ADFS basic authentication

testuser7 271 Reputation points
2021-10-06T13:32:14.753+00:00

Hello,

When my web application is sending the browser to ADFS for authentication, ADFS is challenging the user with "BASIC Authentication".
As a result, the browser is asking the user to provide a username and password.

My problem is, if I am using Firefox I get the standard HTML basic-auth popup as attached in the screenshot.
However, if I am using Edge then I am seeing the native "Windows Security" popup as attached in the screenshot.
My understanding is that this is the default interpretation of the Edge browser to resolve basic authentication.
I do not want Edge to behave this way.

Is it possible to configure Edge to take the standard HTML popup route?

138186-image.png

138214-image.png

Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.

12 answers

Sort by: Newest
  1. testuser7 271 Reputation points
    2021-10-25T12:44:39.203+00:00

    Hi @Pierre Audonnet - MSFT

    As you stayed with me for a long time to help me clarify this topic, I think it is my duty now to update that I found the solution.
    It was actually simple.

    There is a registry setting in Edge.

    Under HKLM\SOFTWARE\Policies\Microsoft\Edge, please create one DWORD with WindowsHelloForHTTPAuthEnabled = 0

    That's it. This will completely turn off the "Windows Security prompt" and you will get the pure HTML prompt to put credentials.

    Thanks.

    0 comments No comments
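
The registry change described in the answer above, as an added PowerShell example that is not part of the original post. It reads the current state of the policy value before writing it, so the change can be audited and reverted; the function names are hypothetical, and the script assumes an elevated session because the key is under HKLM.

```powershell
# Added example (not from the thread). Key path and value name are the ones
# given in the answer; function names are hypothetical helpers.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$PolicyName = 'WindowsHelloForHTTPAuthEnabled'

function Get-EdgeHttpAuthPolicy {
    # Returns an object describing the current state; Configured is $false
    # when the key or the value does not exist.
    $prop = Get-ItemProperty -Path $PolicyPath -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        return [pscustomobject]@{ Configured = $false; Value = $null; Kind = $null }
    }
    # The registry type matters: the answer asks for a DWORD.
    $kind = (Get-Item -Path $PolicyPath).GetValueKind($PolicyName)
    [pscustomobject]@{ Configured = $true; Value = $prop.$PolicyName; Kind = $kind }
}

function Set-EdgeHttpAuthPolicy {
    param([ValidateSet(0, 1)][int]$Value = 0)
    # Create the policy key if no Edge policy has been set on this machine yet.
    if (-not (Test-Path -Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    # -Force overwrites an existing value, including one of the wrong type.
    New-ItemProperty -Path $PolicyPath -Name $PolicyName `
        -PropertyType DWord -Value $Value -Force | Out-Null
}

# Record the previous state so the change can be reverted later.
$before = Get-EdgeHttpAuthPolicy
Write-Output ("Before: configured={0} value={1} kind={2}" -f `
    $before.Configured, $before.Value, $before.Kind)

Set-EdgeHttpAuthPolicy -Value 0

$after = Get-EdgeHttpAuthPolicy
if (-not ($after.Configured -and $after.Value -eq 0 -and $after.Kind -eq 'DWord')) {
    throw "Policy $PolicyName was not written as DWORD 0 under $PolicyPath"
}
Write-Output ("After:  configured={0} value={1} kind={2}" -f `
    $after.Configured, $after.Value, $after.Kind)
```

After running it, open edge://policy in Edge to confirm that the browser lists the value as applied.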

  2. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2021-10-13T01:27:37.337+00:00

    Both of these pop-ups are "Windows Security Challenges" like you call them. Your browser is behaving as expected. It translates the WWW-Authenticate: Negotiate header into a pop-up. It does not mean your credentials will be sent in clear text; you will end up doing Kerberos or NTLM authentication (no basic, as there is no handler for that).

    I don't understand your position. What are you trying to do? What is the expected result? What is a big issue and why?

    1. Do you want SSO to work? Meaning do you want to be seamlessly connected without having to type anything? If so, back to my first comment: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-iwa
    2. Do you want Form Based Authentication (being prompted for username and password in HTML - this is NOT called a pop-up)? If so for all browsers? For all apps?

  3. testuser7 271 Reputation points
    2021-10-12T18:55:51.167+00:00

    @Pierre Audonnet - MSFT

    What do you think? Is it interesting or am I just building castles in the air?

    This "windows security challenge" is a big issue for us.


  4. testuser7 271 Reputation points
    2021-10-11T16:25:05.85+00:00

    Hi @Pierre Audonnet - MSFT

    I think now I have a better way to explain. So far we were talking about more or less the same thing but in a different format.
    Please focus on these 2 screens. One is from Chrome and the other is from Edge.
    If you notice, both have /adfs/ls/wia in the URL,
    meaning both user-agents are configured in ADFS to do WIA.
    There is no fallback required.

    As expected, the WIA is failing at the browser end and hence both browsers are showing the popup to collect credentials.
    The popup for Chrome is NOT a "Windows Security challenge".
    Can we have the same for Edge?

    Also, I have NOT done any configuration on any browser settings (local intranet site etc.).

    139581-image.png
    139528-image.png

    Thanks for being with me so far !!!
    Thanks.


  5. testuser7 271 Reputation points
    2021-10-11T12:45:46.62+00:00

    Thanks @Pierre Audonnet - MSFT

    Yes, I agree with you that ADFS might not be doing truly "WWW-Authenticate: Basic".
    The reason I declared and assumed that it is WWW-Authenticate: Basic is because

    1. the popup was indeed from /adfs/ls..
    2. the popup was indeed a true HTML popup (which you are calling Form-Based Authentication, FBA) in the case of Chrome and Firefox

    So far we are on the same page.
    The only thing left is why this FBA is not manifested as true HTML rendering in the case of Edge?
    If you see my first screenshot at the top of the thread, it is a Windows-Security popup.

    I do not think it is HTML. Is it?

    Following is my logical understanding. Please correct me if I am wrong.

    As you explained, if the settings on the ADFS side conclude that IWA is not possible in the first place then ADFS will straight away show the **HTML popup**.
    However,
    if ADFS starts with IWA and if the browser is not capable of submitting the Kerberos service ticket then the Windows-Security popup is employed.
    Technically both are FBA. The GUI interface is different.

    Thanks.
