ADFS Deep-Dive
LINK - https://fancli.com/2sV5zc
At this point the WAP will attempt numerous connections to the /adfs/Proxy/GetConfiguration URL with a query string of api-version=2 as seen in the screenshot below. It will receive a 401 back because Fiddler needs a copy of the client certificate to provide to the AD FS server. At this point I let it time out and eventually the setup finished.
3rd party identity providers need to support the WS-Trust protocol to enable PRT issuance on Windows 10 or newer devices. Without WS-Trust, PRT cannot be issued to users on Hybrid Azure AD joined or Azure AD joined devices. On ADFS only usernamemixed endpoints are required. Both adfs/services/trust/2005/windowstransport and adfs/services/trust/13/windowstransport should be enabled as intranet facing endpoints only and must NOT be exposed as extranet facing endpoints through the Web Application Proxy.
In an ADFS environment, direct line of sight to the domain controller isn't required to renew the PRT. PRT renewal requires only /adfs/services/trust/2005/usernamemixed and/adfs/services/trust/13/usernamemixed endpoints enabled on proxy by using WS-Trust protocol.
Active Directory Federation Services (AD FS) Protocols Overview -us/openspecs/windows_protocols/ms-adfsod/a11c94b0-3952-412c-8a93-d2412dd063e1Identity management _managementSecurity Assertion Markup Language (SAML) _Assertion_Markup_LanguageSAML 2.0 _2.0SAML 2.0 Web browser SSO profile _2.0#Web_browser_SSO_profileWS-Trust -TrustWeb Services Federation Language (WS-Federation) -open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.htmlOASIS -open.org/ _(organization)AD FS OpenID Connect/OAuth Concepts -us/windows-server/identity/ad-fs/development/ad-fs-openid-connect-oauth-conceptsAD FS OpenID Connect/OAuth flows and Application Scenarios -us/windows-server/identity/ad-fs/overview/ad-fs-openid-connect-oauth-flows-scenariosADFS Deep-Dive: Comparing WS-Fed, SAML, and OAuth -infrastructure-and-security/adfs-deep-dive-comparing-ws-fed-saml-and-oauth/ba-p/257584 2b1af7f3a8