Intranet users with Edge get the regular forms-based sign-in page, just like an external user.
With a few tweaks I could solve that, and now single sign-on via ADFS works like on Internet Explorer:
<#
Tweaked version that prevents the auth pop-up on non-Windows devices a bit better.
These devices should get the regular forms-based login (HTML page) instead.
I was asked: Nope, 'Mozilla/5.0 (Windows NT' is correct, not an error ;-)
#>
# Execute this on your ADFS server
# If you have more than one, use your primary ADFS server, this is essential!
# Caveat: this disables Extended Protection for Authentication (channel binding) on the WIA endpoint.
# It is commonly needed because some browsers other than Internet Explorer do not send the channel
# binding token, but 'None' also removes a defence against relaying of the Windows credentials.
# Valid values are None, Allow and Require; 'Allow' only checks the token when the client sends one,
# so test whether that is enough for your browsers before settling on 'None'.
Set-ADFSProperties -ExtendedProtectionTokenCheck None
# The default list (before the change) should be:
# MSAuthHost/1.0/In-Domain
# MSIE 6.0
# MSIE 7.0
# MSIE 8.0
# MSIE 9.0
# MSIE 10.0
# Trident/7.0
# MSIPC
# Windows Rights Management Client
# Check which User Agents currently get Windows Integrated Authentication (WIA)
Get-ADFSProperties | Select-Object -ExpandProperty WIASupportedUserAgents
# Now we set the list to include the User Agents 'Windows NT 10.0; WOW64; Trident/7.0', 'Edge/1' and 'Mozilla/5.0 (Windows NT'.
# Note: Set-ADFSProperties replaces the whole list, it does not append. The list below does not carry
# over the default 'MSAuthHost/1.0/In-Domain' entry; add it back if your clients rely on it.
# 'Mozilla/5.0 (Windows NT' also matches Chrome and Firefox on Windows. Chrome hands over the Windows
# credentials for hosts it treats as intranet; Firefox shows a credential prompt unless the ADFS host is
# listed in network.negotiate-auth.trusted-uris / network.automatic-ntlm-auth.trusted-uris.
Set-ADFSProperties -WIASupportedUserAgents @('MSIE 6.0', 'MSIE 7.0', 'MSIE 8.0', 'MSIE 9.0', 'MSIE 10.0', 'Trident/7.0', 'MSIPC', 'Windows Rights Management Client', 'Windows NT 10.0; WOW64; Trident/7.0', 'Edge/1', 'Mozilla/5.0 (Windows NT')
# Optional: handle the fallback for non-Windows devices a bit better.
# With WindowsIntegratedFallbackEnabled, intranet clients whose User Agent is not on the WIA list
# are sent to forms-based authentication instead of getting a credential prompt.
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication', 'FormsAuthentication') -WindowsIntegratedFallbackEnabled $true
# Restart the ADFS service
# If you have more than one ADFS server, you need to do this on all of them!
Restart-Service -Name adfssrv
# Check that the ADFS Service is running
Get-Service -Name adfssrv
# Check again which User Agents get Windows Integrated Authentication (WIA)
Get-ADFSProperties | Select-Object -ExpandProperty WIASupportedUserAgents
# Now it should be:
# MSIE 6.0
# MSIE 7.0
# MSIE 8.0
# MSIE 9.0
# MSIE 10.0
# Trident/7.0
# MSIPC
# Windows Rights Management Client
# Windows NT 10.0; WOW64; Trident/7.0
# Edge/1
# Mozilla/5.0 (Windows NT
# More Info: https://technet.microsoft.com/en-us/library/ee892317.aspx
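The two Set commands above change which clients are offered WIA, so it helps to see the effect before and after rolling them out. The following PowerShell is an added example and not part of the gist: it first simulates the list match offline against a few constructed User-Agent strings (assuming that ADFS offers WIA when any WIASupportedUserAgents entry occurs as a case-sensitive substring of the User-Agent header), then provides a live probe that sends each User-Agent to the ADFS sign-in endpoint and reports whether it answers with a 401 plus WWW-Authenticate challenge (WIA) or a 200 with the HTML form. The host name adfs.example.com, the sign-in URL and the Windows PowerShell 5.1 error handling are assumptions; the User-Agent strings are constructed samples, not captured from real clients.

```powershell
# Added example, not part of the original gist.
# Assumption: ADFS offers WIA when any WIASupportedUserAgents entry occurs as a
# case-sensitive substring of the client's User-Agent header. Written for Windows PowerShell 5.1.

# The list from the gist (after the change)
$WiaList = @(
    'MSIE 6.0', 'MSIE 7.0', 'MSIE 8.0', 'MSIE 9.0', 'MSIE 10.0',
    'Trident/7.0', 'MSIPC', 'Windows Rights Management Client',
    'Windows NT 10.0; WOW64; Trident/7.0', 'Edge/1', 'Mozilla/5.0 (Windows NT'
)

# Offline simulation: which list entry (if any) a given User-Agent would hit
function Test-WiaUserAgent {
    param(
        [Parameter(Mandatory)][string]$UserAgent,
        [string]$Label = '',
        [string[]]$SupportedUserAgents = $WiaList
    )
    # String.Contains is an ordinal, case-sensitive substring test
    $hit = $SupportedUserAgents | Where-Object { $UserAgent.Contains($_) } | Select-Object -First 1
    $expect = if ($hit) { 'WIA (401 + WWW-Authenticate)' } else { 'Forms (HTML login page)' }
    [pscustomobject]@{ Client = $Label; MatchedEntry = $hit; Expect = $expect }
}

# Constructed sample User-Agent strings (representative, not captured from real clients)
$Samples = [ordered]@{
    'IE11 / Windows 10'    = 'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko'
    'Edge 12 / Windows 10' = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240'
    'Chrome / Windows 10'  = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36'
    'Firefox / Windows 10' = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0'
    'Safari / iOS'         = 'Mozilla/5.0 (iPhone; CPU iPhone OS 10_3 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E277 Safari/602.1'
    'Chrome / Android'     = 'Mozilla/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.83 Mobile Safari/537.36'
}
$Samples.GetEnumerator() | ForEach-Object { Test-WiaUserAgent -Label $_.Key -UserAgent $_.Value } | Format-Table -AutoSize

# Live probe against the real endpoint. The host name is hypothetical; run this from an intranet
# client so the request reaches the internal ADFS endpoint and not the Web Application Proxy.
# The IdP-initiated sign-on page must be enabled (EnableIdpInitiatedSignonPage on ADFS 2016).
function Get-AdfsAuthOffer {
    param(
        [Parameter(Mandatory)][string]$UserAgent,
        [string]$Label = '',
        [string]$AdfsHost = 'adfs.example.com'
    )
    $uri = "https://$AdfsHost/adfs/ls/IdpInitiatedSignOn.aspx"
    try {
        # A 200 with the HTML form means forms-based authentication was offered
        $r = Invoke-WebRequest -Uri $uri -UserAgent $UserAgent -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
        [pscustomobject]@{ Client = $Label; Status = [int]$r.StatusCode; Offer = 'Forms' }
    } catch [System.Net.WebException] {
        # Windows PowerShell throws on 401; the challenge is still in the response headers
        $resp = $_.Exception.Response
        if ($null -eq $resp) { throw }
        $challenge = $resp.Headers['WWW-Authenticate']
        $offer = if ($challenge) { "WIA ($challenge)" } else { 'Other' }
        [pscustomobject]@{ Client = $Label; Status = [int]$resp.StatusCode; Offer = $offer }
    }
}
# Uncomment to run against your farm:
# $Samples.GetEnumerator() | ForEach-Object { Get-AdfsAuthOffer -Label $_.Key -UserAgent $_.Value -AdfsHost 'adfs.example.com' } | Format-Table -AutoSize
```

The sample set is chosen so that the simulation shows the consequence of the last list entry: every Windows browser string contains 'Mozilla/5.0 (Windows NT', while the iOS and Android strings contain none of the entries and therefore fall through to the forms page. Run the live probe once before and once after the Set-ADFSProperties change, and again after adjusting ExtendedProtectionTokenCheck, to confirm the farm answers the way the simulation predicts.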
The code should be documented well enough inline, so the gist is the documentation 😉
Update: After a bit more testing, I found that the old '-WIASupportedUserAgents' wasn't the best guess. I fixed that and mobile devices now get the forms-based login instead of the auth pop-up.
Here is the Change:
Set-ADFSProperties -WIASupportedUserAgents @('MSIE 6.0', 'MSIE 7.0', 'MSIE 8.0', 'MSIE 9.0', 'MSIE 10.0', 'Trident/7.0', 'MSIPC', 'Windows Rights Management Client', 'Windows NT 10.0; WOW64; Trident/7.0', 'Edge/1', 'Mozilla/5.0 (Windows NT')
And you might also want to consider this:
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider @( 'WindowsAuthentication', 'FormsAuthentication' ) -WindowsIntegratedFallbackEnabled $true
Tested with ADFS on Windows Server 2012R2 and on Server 2016.