Our current environment contains two Server 2012 Domain Controllers running AD FS 2.0. We are using TMG, installed in our perimeter network, to load balance the servers in a server farm and make the connection with Office 365. This has been working great for almost a year now. The decision was made recently to upgrade the domain controllers to Server 2012 R2 (with AD FS 3.0). We have replaced one of the servers and have AD FS 3.0 installed on it and configured. It is working okay to connect our internal users to Office 365. The problem is in getting TMG reconfigured to work with AD FS 3.0. The problem appears to be that with the current version we configured IIS to allow us to use Windows Authentication when connecting externally to Office 365. AD FS 3.0 does not use IIS, and its Authentication Policy for the extranet does not permit Windows Authentication.
Is there anyone who has run into this same scenario and found a way to configure TMG to work correctly? We know that we could set up a Windows Application Proxy to handle this, but we would prefer not to have to set up an additional server in our perimeter network, if possible.
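As an added illustration (not part of the original post), the following PowerShell snippet, run on the AD FS 3.0 server, reads back the global authentication policy and the user-agent list that AD FS uses to decide when Windows Integrated Authentication is offered, so the actual extranet/intranet provider sets can be confirmed before any TMG rule is changed. The cmdlets `Get-AdfsGlobalAuthenticationPolicy` and `Get-AdfsProperties` are part of the ADFS module shipped with Server 2012 R2; the helper function name and the provider-name comparison are this snippet's own assumptions.

```powershell
# Added example: inspect which primary authentication providers AD FS 3.0
# offers to intranet and extranet clients, and which browser user agents
# are treated as WIA-capable. Read-only; nothing is changed.
Import-Module ADFS

function Get-AdfsExtranetAuthSummary {
    $policy = Get-AdfsGlobalAuthenticationPolicy
    $props  = Get-AdfsProperties

    # Provider names are strings such as 'FormsAuthentication' or
    # 'WindowsAuthentication' (assumed values; verify on your farm).
    $intranet = @($policy.PrimaryIntranetAuthenticationProvider)
    $extranet = @($policy.PrimaryExtranetAuthenticationProvider)

    [pscustomobject]@{
        IntranetProviders      = $intranet -join ', '
        ExtranetProviders      = $extranet -join ', '
        ExtranetAllowsWindows  = ($extranet -contains 'WindowsAuthentication')
        # AD FS only attempts WIA for these user-agent substrings; a proxy
        # that rewrites or strips User-Agent will fall back to forms auth.
        WIASupportedUserAgents = ($props.WIASupportedUserAgents -join ', ')
        # Extranet lockout settings are relevant once external forms
        # authentication is exposed through any proxy.
        ExtranetLockoutEnabled = $props.ExtranetLockoutEnabled
    }
}

$summary = Get-AdfsExtranetAuthSummary
$summary | Format-List

if (-not $summary.ExtranetAllowsWindows) {
    Write-Warning ('Extranet policy offers only: {0}. External requests ' +
        'arriving through TMG will not be offered Windows Authentication.' `
        -f $summary.ExtranetProviders)
}
```

The output makes explicit what the post describes: if `ExtranetAllowsWindows` is `$false`, requests that AD FS classifies as extranet will be served forms-based sign-in regardless of how TMG is configured.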