
We use a proxy service by zScaler. This has been set up so that there is an ADFS server between us and zScaler that authenticates the users and allows them access to the internet. This has been working all fine and dandy until sometime in the last few months (possibly 6). Normal users are able to authenticate correctly still and receive their internet cookie. Members of Domain Admins however do not. A support call with zScaler has ended with them suggesting we need to contact Microsoft and open a support call with them. Fair enough, but thought I would see if anyone here has any thoughts?

We have tried removing a user from Domain Admins, changing the OU their user account resides in, and redeploying the ADFS server from scratch (needed in the end to rule out red herring errors and due to another admin not having compiled stringent documentation). No error is generated when I try to log in, but the browser goes into an endless loop trying to authenticate.

The only potential breakthrough we may have had is disabling SAML and setting Forms as the authentication method. With the login prompt then presented we can enter the credentials but the page refreshes and does not process the request. From the server side I can see an Audit Failure (4776) but this seems to refer to LM levels in the domain which do not change per user account.

I am not an expert with ADFS 2.0 by any stretch of the imagination and the only use we have within our company is for the proxy. This means that skills and knowledge are somewhat thin on the ground.

I will leave it at this as my message already seems quite rambling, but I would be grateful for some thoughts if anyone has any, as this is a bit of a head scratcher.

UPDATE:

Looks like there is something promising in this KB:

https://support.microsoft.com/kb/2896713/en-us#appliesto

Will look to test over the maintenance window at the weekend but fingers crossed.

  • There isn't quite enough detail to give an answer. What's the end user experience when it fails? Do you get an error from ZScaler or AD FS? AD FS and Zscaler settings appear to be OK as normal users work. You need to know what ZScaler is expecting as claims to allow using it. What are the claims sent when a domain admin tries to log on using AD FS? Do you have authorization rules on AD FS denying domain admins? There are multiple possibilities here to give a definite answer. – maweeras May 05 '14 at 16:51

1 Answer


So it turns out this KB was the root cause of the problem:

http://support.microsoft.com/kb/2843638

If a user is a member of a large number of groups then the authentication will go into a loop and never complete. We had previously had this issue with large Kerberos ticket sizes in our organization. That coupled with an expansion that generated a load more groups in AD meant that our Domain Admins members were now tripping the "large number of groups" limit. Applying the following hotfix:

https://support.microsoft.com/kb/2896713/en-us#appliesto

has now resolved the issue. Hope this is useful to anyone else who stumbles across this problem with ADFS.
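A check an admin can run to find which accounts are approaching the group-count limit the answer describes, written here as an added example (not code from the question, the answer or Microsoft). It assumes the ActiveDirectory RSAT module is installed, reads the constructed tokenGroups attribute through [ADSI], and uses a warning threshold of 200 that is an assumption, since the linked KBs do not state a number.

```powershell
# Added example: count the effective (nested) group memberships of every member
# of Domain Admins so that accounts likely to trip the "large number of groups"
# limit can be spotted before they hit the AD FS sign-in loop.
param(
    [string]$Group     = 'Domain Admins',
    [int]   $Threshold = 200   # assumed warning level; tune for your forest
)

Import-Module ActiveDirectory -ErrorAction Stop

function Get-TokenGroupCount {
    param([string]$DistinguishedName)
    # tokenGroups is a constructed attribute: it is only returned on a base-scope
    # read, so bind to the object directly and request that attribute explicitly.
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $entry.RefreshCache(@('tokenGroups'))
    return $entry.Properties['tokenGroups'].Count
}

# Recursive expansion includes nested groups, which is what the token reflects.
$members = Get-ADGroupMember -Identity $Group -Recursive |
           Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    $count = Get-TokenGroupCount -DistinguishedName $m.distinguishedName
    [pscustomobject]@{
        SamAccountName  = $m.SamAccountName
        TokenGroupCount = $count
        OverThreshold   = ($count -ge $Threshold)
    }
}

# Highest group counts first; OverThreshold flags the accounts to look at.
$report | Sort-Object TokenGroupCount -Descending | Format-Table -AutoSize
```

Run the same script with -Group set to a group of ordinary users to get a baseline count for accounts that still sign in normally.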