AD FS with IWA enabled does not prompt for credentials in Windows Application

Chris_0110 20 Reputation points
2023-07-03T05:35:29.17+00:00

I have an AD FS server with Windows Authentication enabled. On my local computer, I am trying to log in to that AD FS using my JavaScript Windows Application via the Windows Security pop-up that appears on-screen. However, that Windows form does not appear when I select #2 below.

I have observed two distinct behaviors when the Internet Options > Advanced > Enable IWA is checked or unchecked:

#1) When unchecked, and I make a request to my AD FS, I am prompted for a username and password.

#2) When checked, and I make a request to my AD FS, I am not prompted for a username and password. My JavaScript application makes an additional request and receives a response with 'Negotiate/NTLM'.

In #1, I am assuming that IWA is not set up correctly on my local computer. Strangely, I am prompted for a username and password.

In #2, IWA is set up correctly because I receive a 401 that has "WWW-Authenticate: Negotiate, NTLM" in the header. However, after my application receives that response, I am not prompted for a username and password.

I am prompted for my credentials when trying to access AD FS in Edge and Chrome in both scenarios.

My question is, in my application, how do I make the Windows form (asking for my credentials) appear when I select #2? Is this a limitation of JavaScript-built Windows applications or does it have something to do with a missing setup?

Apologies if some of the terms I used are inaccurate. I am fairly new to setting up AD FS. Thank you!


Accepted answer
Limitless Technology 44,551 Reputation points
2023-07-03T10:29:13.8933333+00:00

Hello Chris,

Thank you for your question and for reaching out with your question today.

In scenario #2, where you are not prompted for a username and password when accessing AD FS and instead receive a response with "Negotiate/NTLM" in the header, it indicates that Integrated Windows Authentication (IWA) is enabled and functioning correctly. However, the Windows Security pop-up (credential prompt) does not appear in your JavaScript application.

The behavior you are experiencing is not a limitation of JavaScript-built Windows applications but rather a browser-specific behavior. By default, most browsers do not display the Windows Security pop-up when making cross-origin requests (requests from a different domain) using XMLHttpRequest or fetch API from JavaScript. This behavior is designed to prevent unauthorized access to user credentials.

To overcome this limitation, you can use the following approaches:

1. Proxy Server: Set up a proxy server that runs on the same domain as your JavaScript application and forwards requests to AD FS. By doing this, your JavaScript application can make requests to the proxy server instead of directly to AD FS. Since the requests are made to the same domain, the browser will display the Windows Security pop-up.
2. Server-Side Proxy: Implement a server-side component (e.g., a web API) on your application server that acts as a proxy for AD FS. Your JavaScript application would make requests to the server-side component, which then forwards the request to AD FS. The server-side component can handle the authentication and pass the response back to the JavaScript application.
3. AD FS Web Forms-Based Authentication: If possible, you can configure AD FS to use Web Forms-Based Authentication instead of Windows Authentication. With this configuration, AD FS presents a web-based login form instead of the Windows Security pop-up, allowing users to enter their credentials directly in the browser.
4. OAuth/OpenID Connect: Consider using OAuth or OpenID Connect for authentication in your JavaScript application. These protocols provide a standardized way for web applications to authenticate and authorize users. AD FS supports both OAuth and OpenID Connect, and there are libraries and SDKs available for JavaScript that can help you integrate these protocols into your application.

It's important to note that the specific implementation details may vary depending on your application architecture and requirements. I recommend consulting the documentation and resources specific to your AD FS version and JavaScript framework for more detailed guidance on implementing these approaches.

I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

If the reply was helpful, please don't forget to upvote or accept as answer.

Best regards.

