ADFS 3.0 on Windows Server 2012 R2 – Behavior Change for Non-Internet Explorer Browsers

(Pratyusha Vemuri)

Active Directory Federation Services (ADFS) 3.0 is built into Windows Server 2012 R2. Out of the box it offers Integrated Windows Authentication (IWA, Kerberos or NTLM) only to browsers whose User-Agent header matches an entry in its WIASupportedUserAgents list, which by default covers Internet Explorer and a few Microsoft clients. Non-Internet Explorer browsers such as Google Chrome and Mozilla Firefox therefore fall through to forms-based authentication: domain-joined users are prompted for a username and password instead of signing in silently, which breaks single sign-on (SSO).

Following are the steps to change the authentication mechanism for those browsers from forms-based to IWA. Two of the changes loosen security controls (the Extended Protection token check and the user-agent allow list), so each step notes what is being relaxed.

  1. Log in to your primary ADFS server and open an elevated Windows PowerShell session.

  2. Execute the following command to relax the Extended Protection token check. Extended Protection for Authentication binds the Kerberos/NTLM exchange to the TLS channel so that a relayed or proxied credential exchange fails; a browser that does not send a channel binding token cannot complete IWA while the check is set to Require. None switches the check off entirely; Allow is the safer middle ground, because it still validates the token whenever a client sends one and only skips it for clients that do not.
    Set-AdfsProperties -ExtendedProtectionTokenCheck None

  3. Execute the following command to get the current list of user-agent strings for which ADFS offers IWA. ADFS matches each entry as a substring of the browser's User-Agent header.
    Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents

  4. Take all the values you received in step 3 and append Mozilla/5.0 as an allowed user-agent. Set-AdfsProperties replaces the whole list, so the existing entries must be repeated or IE and the Rights Management clients lose IWA. Be aware that Mozilla/5.0 is the prefix of practically every modern browser's User-Agent, including Safari and mobile browsers, so every client on the intranet will now receive a Negotiate/NTLM challenge; ADFS 3.0 does not fall back to the form when IWA fails, so a non-domain-joined or non-Windows client gets a raw browser credential prompt instead. A narrower string such as Mozilla/5.0 (Windows NT limits the change to Chrome, Firefox and Edge on Windows.
    Set-AdfsProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Mozilla/5.0")

  5. Restart the ADFS service (adfssrv) on each of the ADFS servers for the changes to take effect. The properties live in the shared configuration database, so they are set once on the primary and only the service restart is per node. You do not need to make any changes to the Web Application Proxy servers: WIA is an intranet-only authentication method in ADFS 3.0, so extranet users coming through the proxy continue to get forms-based authentication.

On the client side the browser must also be willing to send Windows credentials to the federation service: Chrome on Windows uses the Internet Options Local Intranet zone (or the AuthServerAllowlist policy), and Firefox needs the ADFS host name added to network.negotiate-auth.trusted-uris in about:config. Without that, the browser answers the Negotiate challenge with a credential prompt rather than a silent Kerberos ticket.
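The script below is an added example and is not from the original post. It applies steps 2 to 5 as one idempotent run (merging new user-agents into the existing list instead of retyping it, and choosing the Allow level for the token check) and then adds a check the post does not show: it sends a request to the passive sign-in endpoint with a chosen User-Agent and reports whether ADFS answered with an IWA challenge or with the sign-in form. The farm node names, the federation service FQDN and the relying party identifier are placeholders that you must replace.

```powershell
# Added example, not part of the original post.
# Assumed placeholders (replace for your environment): $FarmNodes, $FsFqdn, $RelyingPartyId.
param(
    [string[]]$FarmNodes      = @('adfs01', 'adfs02'),          # assumed farm node names
    [string]$FsFqdn           = 'fs.contoso.com',               # assumed federation service FQDN
    [string]$RelyingPartyId   = 'urn:example:rp',               # assumed identifier of an existing RP trust
    # 'Mozilla/5.0 (Windows NT' matches Chrome/Firefox/Edge on Windows only;
    # the post's 'Mozilla/5.0' would match every modern browser on every OS.
    [string[]]$NewAgents      = @('Mozilla/5.0 (Windows NT')
)

Import-Module ADFS

# Step 2: Allow still validates the channel binding token when a client sends one
# and only skips the check for clients that cannot; None (the post's choice) disables it.
Set-AdfsProperties -ExtendedProtectionTokenCheck Allow

# Steps 3-4: Set-AdfsProperties replaces the whole list, so read it, append only the
# entries that are missing, and write the merged list back.
$current = @((Get-AdfsProperties).WIASupportedUserAgents)
$toAdd   = @($NewAgents | Where-Object { $current -notcontains $_ })
if ($toAdd.Count -gt 0) {
    Set-AdfsProperties -WIASupportedUserAgents @($current + $toAdd)
}

# Step 5: the properties are in the shared configuration database; only the
# service restart has to happen on every node.
Invoke-Command -ComputerName $FarmNodes -ScriptBlock { Restart-Service adfssrv }

# Check: issue an unauthenticated GET to the WS-Federation passive endpoint with the
# given User-Agent. A matching agent gets HTTP 401 with WWW-Authenticate: Negotiate/NTLM
# (IWA); a non-matching one gets HTTP 200 with the HTML sign-in form.
function Test-AdfsAuthMode {
    param(
        [Parameter(Mandatory)][string]$UserAgent,
        [string]$Fqdn = $FsFqdn,
        [string]$Realm = $RelyingPartyId
    )
    $url = "https://$Fqdn/adfs/ls/?wa=wsignin1.0&wtrealm=$([uri]::EscapeDataString($Realm))"
    try {
        $r = Invoke-WebRequest -Uri $url -UserAgent $UserAgent -UseBasicParsing
        if ($r.StatusCode -eq 200) { return 'forms' }
        return "status $($r.StatusCode)"
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp -and [int]$resp.StatusCode -eq 401) {
            $challenge = $resp.Headers['WWW-Authenticate']
            if ($challenge -match 'Negotiate|NTLM') { return 'wia' }
            return "401 ($challenge)"
        }
        throw
    }
}

# A Windows Chrome agent should now report 'wia'; a macOS Safari agent still 'forms'
# because only the Windows-specific prefix was added.
Test-AdfsAuthMode -UserAgent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36'
Test-AdfsAuthMode -UserAgent 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15'
```

Run the script on the primary ADFS server; the restart step needs WinRM to the other nodes. The check never authenticates, it only inspects the first response, so it is safe to run from any intranet host that can reach the federation service, and it is a quick way to confirm the user-agent change took effect on a node after the restart without involving a real user session.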