Forum Discussion

mreco_159588
Feb 22, 2017

sharepoint multiple authentication providers

Hi all,

We have set up SharePoint with multiple authentication mechanisms: Windows authentication and ADFS authentication.

 

When connecting to SharePoint, a dropdown list is shown where you can select whether you want to use Windows authentication or ADFS authentication.

  1. When choosing Windows authentication, a Kerberos ticket will be obtained and you will be logged on to SharePoint with the Kerberos ticket.
  2. When choosing ADFS authentication, you are redirected to the ADFS login page, a claims-based token will be obtained and you will be logged on to SharePoint with the ADFS token.

This works like a charm when in our internal network.

Now, we want to have the same on the internet. If we just 'reverse proxy' the SharePoint site, this also works just fine: a user is prompted to choose which authentication method he wants to use and, when selecting Windows authentication, the user will receive a popup to log in via NTLM. When choosing ADFS, a token will be obtained.

 

What we now want is to omit the dropdown list for choosing the authentication method, which would be as follows with the BigIP:

  1. BigIP shows a logon page and a user logs on with his e-mail address and password.
  2. When the e-mail address is an internal one ((at)ourcompanydomain.com), Windows authentication should be chosen and the BigIP should obtain a Kerberos ticket via Kerberos Constrained Delegation, using the credentials entered in the BigIP logon page.
  3. When the e-mail address is not an internal one, ADFS authentication should be chosen and SharePoint will redirect to the ADFS logon page, which the BigIP will detect via forms detection and will enter the user's credentials entered in the BigIP logon page. The obtained token will be sent to the client and it will be used for authentication in SharePoint.

When SharePoint is only set to use Windows authentication, option 2 works just fine with Kerberos Constrained Delegation (logging on with UPN in the BigIP logon page).

When SharePoint is only set to use ADFS authentication, option 3 works just fine with forms detection.

 

The question now is: can we have SharePoint show the dropdown list and have F5 decide (based on e-mail address) which option to choose and then follow the required authentication path for the selected authentication method?

The flow would be something like this:

  1. Logon page
  2. Extract domain from e-mail address (variable assign?)

If e-mail address from our company domain:

  1. Obtain UPN via AD query
  2. Preauthenticate users
  3. Send request to SharePoint
  4. SharePoint sends selection form
  5. BigIP chooses Windows authentication (forms detection?)
  6. Using the UPN a Kerberos ticket is obtained via KCD
  7. User is logged on to SharePoint with Kerberos ticket

If e-mail address not from our company domain:

  1. Send request to SharePoint
  2. SharePoint sends selection form
  3. BigIP chooses ADFS authentication (forms detection?)
  4. SharePoint redirects to ADFS
  5. BigIP fills in e-mail address and password in ADFS (via forms detection)
  6. A token is obtained from ADFS
  7. User is logged on to SharePoint with ADFS token

Will this work? In the flow above, I guess I would need to choose Kerberos SSO as the SSO method in APM, but it would not apply to ADFS users.

Can someone point me in the right direction?
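As an added example that is not part of the original post and not a reply to it, the "extract domain from e-mail address" step of the flow above can be expressed as an APM iRule agent that sets a session variable for the access policy to branch on. The agent id `pick_auth` and the session variable `session.custom.authpath` are assumed names; the domain `ourcompanydomain.com` is the placeholder from the post. The comparison is an exact match on the part after the last `@`, not a suffix match, so a lookalike such as `user@ourcompanydomain.com.example` is not routed to the internal (Kerberos) path.

```tcl
# Added example, not code from the original post. Assumed names:
#   - iRule Event agent id in the VPE: "pick_auth"
#   - session variable read by the policy branch rule: session.custom.authpath
# session.logon.last.username is APM's standard variable for the logon-page username.
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "pick_auth" } {
        return
    }

    # Normalise what the user typed: trim whitespace and lowercase, since
    # domain names are case-insensitive.
    set user [string tolower [string trim [ACCESS::session data get "session.logon.last.username"]]]

    # Take the part after the LAST "@". A missing "@" means this is not an
    # e-mail address, so mark it for the policy to deny rather than guessing.
    set at [string last "@" $user]
    if { $at < 0 } {
        ACCESS::session data set "session.custom.authpath" "reject"
        return
    }
    set domain [string range $user [expr {$at + 1}] end]

    # Exact equality only. A check such as "ends with ourcompanydomain.com"
    # would also accept "ourcompanydomain.com.example" (assumed lookalike).
    if { $domain eq "ourcompanydomain.com" } {
        # Internal user: policy branch continues to AD query + Kerberos/KCD.
        ACCESS::session data set "session.custom.authpath" "kerberos"
    } else {
        # External user: policy branch continues to the ADFS forms path.
        ACCESS::session data set "session.custom.authpath" "adfs"
    }
}
```

In the access policy, an iRule Event agent with id `pick_auth` runs this after the logon page, and a following branch rule tests `expr { [mcget {session.custom.authpath}] eq "kerberos" }` (or `"adfs"`, or `"reject"`) to select the path. The variable only routes the session; authentication itself is still performed by the KCD or ADFS step on the chosen branch.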