Hello Chris,
Thank you for your question and for reaching out today.
In scenario #2, where you are not prompted for a username and password when accessing AD FS and instead receive a response with "Negotiate/NTLM" in the header, it indicates that Integrated Windows Authentication (IWA) is enabled and functioning correctly. However, the Windows Security pop-up (credential prompt) does not appear in your JavaScript application.
The behavior you are experiencing is not a limitation of JavaScript-built Windows applications but rather a browser-specific behavior. By default, most browsers do not display the Windows Security pop-up when making cross-origin requests (requests from a different domain) using XMLHttpRequest or fetch API from JavaScript. This behavior is designed to prevent unauthorized access to user credentials.
To overcome this limitation, you can use the following approaches:
- Proxy Server: Set up a proxy server that runs on the same domain as your JavaScript application and forwards requests to AD FS. By doing this, your JavaScript application can make requests to the proxy server instead of directly to AD FS. Since the requests are made to the same domain, the browser will display the Windows Security pop-up.
- Server-Side Proxy: Implement a server-side component (e.g., a web API) on your application server that acts as a proxy for AD FS. Your JavaScript application would make requests to the server-side component, which then forwards the request to AD FS. The server-side component can handle the authentication and pass the response back to the JavaScript application.
- AD FS Web Forms-Based Authentication: If possible, you can configure AD FS to use Web Forms-Based Authentication instead of Windows Authentication. With this configuration, AD FS presents a web-based login form instead of the Windows Security pop-up, allowing users to enter their credentials directly in the browser.
- OAuth/OpenID Connect: Consider using OAuth or OpenID Connect for authentication in your JavaScript application. These protocols provide a standardized way for web applications to authenticate and authorize users. AD FS supports both OAuth and OpenID Connect, and there are libraries and SDKs available for JavaScript that can help you integrate these protocols into your application.
It's important to note that the specific implementation details may vary depending on your application architecture and requirements. I recommend consulting the documentation and resources specific to your AD FS version and JavaScript framework for more detailed guidance on implementing these approaches.
I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.
If the reply was helpful, please don’t forget to upvote or accept as answer.
Best regards.