This post has already been read 10004 times!
Previous Articles in this series
In Part 5 – Providing Context Aware logins I will set up Single Sign on and Single Factor for Internal Use but still require Multi Factor for External Access to the systems from outside of my network. This along with dns records for ug.bretty.me.uk and sts.bretty.me.uk internally and externally should give you a nice experience when logging into my Unified Gateway and SSO internally whilst still asking for 2FA externally.
First open up the ADFS Management Console – and re-open the Multi Factor Authentication Policy
Disable MFA for Intranet Users
The Issue: when logging onto the service internally it does not ask you for a second factor, however it does prompt for credentials even though you are logged into the machine as a valid domain users. This is by no means ideal and not a good user experience.
If we want to look at how we can resolve this we just open up Internet Options
Add the Unified Gateway and the ADFS External domain names to the intranet zone
and set automatic login to this zone.
This is not really viable on each and every machine on the domain so to roll this out I will use Group Policy. You could use another tool here such as AppSense EM or RES but in this case GPO will do me fine.
Create a new Group Policy and open up the following location
Computer Configuration – Policies – Administrative Templates – Windows Components – Internet Explorer – Internet Control Panel – Security Page
Then open up the Site to Zone Assignment List
Add the EXTERNAL Domain Names for both your Unified Gateway and ADFS Service and set to force them into Zone 1 – The Intranet Zone
Next open up the following
Computer Configuration – Policies – Administrative Templates – Windows Components – Internet Explorer – Internet Control Panel – Security Page – Intranet Zone
Then open up Logon Options
Enable this and set it to Automatic Login with Current Username and Password
Once created you should have the following settings in GPO
Assign this to your domain machines that will use your Unified Gateway internally and open up an Admin Command Prompt and update Group Policy
If you check the same options on the domain joined machine you can now see they are set correctly
If you now go to your Unified Gateway URL internally it will hand you off to ADFS, Single Sign you onto the service without the need for a second factor and hand you back to the NetScaler. At this point FAS and StoreFront take over and SSO you to your apps and desktops.
Externally of course you will still be prompted for a second factor
Next we will take a look at making it all look good!