Using ADFS to provide Kerberos token for WAP and backend system


We have SharePoint on-prem using Kerberos and want to enable external users to connect to our system through WAP.

We would like to avoid exposing our SharePoint "directly" to the outside network (pass-through) and not connect WAP in the DMZ with our internal AD domain (Kerberos delegation).

What are our remaining options?

Is ADFS capable of passing a Kerberos token? (it's on the internal network side)

Br, Tom



AudioBubble On BEST ANSWER

This is not possible. ADFS is only capable of doing Kerberos delegation (turning a SAML token into a Kerberos token for the backend) if it's part of the domain.
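
To make the constraint in this answer concrete, here is what the Kerberos constrained delegation (KCD) setup looks like when the WAP server is domain-joined. This is an added example, not code from the thread or from Microsoft's documentation; the host names (WAP01, sp.contoso.com, sp.internal.contoso.com), the relying party name and the certificate thumbprint are assumptions. The point it illustrates is that the delegation rights live on the WAP computer object in AD, which is exactly why a non-domain-joined WAP in the DMZ cannot perform this step.

```powershell
# Added example (not from the thread): WAP-side KCD when the WAP server IS domain-joined.
# Assumed names: WAP01 (WAP computer account), sp.contoso.com (external URL),
# sp.internal.contoso.com (backend SharePoint), relying party 'SharePoint',
# and a placeholder certificate thumbprint.

# 1. On a domain controller (or a host with RSAT): allow the WAP computer account
#    to delegate ONLY to the SharePoint web application's SPN (constrained
#    delegation with protocol transition, since users never present a Kerberos
#    ticket to WAP themselves). These attributes are stored on the AD computer
#    object, so a workgroup WAP has nowhere to carry them.
Import-Module ActiveDirectory
Set-ADComputer -Identity 'WAP01' -Add @{ 'msDS-AllowedToDelegateTo' = 'HTTP/sp.internal.contoso.com' }
Set-ADAccountControl -Identity 'WAP01$' -TrustedToAuthForDelegation $true

# 2. On the WAP server: publish SharePoint with AD FS pre-authentication and KCD
#    to the backend SPN. Users authenticate at AD FS; WAP then obtains a Kerberos
#    service ticket for the backend on their behalf.
Add-WebApplicationProxyApplication `
    -Name 'SharePoint' `
    -ExternalPreauthentication ADFS `
    -ExternalUrl 'https://sp.contoso.com/' `
    -BackendServerUrl 'https://sp.internal.contoso.com/' `
    -ADFSRelyingPartyName 'SharePoint' `
    -ExternalCertificateThumbprint '<thumbprint placeholder>' `
    -BackendServerAuthenticationSPN 'HTTP/sp.internal.contoso.com'

# 3. Verify least privilege: the delegation list should contain only the
#    SharePoint SPN, nothing broader.
(Get-ADComputer -Identity 'WAP01' -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo'
```

Keeping the delegation list to the single backend SPN (rather than enabling unconstrained delegation) limits what a compromised WAP host could request tickets for, which is the main reason to prefer constrained delegation when the domain-joined option is chosen.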

Marilee Turscak - MSFT On

The Kerberos protocol is a part of AD. ADFS converts the Kerberos token into a SAML token so you can pass it this way. ADFS provides either a SAML 1.1 or 2.0 token that contains the claims.

The ADFS server turns the Kerberos ticket into a SAML token which gets sent to whoever started the federation flow.

There is a guide for configuring Kerberos with ADFS 2.0 that may be helpful. https://www.cisco.com/c/en/us/support/docs/security-vpn/kerberos/118841-configure-kerberos-00.html