SAML with integrated windows authentication

JoeS-0122 41

Hello, I successfully got SAML setup with ADFS with a third party site. I am attempting to have someone login to windows and access the thirdparty site and auto logins to ADFS. To do this, I read that i needed to enable WIA and make sure the browsers are configured to allow it.

These were the articles I followed:
Below are the articles I followed:
https://help.hcltechsw.com/domino/11.0.1/admin/secu_creating_the_spn.html
https://help.hcltechsw.com/domino/11.0.1/admin/secu_enabling_iwa_adfs30.html
https://help.hcltechsw.com/domino/11.0.1/admin/secu_preparing_ie_for_adfs.html
https://help.hcltechsw.com/domino/11.0.1/admin/secu_creating_the_spn.html
https://support.classlink.com/hc/en-us/articles/360010601593-ADFS-Windows-Integrated-Authentication-WIA-

When i go to the thirdparty site after making the configurations, I get redirected to our ADFS client page and prompted for signin.

Below are some screenshots of changes I made:

Can someone provide some assistance? Is there a step I am missing? I set this up in windows 2019, I am using a windows 10 client with IE11 and edge. Both do the same.

Joy Qiao 4,901 Reputation points Microsoft Employee

2020-11-10T01:51:05.34+00:00

Hi,

This is Joy from Microsoft Windows Support team.

After checked your issue, we think it is more related with ADFS. So we delete your previous Windows Server tag and change it to ADFS to help you get a professional support from ADFS engineer.

Thank you for your understanding.

Bests,

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
JoeS-0122 41 Reputation points

2020-11-10T13:03:00.973+00:00

I checked and it is currently set to ADFS

1 answer

Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee

2020-11-10T18:49:13.013+00:00

Make sure the FQDN of your ADFS farm is a A record and not a CNAME.
Please sign in to rate this answer.
JoeS-0122 41 Reputation points

2020-11-16T03:31:25.343+00:00

In the DNS Server? I checked and it is an A record. Still not working however

Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee

2020-11-16T15:37:17.57+00:00

And is that working once you enter the creds in the pop-up? Or is that looping and you get another popup?

Also, try with a test account freshly created too, to check the issue is not related to another config on the user account (or a large group membership for example).

JoeS-0122 41 Reputation points

2020-11-16T17:00:31.037+00:00

Yes, It asks for domain credentials and when i enter them, It allows access to adfs and then to the thirdparty site.

The only component that isnt working seems to be the auto login which IWA should occur when the user logs into the account. I am testing with a standard user account. This user account has access to the 3rd party application. The service account just uses administrator. I do not see how creating another account will make any difference

Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee

2020-11-16T17:23:37.127+00:00

I was asking about trying with a vanilla user because things such as:

userWorkstations attribute

Kerberos Authentication Policies

User Right Assignment on the ADFS servers

Size of the Kerberos ticket
... can affect the user SSO experience. If we can't repro with a vanilla user then we know we are not dealing with an ADFS issue but with an server/infra issue.
If you knew about these aspects and checked already that's fine, but you didn't mention it so I figured I would ask.
Check with the Developper mode of your browser what user-agent-string you send:

Copy the full string here and we'll see what we have to customize on the ADFS side.

JoeS-0122 41 Reputation points

2020-11-16T19:05:59.82+00:00

I made a couple fixed and now it no longer gives the error. I setup another username and right away when i go to the third party, it says access denied. I need to have them create a test user for me to confirm whether I am still having problems. Once i do, I will provide a screenshot.

One thing i noticed is that there is an article about SPN's which I completely do not understand. I wonder if the problem is related to that(if it is still occurring).

JoeS-0122 41 Reputation points

2020-11-16T19:17:41.723+00:00

They created a user for me and I found the issue is still occurring. I do not get auto logged in like i think i should

Any ideas?

Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee

2020-11-17T03:46:12.607+00:00

You can try by adding "Mozilla/5.0" to the list of supported user agents.

JoeS-0122 41 Reputation points

2020-11-17T13:21:57.14+00:00

I did this even though im not actually using firefox
Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
MSIE 6.0
MSIE 7.0; Windows NT
MSIE 8.0
MSIE 9.0
MSIE 10.0; Windows NT 6
Windows NT 6.3; Trident/7.0
Windows NT 6.3; Win64; x64; Trident/7.0
Windows NT 6.3; WOW64; Trident/7.0
Windows NT 6.2; Trident/7.0
Windows NT 6.2; Win64; x64; Trident/7.0
Windows NT 6.2; WOW64; Trident/7.0
Windows NT 6.1; Trident/7.0
Windows NT 6.1; Win64; x64; Trident/7.0
Windows NT 6.1; WOW64; Trident/7.0
MSIPC
Windows Rights Management Client
Edg/*
Mozilla/5.0

Using new username i created yesterday i get the sign on:

setspn -L administrator

host/adfs.publicdomain(aka adfs federation name) http/adfs.publicdomain(aka adfs federation name) HTTP/adfs2 HTTP/adfs2.private domain

Anything else i can provide you to assist in diagnosing?

JoeS-0122 41 Reputation points

2020-11-17T13:59:34.67+00:00

I did this even though im not actually using firefox
Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
MSIE 6.0
MSIE 7.0; Windows NT
MSIE 8.0
MSIE 9.0
MSIE 10.0; Windows NT 6
Windows NT 6.3; Trident/7.0
Windows NT 6.3; Win64; x64; Trident/7.0
Windows NT 6.3; WOW64; Trident/7.0
Windows NT 6.2; Trident/7.0
Windows NT 6.2; Win64; x64; Trident/7.0
Windows NT 6.2; WOW64; Trident/7.0
Windows NT 6.1; Trident/7.0
Windows NT 6.1; Win64; x64; Trident/7.0
Windows NT 6.1; WOW64; Trident/7.0
MSIPC
Windows Rights Management Client
Edg/*
Mozilla/5.0

Using new username i created yesterday i get the sign on:

setspn -L administrator
host/adfs.publicdomain(aka adfs federation name)
http/adfs.publicdomain(aka adfs federation name)
HTTP/adfs2
HTTP/adfs2.private domain

Anything else i can provide you to assist in diagnosing?

Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee

2020-11-17T14:31:41.047+00:00

The SPNs with the FQDN of your farm must be set ONLY on the service account used by your ADFS farm.

JoeS-0122 41 Reputation points

2020-11-17T14:35:19.577+00:00

Can you give me example as to what values should be set?
Can you provide a screenshot as well?

Lets say my private domain is josephprivdomain.local
Let's say my public domain is josephpublicdomain.net

I want my service account to be administrator which it is set.
How should the host/http values look?

Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee

2020-11-17T15:23:09.533+00:00

and what is the FQDN of your ADFS farm then? It can only be in one domain.

JoeS-0122 41 Reputation points

2020-11-17T15:30:24.057+00:00

The FQDN is my public domain, i ommitted the real name as it is a test environment.
adfs.josephpublicdomain.net

Therefore should i just have these values?
host/adfs.josephpublicdomain.net(aka adfs federation name)
http/adfs.josephpublicdomain.net(aka adfs federation name)

JoeS-0122 41 Reputation points

2020-11-23T13:10:08.8+00:00

Hello, Any updates on this?
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

SAML with integrated windows authentication

1 answer

Your answer