Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2015-05-11) Configuring Windows Integrated AuthN For Internet Explorer Against ADFS v3.0 And Higher

Posted by Jorge on 2015-05-11


ADFS by default supports multiple authentication mechanisms: certificate authentication, forms based authentication (FBA) and Windows Integrated Authentication (WIA). For non-domain-joined clients or clients on the extranet, FBA is the best option. For domain-joined clients on the intranet, WIA is the best option, because in that scenario it delivers the best SSO experience for the user. To support WIA, the backend, the client and the ADFS server(s) must all be configured for it.

[1] To support WIA on the backend the following must be true:

  • The ADFS service account must be configured with a service principal name "HOST/<Federation Service FQDN>" (e.g. HOST/FS.COMPANY.COM)

[2] To support WIA on the client/browser the following must be true:

  • The browser must support JavaScript and have it enabled –> For IE this is enabled by default. However, if you have disabled it follow the next steps to re-enable it:
    • Start Internet Explorer
    • "Tools" menu/button
    • Click "Internet Options"
    • Click the "Security" tab
    • Click the "Local Intranet" or "Trusted Sites" zone (assuming Federation Service FQDN is listed in either one!)
    • Click "Custom Level"
    • In the "Security Settings" Window –> "Scripting" Section –> Select "Enable" for Active Scripting
    • Click "OK" 2x
  • The browser must support and enable the use of cookies for sites in the Local Intranet or Trusted Sites zone –> For IE this is enabled by default as all cookies are automatically accepted or replayed from Web sites in both the Local Intranet and the Trusted zones
  • WIA is enabled in the browser –> For IE this is enabled by default. However, if you have disabled it follow the next steps to re-enable it:
    • Start Internet Explorer
    • "Tools" menu/button
    • Click "Internet Options"
    • Click the "Advanced" tab
    • In the "Settings" Window –> "Security" Section –> Check "Enable Integrated Windows Authentication"
    • Click "OK"
  • The federation service FQDN must be trusted –> For IE this federation service FQDN is configured in either the "Local Intranet" zone or the "Trusted Sites" zone. To add the Federation Service FQDN manually to either zone follow the next steps:
    • Start Internet Explorer
    • "Tools" menu/button
    • Click "Internet Options"
    • Click the "Security" tab
    • Click the "Local Intranet" or "Trusted Sites" zone
      • "Local Intranet" –> Click "Sites" –> Click "Advanced" –> Add Federation Service FQDN to the list
      • "Trusted Sites" –> Click "Sites" –> Add Federation Service FQDN to the list
    • Click "OK"

[3] To support WIA against the ADFS STS server(s) the following must be true:

  • WIA must be enabled as an authentication method on the intranet –> In ADFS v3.0 this is part of the global authentication policy (Get-AdfsGlobalAuthenticationPolicy / Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider), where "WindowsAuthentication" must be one of the intranet providers
  • The user agent of the browser must be known to ADFS. ADFS v3.0 and higher support the following user agent strings by default (retrieved through "(Get-AdfsProperties).WIASupportedUserAgents"):
    • MSAuthHost/1.0/In-Domain <– ADFS v4.0 and higher
    • MSIE 6.0 <– ADFS v3.0 and higher
    • MSIE 7.0 <– ADFS v3.0 and higher
    • MSIE 8.0 <– ADFS v3.0 and higher
    • MSIE 9.0 <– ADFS v3.0 and higher
    • MSIE 10.0 <– ADFS v3.0 and higher
    • Trident/7.0 <– ADFS v3.0 and higher
    • MSIPC <– ADFS v3.0 and higher
    • Windows Rights Management Client <– ADFS v3.0 and higher
    • MS_WorkFoldersClient <– ADFS v4.0 and higher
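The three prerequisite lists above can be verified rather than eyeballed. The following is an added example, not code from the original post: read-only PowerShell checks for [1], [2] and [3]. Run the SPN and ADFS checks on an ADFS server and the client check on the domain-joined Windows client; the Federation Service FQDN "fs.company.com" and the IE 9 user agent string are assumptions constructed for the example.

```powershell
# Added example, not code from the original post: read-only checks for the
# three WIA prerequisites. Run Test-AdfsHostSpn and Test-AdfsWiaConfig on an
# ADFS server, Test-IeWiaClientConfig on the domain-joined client.
# 'fs.company.com' and the sample user agent below are assumptions.

# --- [1] backend: is HOST/<Federation Service FQDN> registered on some account?
function Test-AdfsHostSpn {
    param([Parameter(Mandatory)][string]$FsFqdn)
    # Plain LDAP search, so no ActiveDirectory module is required
    $searcher = [adsisearcher]"(servicePrincipalName=HOST/$FsFqdn)"
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { return $null }          # nobody owns the SPN: no Kerberos ticket for WIA
    return [string]$hit.Properties['samaccountname'][0]
}

# --- [2] client: zone, "Enable Integrated Windows Authentication" and Active Scripting
function Test-IeWiaClientConfig {
    param([Parameter(Mandatory)][string]$FsFqdn)
    $isBase = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $r = [ordered]@{}

    # Manually added sites land under ZoneMap\Domains\<domain>\<label>, value "https"/"http" = zone id
    $label  = $FsFqdn.Split('.')[0]
    $domain = $FsFqdn.Substring($label.Length + 1)
    $zone   = $null
    $userKey = "$isBase\ZoneMap\Domains\$domain\$label"
    if (Test-Path $userKey) { $zone = (Get-ItemProperty $userKey).https }

    # Sites pushed by the "Site to Zone Assignment List" GPO live under Policies\...\ZoneMapKey
    $gpoKey = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    if ($null -eq $zone -and (Test-Path $gpoKey)) {
        $props = Get-ItemProperty $gpoKey
        foreach ($name in @($FsFqdn, "https://$FsFqdn")) {
            if ($null -ne $props.PSObject.Properties[$name]) { $zone = [int]$props.$name; break }
        }
    }
    # 1 = Local Intranet, 2 = Trusted Sites; any other zone means IE will not answer Negotiate silently
    $r.ZoneId = $zone
    $r.ZoneOk = ($zone -eq 1 -or $zone -eq 2)

    # Advanced tab > "Enable Integrated Windows Authentication" is the EnableNegotiate value
    $r.WiaEnabled = ((Get-ItemProperty $isBase).EnableNegotiate -eq 1)

    # Active Scripting is zone setting 1400: 0 = Enable, 1 = Prompt, 3 = Disable
    $r.ActiveScripting = 'unknown'
    if ($r.ZoneOk) {
        $v = (Get-ItemProperty "$isBase\Zones\$zone" -ErrorAction SilentlyContinue).'1400'
        if ($null -ne $v) { $r.ActiveScripting = ($v -eq 0) }
    }
    return [pscustomobject]$r
}

# --- [3] ADFS: WIA enabled for the intranet, and does this user agent match the list?
function Test-AdfsWiaConfig {
    param([Parameter(Mandatory)][string]$UserAgent)
    Import-Module ADFS
    $policy = Get-AdfsGlobalAuthenticationPolicy
    $agents = @((Get-AdfsProperties).WIASupportedUserAgents)
    # ADFS compares each configured entry as a substring of the User-Agent header
    $match = $agents | Where-Object { $UserAgent.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 } |
             Select-Object -First 1
    return [pscustomobject]@{
        WiaOnIntranet    = ($policy.PrimaryIntranetAuthenticationProvider -contains 'WindowsAuthentication')
        MatchedUserAgent = $match      # $null => no WIA; ADFS uses another intranet method (e.g. FBA) if enabled
    }
}

# Usage (assumed FQDN; constructed IE 9 user agent string)
$fsFqdn = 'fs.company.com'
$ie9Ua  = 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)'
Test-AdfsHostSpn       -FsFqdn $fsFqdn
Test-IeWiaClientConfig -FsFqdn $fsFqdn
Test-AdfsWiaConfig     -UserAgent $ie9Ua
```

If Test-AdfsHostSpn returns nothing, the SPN is missing entirely; if it returns an account other than the ADFS service account, the SPN is registered on the wrong principal, which breaks Kerberos just as badly. The client check reads the registry rather than the IE dialogs, so it can be run remotely or from a logon script across many workstations.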

So how do you know the state of your browser? Check it out yourself and just navigate to the website What’s My User Agent?

In my case the browser I was using, Internet Explorer v9.0, provided the shown user agent string, and the yellow-marked part matched what was already configured in ADFS.


Figure 1: The User Agent String And Status Of Internet Explorer 9.0

The following is an analysis of the provided user agent string


Figure 2: Analysis Of The Provided User Agent String

So, for Internet Explorer up to and including IE 11 (whose user agent no longer contains "MSIE" but does contain "Trident/7.0", which is why that token is in the default list) you only need to meet the prerequisites mentioned in [1] and [2]. For future versions of Internet Explorer you may also need to do [3] and update the user agent strings in ADFS that must support seamless SSO through WIA.

To configure a new supported user agent string in ADFS without losing the existing ones (Set-ADFSProperties replaces the whole list, so the current list is read first and the new string appended), use the following PowerShell commands on the (primary) ADFS server:

Import-Module ADFS

Set-ADFSProperties -WIASupportedUserAgents $((Get-ADFSProperties).WIASupportedUserAgents + "<Required User Agent String>")
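The one-liner above works, but it will happily add a duplicate, and it will happily add a token such as "Mozilla" that matches every browser on the intranet, which makes ADFS send a Negotiate challenge to clients that cannot answer it and turns seamless SSO into credential prompts. The following is an added example, not code from the original post: the same read-modify-write change wrapped in a function that refuses those two mistakes, plus the reverse operation. The user agent string "MSIE 12.0" used at the bottom is a hypothetical token for a future IE build and is an assumption.

```powershell
# Added example, not from the original post: idempotent add/remove of a
# WIASupportedUserAgents entry on the (primary) ADFS server. The token in the
# usage line is a hypothetical future IE version, not a real browser string.
Import-Module ADFS

function Add-AdfsWiaUserAgent {
    param([Parameter(Mandatory)][string]$UserAgent)
    $current = @((Get-AdfsProperties).WIASupportedUserAgents)

    # Tokens present in almost every browser's User-Agent header are not a browser fingerprint;
    # ADFS matches entries as substrings, so these would enable WIA for every intranet client
    $tooBroad = @('Mozilla', 'Mozilla/5.0', 'compatible', 'Windows', 'Windows NT', 'Gecko', 'like Gecko')
    if ($tooBroad -contains $UserAgent.Trim()) {
        throw "'$UserAgent' would match nearly every client; pick a token specific to the browser build"
    }
    if ($current -contains $UserAgent) {
        Write-Verbose "'$UserAgent' is already configured"
        return $current
    }
    # Set-AdfsProperties replaces the whole list, hence read-modify-write
    Set-AdfsProperties -WIASupportedUserAgents ($current + $UserAgent)
    return @((Get-AdfsProperties).WIASupportedUserAgents)
}

function Remove-AdfsWiaUserAgent {
    param([Parameter(Mandatory)][string]$UserAgent)
    $remaining = @((Get-AdfsProperties).WIASupportedUserAgents | Where-Object { $_ -ne $UserAgent })
    Set-AdfsProperties -WIASupportedUserAgents $remaining
    return $remaining
}

# Usage: hypothetical token for a newer IE build (assumption); run on the primary ADFS server
Add-AdfsWiaUserAgent -UserAgent 'MSIE 12.0' -Verbose
```

After the change, have a user on a domain-joined client hit the federation service and confirm there is no credential prompt; if one appears for a browser that matched the new token, the token is too broad for that client population and should be removed again with Remove-AdfsWiaUserAgent.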

That’s it! You should now be able to use Internet Explorer and experience seamless SSO!

For other user agent strings also see:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

