First thing’s first…
We have deployed an ADFS 3.0 server farm, DirSync, and Web Application Proxies to enable federation with Office365 and Windows Azure. Everything was working and users were able to logon to the cloud services.
Then I decided to enable Workplace Join – from the ADFS perspective; Device Authentication.
The configuration process went well, no unexplained errors – well, actually no errors at all. I then had my workgroup joined laptop running Windows 8.1 Pro do a Workplace Join. And guess what… That worked too. Within seconds my laptop was joined, and checking Azure AD revealed that my laptop had been registered correctly with my user account. I did not want to wait up to three hours for my DirSync to run, so I forced the synchronization, and then I was able to locate my laptop under Registered Devices in the local Active Directory.
Nice! But, then again, not so nice.
As I was preparing the servers for the ADFS and WAP roles, I figured I’d opt-in on enabling Integrated Authentication. So I had to join the WAP’s to the local Active Directory Domain.
Doing that, caused the login through the federation servers to fail, and the event id 364 was logged on the ADFS servers. At the end of the event logs “Exception Details” first line it said: MSIS5000: Authentication of the device certificate failed.
As it turns out, Extended Protection needs to be disabled on the ADFS Servers because it is unsupported with Integrated Authentication.
Disabling Extended Protection is done by running this powershell command on the primary ADFS Server:
Set-ADFSProperties –ExtendedProtectionTokenCheck None
Now all you have to do is restart the ADFS Service on the ADFS Server (duh!), and in the case you implemented an ADFS Server Farm, restart the service on all farm servers.
Hopefully this resolves the issue for you, as it did for me.