
Make ADFS Work with Windows 10 and Edge

During a Windows 10 pilot, a customer told me that on Windows 10 systems ADFS didn't work as expected when they used Edge.

Intranet users with Edge got the regular SSO page, just like an external user.

With a few tweaks I could solve that, and now Single Sign-On via ADFS works like it does in Internet Explorer:

<#
  Tweaked version that prevents the auth pop-up on non-Windows devices a bit better.
  These devices should get the regular forms-based login (HTML page) instead.

  I was asked: Nope, 'Mozilla/5.0 (Windows NT' is correct, not an error ;-)
#>

# Execute this on your ADFS server
# If you have more than one, use your primary ADFS server, this is essential!
# This disables the Extended Protection (channel binding token) check; browsers
# that do not send a channel binding token otherwise fail Windows Integrated Authentication.
Set-ADFSProperties -ExtendedProtectionTokenCheck None

# Check the WIA (NTLM/Kerberos) enabled user agents
Get-ADFSProperties | Select-Object -ExpandProperty WIASupportedUserAgents

# Should be:
# MSAuthHost/1.0/In-Domain
# MSIE 6.0
# MSIE 7.0
# MSIE 8.0
# MSIE 9.0
# MSIE 10.0
# Trident/7.0
# MSIPC
# Windows Rights Management Client

# Now we set the list again with 'Windows NT 10.0; WOW64; Trident/7.0', 'Edge/1', 'Mozilla/5.0 (Windows NT' appended
# (the cmdlet replaces the whole list, so the existing entries must be included)
Set-ADFSProperties -WIASupportedUserAgents @('MSIE 6.0', 'MSIE 7.0', 'MSIE 8.0', 'MSIE 9.0', 'MSIE 10.0', 'Trident/7.0', 'MSIPC', 'Windows Rights Management Client', 'Windows NT 10.0; WOW64; Trident/7.0', 'Edge/1', 'Mozilla/5.0 (Windows NT')

# Optional: Handle the fallback for non-Windows devices a bit better
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication', 'FormsAuthentication') -WindowsIntegratedFallbackEnabled $true

# Restart the ADFS service
# If you have more than one ADFS server, you need to execute that against all of them!
Restart-Service -Name adfssrv

# Check that the ADFS Service is running
Get-Service -Name adfssrv

# Check the WIA (NTLM/Kerberos) enabled user agents again
Get-ADFSProperties | Select-Object -ExpandProperty WIASupportedUserAgents

# Now it should be:
# MSIE 6.0
# MSIE 7.0
# MSIE 8.0
# MSIE 9.0
# MSIE 10.0
# Trident/7.0
# MSIPC
# Windows Rights Management Client
# Windows NT 10.0; WOW64; Trident/7.0
# Edge/1
# Mozilla/5.0 (Windows NT

# More Info: https://technet.microsoft.com/en-us/library/ee892317.aspx

The code should be documented enough inline, so the gist is the documentation 😉

Update: After a bit more testing, I found that the old '-WIASupportedUserAgents' list wasn't the best guess. I fixed that and mobile devices now get the forms-based login instead of the auth pop-up.

Here is the Change:

Set-ADFSProperties -WIASupportedUserAgents @('MSIE 6.0', 'MSIE 7.0', 'MSIE 8.0', 'MSIE 9.0', 'MSIE 10.0', 'Trident/7.0', 'MSIPC', 'Windows Rights Management Client', 'Windows NT 10.0; WOW64; Trident/7.0', 'Edge/1', 'Mozilla/5.0 (Windows NT')

And you might also want to consider this:

Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider @( 'WindowsAuthentication', 'FormsAuthentication' ) -WindowsIntegratedFallbackEnabled $true

Tested with ADFS on Windows Server 2012R2 and on Server 2016.
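ADFS decides whether to offer Windows Integrated Authentication by looking for each WIASupportedUserAgents entry as a substring of the browser's User-Agent header, so a broad entry such as 'Mozilla/5.0 (Windows NT' deserves a dry run before it goes live. The following PowerShell is an added example, not part of the original post or of ADFS itself: it reproduces that substring rule offline against the list from the post and a few constructed User-Agent strings. The function name Test-WiaUserAgent, the sample strings and the case-insensitive comparison are assumptions of this example.

```powershell
# Added example (not from the original post): offline check of which browsers
# would be offered Windows Integrated Authentication (WIA) by a given
# WIASupportedUserAgents list. ADFS treats each entry as a substring to look
# for in the browser's User-Agent header; this function reproduces that rule.
# Assumption: the comparison is case-insensitive (verify on your own farm).
function Test-WiaUserAgent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $UserAgent,
        [Parameter(Mandatory)] [string[]] $SupportedUserAgents
    )
    # Every configured entry that occurs somewhere inside the User-Agent string
    $matched = $SupportedUserAgents | Where-Object {
        $UserAgent.IndexOf($_, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
    }
    [pscustomobject]@{
        UserAgent      = $UserAgent
        OfferedWIA     = [bool]$matched          # $true -> WIA/SSO, $false -> forms login
        MatchedEntries = @($matched) -join '; '
    }
}

# The list that the final Set-ADFSProperties call in the post configures
$wiaList = @('MSIE 6.0', 'MSIE 7.0', 'MSIE 8.0', 'MSIE 9.0', 'MSIE 10.0',
             'Trident/7.0', 'MSIPC', 'Windows Rights Management Client',
             'Windows NT 10.0; WOW64; Trident/7.0', 'Edge/1', 'Mozilla/5.0 (Windows NT')

# Constructed sample User-Agent strings (typical formats, not captured from real clients)
$samples = @(
    # Edge (EdgeHTML) on Windows 10
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240'
    # Internet Explorer 11 on Windows 10
    'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko'
    # Chrome on Windows 10
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36'
    # Firefox on Windows 10
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0'
    # Safari on iPhone
    'Mozilla/5.0 (iPhone; CPU iPhone OS 10_3 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1'
    # Safari on macOS
    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.1.1 Safari/603.2.4'
)

$samples |
    ForEach-Object { Test-WiaUserAgent -UserAgent $_ -SupportedUserAgents $wiaList } |
    Format-Table -Property OfferedWIA, MatchedEntries, UserAgent -AutoSize -Wrap
```

Two things the table makes visible: 'Edge/1' matches Edge/12 and later only because it is a substring match, and 'Mozilla/5.0 (Windows NT' matches every browser on Windows, so Chrome and Firefox users on the intranet will be challenged for Windows authentication as well, while the iPhone and macOS strings fall through to the forms-based login, which is what the update above describes for mobile devices. To check a real client against the live configuration instead of the constructed list, pass `(Get-AdfsProperties).WIASupportedUserAgents` as -SupportedUserAgents and the User-Agent value taken from the browser's developer tools.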