Windowsserverdocs: Didn't work for 2012 R2 ADFS

Created on 28 Sep 2018 · 4 Comments · Source: MicrosoftDocs/windowsserverdocs

Hi,
I tried the instructions above, but they didn't work. Using "Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + “Chrome”)" to add Chrome to my existing list didn't provide SSO for Chrome. This resulted in the WIASupportedUserAgents being:

MSAuthHost/1.0/In-Domain
MSIE 6.0
MSIE 7.0
MSIE 8.0
MSIE 9.0
MSIE 10.0
Trident/7.0
MSIPC
Windows Rights Management Client
Mozilla/5.0
Edge/12
Chrome

I then restarted ADFS services and tested, but no luck. The browser user agent string from Chrome reports as below from whoishostingthis. Does the entire string below need adding? If so, does it need updating for new Chrome versions?

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36

All 4 comments

Any update on this issue? We're running into the same problem.

Hi, Mozilla/5.0 should cover all of Chrome, as far as I know. Did you remember to update your Authentication Policies in AD FS Management and update the end user's Security settings (as follows)? In addition, once updating WIASupportedUserAgents, you need to open Services to restart the Active Directory Federation Services service on each of the ADFS farm servers for the changes to take effect. You do not need to make any changes to the proxy servers.

Update Authentication Policies:
Open ADFS Management.
Click Authentication Policies.
Click Edit Global Primary Authentication.
In Primary Authentication, Global Settings, Authentication Methods, click Edit.
In the intranet section, select Windows Authentication. Optionally select Forms Authentication. Forms Authentication allows users who cannot use IWA, such as Linux and Mac users, to authenticate with SAML.

In end user’s browser…

  1. Internet Options>Security
  2. Select Local intranet and click “Sites”
  3. Click “Advanced”
  4. Enter full https URL of AD FS service and click Add
    These configurations can be pushed to all end users via Group Policy

Our issue was that, when using Mozilla/5.0 as a user agent, it would also pick up iOS devices on the corporate wifi using Safari or Chrome and try to pass in windows credentials. On websites, this would cause a browser dialog to open (instead of the forms page) and on native apps using ADFS sign in it wouldn't work at all. In order to get around this, we needed to add "Windows\sNT.Chrome" to the user agent list so that it only picked up Chrome on windows and not Safari/Chrome on iOS devices.

(Ref. #4342)
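As an added check (not from this thread or from Microsoft), the following PowerShell assumes that AD FS tests each WIASupportedUserAgents entry as a .NET regular expression against the browser's User-Agent header, which is what the "Windows\sNT.Chrome" entry above relies on. It runs a candidate list against constructed User-Agent samples offline, so an entry that also matches non-Windows browsers can be spotted before the farm's services are restarted; the iOS strings are constructed and `Windows\sNT.*Chrome` is an assumed variant included for comparison.

```powershell
# Added example: not from this thread or from Microsoft. Assumption: AD FS tests each
# WIASupportedUserAgents entry as a .NET regular expression against the User-Agent
# header, which is what the thread's "Windows\sNT.Chrome" entry relies on. PowerShell's
# -cmatch uses the same .NET engine (case-sensitive matching is also an assumption here).

function Get-MatchingWiaAgents {
    param(
        [Parameter(Mandatory)] [string[]] $SupportedAgents,
        [Parameter(Mandatory)] [string]   $UserAgent
    )
    # Return every list entry whose pattern is found somewhere in the User-Agent string.
    $SupportedAgents | Where-Object { $UserAgent -cmatch $_ }
}

# Candidate list: the thread's entries plus two Windows-only Chrome patterns. The first is
# the thread's pattern as written; 'Windows\sNT.*Chrome' is an assumed variant added for
# comparison, because in a regex '.' matches exactly one character and '.*' any run.
$agents = @(
    'MSAuthHost/1.0/In-Domain', 'MSIE 6.0', 'MSIE 7.0', 'MSIE 8.0', 'MSIE 9.0', 'MSIE 10.0',
    'Trident/7.0', 'MSIPC', 'Windows Rights Management Client', 'Mozilla/5.0', 'Edge/12',
    'Chrome', 'Windows\sNT.Chrome', 'Windows\sNT.*Chrome'
)

# Constructed sample User-Agent strings; the first is the one quoted in the issue.
$samples = [ordered]@{
    'Chrome on Windows 10' = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36'
    'Safari on iPhone'     = 'Mozilla/5.0 (iPhone; CPU iPhone OS 11_2 like Mac OS X) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0 Mobile/15C114 Safari/604.1'
    'Chrome on iPhone'     = 'Mozilla/5.0 (iPhone; CPU iPhone OS 11_2 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) CriOS/63.0.3239.73 Mobile/15C114 Safari/604.1'
}

# Which entries each sample would hit (any hit means AD FS offers WIA to that browser).
foreach ($s in $samples.GetEnumerator()) {
    $hits = @(Get-MatchingWiaAgents -SupportedAgents $agents -UserAgent $s.Value)
    $text = if ($hits.Count -gt 0) { $hits -join ', ' } else { '(no match: forms sign-in)' }
    '{0,-20} -> {1}' -f $s.Key, $text
}

# Entries that match a non-Windows browser cause the Windows credential prompt on
# iOS that the thread describes, so they are flagged as over-broad.
$nonWindows = @($samples.GetEnumerator() | Where-Object { $_.Value -cnotmatch 'Windows NT' })
$overBroad  = @($agents | Where-Object {
    $pattern = $_
    @($nonWindows | Where-Object { $_.Value -cmatch $pattern }).Count -gt 0
})
'Over-broad entries: ' + ($overBroad -join ', ')
```

A textual match is only one prerequisite: the authentication policy and the intranet-zone settings from the reply above still have to be in place for SSO to occur.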
