Forum Discussion
I need a guide for SP2016 on-prem setting up WAP and ADFS
We're using Windows Auth with NTLM (not Kerberos).
I didn't think SAML was available on 2016. It's also my understanding that 2016 is claims-based authentication only. But, whatever... We also saw an article that led us to believe that we may have to set up SP2016 with a Trusted Identity Provider. I did this in the past with a 3rd-party provider and hope to not have to do it with WAP.
Questions we ran into:
1) From the WAP side, do we provide access via passthrough or ADFS pre-authenticated?
2) I've seen articles showing that you have your LAN intranet access (inet.company.com). And when you WAP your external access, you have to have a different subdomain (enet.company.com) via alternate access mappings. Is this the case? Can't my external portal be the same subdomain as internal (provided that the DNS entries are correct)?
> It's a simple process...
I'll let the team know. ;) We've been sort of banging our heads against the wall here.
- Oct 13, 2017
SAML is a form of Claims, and yes it is available but comes with some UX issues (namely the People Picker will resolve any value you put into it, though that's solved by solutions like http://ldapcp.com/).
Anyhow, you still must join WAP to the domain, configure Kerberos on the SharePoint Web Application and implement KCD between WAP and the SharePoint service account(s). That's outlined on a post I created years ago at https://thesharepointfarm.com/2014/02/sharepoint-and-the-web-application-proxy-role/.
As for authentication, it will be ADFS Pre-Auth.
For URLs, no you don't have to have a different URL as long as the FQDN is resolvable from the outside world (which would point to the IP for WAP).
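The three steps named in the reply (Kerberos on the SharePoint web application, KCD from the domain-joined WAP server to the SharePoint service account, and publishing with ADFS pre-authentication on the same FQDN) expressed as PowerShell. This is an added example, not from the thread or the linked blog post; every name in it is a placeholder: DOMAIN\spweb is assumed to be the web application pool account, WAP01 the WAP server, inet.company.com the SharePoint URL used both inside and outside, and the ADFS relying party trust for SharePoint is assumed to exist already.

```powershell
# Added example, not the poster's own script. All identities and URLs are placeholders.
# Assumed: DOMAIN\spweb = SharePoint web app pool account, WAP01 = domain-joined WAP server,
#          inet.company.com = SharePoint web application FQDN (same inside and outside),
#          'SharePoint 2016' = name of an existing ADFS relying party trust for SharePoint.

# --- 1) Kerberos on the SharePoint web application ---------------------------------
# Register the HTTP SPN on the app pool account. -S refuses to add a duplicate SPN;
# duplicates make Kerberos fail silently and the client falls back to NTLM.
setspn -S HTTP/inet.company.com DOMAIN\spweb
setspn -X    # forest-wide duplicate check; expect "found 0 group of duplicate SPNs"

# Switch the Default zone from NTLM to Negotiate (Kerberos). Run on a SharePoint server.
# Omitting -DisableKerberos on New-SPAuthenticationProvider yields Negotiate.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$ap = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
Set-SPWebApplication -Identity 'https://inet.company.com' -Zone Default -AuthenticationProvider $ap

# --- 2) KCD from the WAP computer account to that service -----------------------------
# Constrained delegation to the SPN registered above, with protocol transition, because
# the user never authenticates to WAP with Kerberos: ADFS pre-auth hands WAP a token and
# WAP must obtain a Kerberos ticket to the backend on the user's behalf (S4U2Proxy).
Import-Module ActiveDirectory
Set-ADComputer -Identity WAP01 -Add @{'msDS-AllowedToDelegateTo' = 'HTTP/inet.company.com'}
Set-ADAccountControl -Identity 'WAP01$' -TrustedToAuthForDelegation $true

# Verify: delegation is limited to the one SPN, and protocol transition is enabled.
Get-ADComputer WAP01 -Properties 'msDS-AllowedToDelegateTo','TrustedToAuthForDelegation' |
    Select-Object Name,'msDS-AllowedToDelegateTo',TrustedToAuthForDelegation

# --- 3) Publish through WAP with ADFS pre-authentication, same FQDN in and out ---------
# Run on the WAP server. External DNS for inet.company.com points at the WAP IP;
# internal DNS points at SharePoint. The external certificate thumbprint is a placeholder.
Add-WebApplicationProxyApplication -Name 'SharePoint Intranet' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'SharePoint 2016' `
    -ExternalUrl 'https://inet.company.com/' `
    -BackendServerUrl 'https://inet.company.com/' `
    -BackendServerAuthenticationSPN 'HTTP/inet.company.com' `
    -ExternalCertificateThumbprint '<EXTERNAL-CERT-THUMBPRINT-PLACEHOLDER>'

# Confirm the published application and its pre-auth mode.
Get-WebApplicationProxyApplication -Name 'SharePoint Intranet' |
    Select-Object Name,ExternalPreauthentication,BackendServerAuthenticationSPN,ExternalUrl
```

Keeping the delegation scoped to the single HTTP SPN (rather than "trust for delegation to any service") is what limits the damage if the WAP host is compromised: its computer account can only obtain tickets for that one service. Checking `setspn -X` before moving on saves the most common debugging session, since a duplicate SPN produces exactly the NTLM fallback behaviour the original poster is starting from.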