Internet-based client computers can't authenticate after you set up Active Directory Federation Services (AD FS) in a "firewall-published" configuration

When you try to set up Active Directory Federation Services (AD FS) in a "firewall-published" configuration, Internet-based client computers can't authenticate by using a federated user account. However, a client computer that resides on the on-premises network can successfully authenticate to Office 365 resources by using a federated user account.

The firewall-published configuration uses a firewall device, such as Microsoft Threat Management Gateway (TMG), to reverse proxy the AD FS Federation Service directly to the Internet. For more information about how to configure AD FS in a firewall-published configuration, click the following article number to view the Microsoft Knowledge Base article: Additionally, when the Internet-based client computer tries to authenticate to the on-premises AD FS Federation service endpoint name, such as https://sts.contoso.com/adfs/ls/, one or more of the following issues occurs:

• You're repeatedly prompted to log on (more than three times) without a successful authentication.
• Access is denied, even though you enter valid Active Directory credentials.
• "403 page not found" errors occur.

This issue occurs when the service requirements for publishing AD FS through a firewall limit a client device�s HTTP access to the AD FS Federation service. In this case, one or more of the following conditions are true:

• Extended Protection for Authentication (EPA) may not be disabled on the AD FS Federation Server farm.
• Firewall reverse proxy rule features may have been enabled that disrupt normal AD FS connection and functionality.

Disable Extended Protection Authentication for AD FS

Extended Protection Authentication (EPA) is a feature that's used by AD FS to detect man-in-the middle attacks. When a firewall is proxying the connection to the AD FS server, EPA may identify the firewall proxy as an attack. For information about how to disable this feature, see the following Microsoft Knowledge Base article: Firewall proxy rule configuration may be limiting connectivity

Note The following information is only advisory and may help resolve the problem, but it's offered without guarantee:

• Firewall proxy rule configuration may be limiting connectivity.
• Three specific firewall rule features will corrupt AD FS server traffic en-route. For the reverse proxy rule allowing access to AD FS from the Internet, disable the following features:
  • Link translation: http://technet.microsoft.com/en-us/library/cc995120.aspx
  • Verify normalization: http://technet.microsoft.com/en-us/library/cc995081.aspx
  • Block high bit characters: http://technet.microsoft.com/en-us/library/cc995081.aspx
  
  Note This step can apply to Forefront Threat Management Gateway (TMG) server. However, be aware that other firewall servers may also support these features.
  
• To troubleshoot TMG configuration problems, go to the following Microsoft websites:
  • Configure Web Publishing Rules for a Single Internal Pool (http://technet.microsoft.com/en-us/library/gg429712.aspx)
  • Microsoft Forefront Threat Management Gateway Best Practices Analyzer Tool (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=8aa01cb0-da96-46d9-a50a-b245e47e6b8b#QuickDetails)

Still need help? Go to the Office 365 Community website or the Windows Azure Active Directory Forums website.