I'm configuring an ADFS Server and am trying to achieve user-friendly sign-on for our relying party applications.
Currently there are two relevant options as far as I know:
My question here is, is it possible to satisfy these requirements:
Generically speaking, there is no programmatic way of detecting if the user is on the domain or not from a website. Because the moment your site is configured with Windows Auth (and Anonymous disabled), an NTLM challenge is sent to the browser and the credentials prompt pops up if you are not in the domain.
https://serverfault.com/questions/380302/can-i-detect-authenticated-domain-users-in-iis-asp-net-without-prompting-every
The way you achieve that is with DNS and that's what ADFS recommends by introducing the proxy role. You will have the internal DNS resolving login.yourcompany.com to the internal ADFS which has windows auth enabled and the external DNS resolving login.yourcompany.com to the proxy ADFS role which has forms auth enabled. So you need another server hosted on the DMZ so users outside the network/domain can reach it.
There is no way to do this with a single ADFS server unless you do some hack (i.e. not supported) having an artificial website on the same ADFS server bound to the external IP and that website has a redirect to "/adfs/ls/forms"
More info about proxy and its setup http://blogs.technet.com/b/askds/archive/2012/01/05/understanding-the-ad-fs-2-0-proxy.aspx
Matias
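As an added illustration (not part of Matias's answer or any Microsoft tooling), here is a small Python check for the split-brain DNS layout described above: the internal view of the sign-on name should resolve to the internal ADFS (RFC 1918 address, 401 with a Negotiate/NTLM challenge), and the external view should resolve to the DMZ proxy (non-RFC 1918 address, forms sign-in, no NTLM challenge). The hostname login.yourcompany.com comes from the answer; the addresses, status codes and headers are constructed observations, not captured from a real deployment, and the `audit`/`check_observation` helpers are hypothetical.

```python
"""Check that an ADFS sign-on name is published the recommended way:
internal DNS -> internal ADFS (Windows Integrated auth),
external DNS -> ADFS proxy in the DMZ (forms auth, no NTLM challenge).

Each observation is what an admin would collect by resolving the name
from one DNS view and requesting https://<name>/adfs/ls/ from there.
"""
import ipaddress

# RFC 1918 ranges: an address in one of these counts as "internal" here.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in RFC1918_NETS)


def auth_schemes(headers):
    """Scheme names offered in WWW-Authenticate (header lookup is
    case-insensitive; the value may be 'Negotiate, NTLM' or a list)."""
    raw = []
    for name, value in headers.items():
        if name.lower() == "www-authenticate":
            raw.extend(value if isinstance(value, list) else [value])
    schemes = set()
    for value in raw:
        for challenge in value.split(","):
            token = challenge.strip().split(" ", 1)[0]
            if token:
                schemes.add(token.lower())
    return schemes


def check_observation(obs):
    """Return a list of findings; an empty list means the view is
    configured as the answer recommends."""
    findings = []
    windows_auth = bool(auth_schemes(obs["headers"]) & {"negotiate", "ntlm"})
    internal_ip = is_rfc1918(obs["resolved_ip"])
    if obs["view"] == "internal":
        if not internal_ip:
            findings.append("internal view resolves to a non-RFC1918 address: "
                            "domain users will land on the proxy and get the forms page instead of SSO")
        if not (obs["http_status"] == 401 and windows_auth):
            findings.append("internal view does not challenge with Negotiate/NTLM: "
                            "Windows auth is not enabled on the internal ADFS")
    elif obs["view"] == "external":
        if internal_ip:
            findings.append("external view resolves to an RFC1918 address: "
                            "the name is unreachable from outside (no proxy published)")
        if windows_auth:
            findings.append("external view offers Negotiate/NTLM: the internal ADFS is exposed "
                            "directly and non-domain users will get the credentials popup")
    else:
        raise ValueError("view must be 'internal' or 'external'")
    return findings


def audit(observations):
    return {obs["view"]: check_observation(obs) for obs in observations}


# Constructed sample data (203.0.113.0/24 is the TEST-NET-3 documentation range).
GOOD_OBSERVATIONS = [
    {"view": "internal", "hostname": "login.yourcompany.com", "resolved_ip": "10.0.1.20",
     "http_status": 401, "headers": {"WWW-Authenticate": "Negotiate, NTLM"}},
    {"view": "external", "hostname": "login.yourcompany.com", "resolved_ip": "203.0.113.10",
     "http_status": 200, "headers": {"Content-Type": "text/html"}},
]

# Misconfigured: internal clients hit the proxy; the internal ADFS is published externally.
BAD_OBSERVATIONS = [
    {"view": "internal", "hostname": "login.yourcompany.com", "resolved_ip": "203.0.113.10",
     "http_status": 200, "headers": {}},
    {"view": "external", "hostname": "login.yourcompany.com", "resolved_ip": "203.0.113.10",
     "http_status": 401, "headers": {"WWW-Authenticate": ["Negotiate", "NTLM"]}},
]

if __name__ == "__main__":
    for label, obs in (("good", GOOD_OBSERVATIONS), ("bad", BAD_OBSERVATIONS)):
        for view, findings in audit(obs).items():
            print(f"[{label}] {view}: {findings or 'OK'}")
```

To use it against a real deployment you would fill the observations by resolving the name from a client on each side (for example with the internal DNS server and then with a public resolver) and recording the status code and `WWW-Authenticate` header returned by `/adfs/ls/`; the checks then tell you whether each DNS view points at the right ADFS role.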