Unifying the logon experience with ADFS

After rolling out ADFS, you may have noticed that, while on your internal network, the login experience in IE is different from the one in Chrome.

This comes down to two things: Windows Integrated Authentication, and the user agent strings that ADFS recognizes.

In IE, the default behavior is to log you in automatically with the current user's credentials. This is why, when you connect to an intranet SharePoint site, you are logged in without being prompted for a username or password. This feature is called "Windows Integrated Authentication".

You can verify it is enabled by going to Control Panel > Internet Options > Advanced tab and scrolling down to the Security section, where Integrated Windows Authentication should be turned on. This should work with any internal application. If it doesn't, you may need to add the site to your "Intranet Zone", for example "adfs.externaldomain.com" or "sso.externaldomain.com", or whatever your ADFS FQDN is.

With that in place, your users should now be seamlessly logged into their applications while using IE. But you may notice that Chrome is still sending users to the forms-based login. This second part is due to the user agent strings that ADFS recognizes for Windows Integrated Authentication.

By default, only IE agent strings are in the list. To find out which agent strings your system recognizes, open a PowerShell prompt on your ADFS server and run this command:

Get-AdfsProperties | Select -ExpandProperty WIASupportedUserAgents

In this example I am adding “Chrome” as that is what we use in our environment. To do this, run the following command:

Set-AdfsProperties -WIASupportedUserAgents ((Get-AdfsProperties | Select -ExpandProperty WIASupportedUserAgents) + "Chrome")

And that is it! No need to restart any services or reboot servers. It should take effect immediately and now the seamless login process is the same for Chrome and IE.
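The one-liner above overwrites the list every time it is run, so running it twice leaves "Chrome" in the list twice, and a typo would silently replace the existing IE entries. The script below is an added example (not the post's own command) that makes the change idempotent and verifies it afterwards. It also includes a small helper that approximates how ADFS picks a browser for WIA by checking whether any configured entry appears as a substring of the browser's User-Agent header; the sample User-Agent values are constructed for illustration, and the helper is a local approximation, not an ADFS API. The $AgentToAdd value is an assumption you would change for your own environment.

```powershell
# Added example: idempotently add a user agent string to the ADFS WIA list.
# Run in an elevated PowerShell session on the ADFS server.

$AgentToAdd = "Chrome"   # assumption: the substring you want ADFS to match on

# Read the current list once; it is an array of strings.
$current = @((Get-AdfsProperties).WIASupportedUserAgents)

if ($current -contains $AgentToAdd) {
    Write-Host "'$AgentToAdd' is already in WIASupportedUserAgents; nothing to change."
}
else {
    # Append to the existing entries rather than replacing them, so the
    # default IE/Trident entries keep working.
    $updated = $current + $AgentToAdd
    Set-AdfsProperties -WIASupportedUserAgents $updated
    Write-Host "Added '$AgentToAdd' to WIASupportedUserAgents."
}

# Verify by re-reading the property instead of trusting the local variable.
$after = @((Get-AdfsProperties).WIASupportedUserAgents)
if (-not ($after -contains $AgentToAdd)) {
    throw "Verification failed: '$AgentToAdd' is not in WIASupportedUserAgents."
}
Write-Host "Current WIA user agents:"
$after | ForEach-Object { "  $_" }

# Local approximation of the ADFS decision: a browser gets WIA when any
# configured entry is a substring of its User-Agent header. This is a
# hypothetical helper for reasoning about the list, not an ADFS cmdlet.
function Test-WiaAgentMatch {
    param(
        [Parameter(Mandatory)] [string]   $UserAgent,
        [Parameter(Mandatory)] [string[]] $ConfiguredAgents
    )
    foreach ($entry in $ConfiguredAgents) {
        if ($UserAgent.Contains($entry)) { return $true }
    }
    return $false
}

# Constructed sample User-Agent headers (not captured from real traffic).
$samples = @{
    "Chrome on Windows"  = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.0.0 Safari/537.36"
    "IE 11 on Windows"   = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
    "Firefox on Windows" = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0"
}

foreach ($name in $samples.Keys) {
    $result = if (Test-WiaAgentMatch -UserAgent $samples[$name] -ConfiguredAgents $after) { "WIA" } else { "forms login" }
    Write-Host ("{0,-20} -> {1}" -f $name, $result)
}
```

Because matching is by substring, keep entries as specific as the browser you actually mean: "Chrome" matches Chrome without matching Firefox, whereas an entry such as "Mozilla/5.0" would match every modern browser, including ones that do not support Windows Integrated Authentication and would then be stuck at an authentication prompt instead of falling back to the forms-based login.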
