfs.domain.local, https://nlb-adfs.domain.local.

    When I access the ADFS service URL https://adfs.domain.local, I can authenticate users normally with a signed-in status, but if I try to access the other URLs, the user can't get in and is redirected back to the login page again and again.

    In the Event Viewer I can find event IDs 4672, 4623, 4634. It seems the user was logged off as soon as it was logged on.

    The description of event ID 4634 is:

    This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

    How can I get past this?

    Thank you!
     
    jameszeng1, May 11, 2022
    #4
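    The 4634 description quoted above says the logoff can be correlated with its logon through the Logon ID. The following script, added here as an example and not part of the thread, does exactly that on the Security log of an AD FS node and lists sessions torn down within a few seconds of creation, together with the user, logon type and source address, so the short-lived sessions behind the redirect loop can be told apart from normal ones. It assumes an elevated session with read access to the Security log; the time window and lifetime threshold are placeholders to adjust.

```powershell
# Added example (not from the thread): pair 4624 (logon) with 4634 (logoff)
# events by TargetLogonId and report sessions that lived only a few seconds.
param(
    [int]$Hours = 1,                # how far back to read (placeholder)
    [double]$MaxLifetimeSeconds = 5 # sessions shorter than this are reported
)

$filter = @{ LogName = 'Security'; Id = 4624, 4634
             StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop

# Read EventData fields by name from the event XML, so the script does not
# depend on the positional Properties[] index, which differs between 4624 and 4634.
function Get-EventField([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Index every logon by its Logon ID (a hex string such as 0x3e7).
$logons = @{}
foreach ($e in $events | Where-Object Id -eq 4624) {
    $logons[(Get-EventField $e 'TargetLogonId')] = [pscustomobject]@{
        User      = Get-EventField $e 'TargetUserName'
        Domain    = Get-EventField $e 'TargetDomainName'
        LogonType = Get-EventField $e 'LogonType'   # 3 = network, 8 = NetworkCleartext
        Source    = Get-EventField $e 'IpAddress'
        Time      = $e.TimeCreated
    }
}

# Walk the logoffs and keep the ones whose matching logon happened moments earlier.
$short = foreach ($e in $events | Where-Object Id -eq 4634) {
    $id = Get-EventField $e 'TargetLogonId'
    if (-not $logons.ContainsKey($id)) { continue }   # logon outside the window
    $l = $logons[$id]
    $life = ($e.TimeCreated - $l.Time).TotalSeconds
    if ($life -ge 0 -and $life -le $MaxLifetimeSeconds) {
        [pscustomobject]@{
            LogonId = $id; User = "$($l.Domain)\$($l.User)"; LogonType = $l.LogonType
            Source = $l.Source; LogonTime = $l.Time; LifetimeSeconds = [math]::Round($life, 2)
        }
    }
}

$short | Sort-Object LogonTime | Format-Table -AutoSize
"$(@($short).Count) short-lived session(s) in the last $Hours hour(s)"
```

    On an NLB farm run it on each node, since the node that answered the request is the one that holds the matching 4624/4634 pair.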