0 Votes
testuser7-8288 asked testuser7-8288 answered

ADFS basic authentication


Hello,

When my web application sends the browser to ADFS for authentication, ADFS challenges the user with "BASIC Authentication".
As a result, the browser asks the user to provide a username and password.

My problem is, if I am using Firefox I get the standard HTML basic-auth popup, as attached in the screenshot.
However, if I am using Edge then I see the native "Windows Security" popup, as attached in the screenshot.
My understanding is that this is the default way the Edge browser resolves basic authentication.
I do not want Edge to behave this way.

Is it possible to configure Edge to take the standard HTML popup route?



138186-image.png


138214-image.png



adfs

0 Votes
JaiVerma-7010 answered

Hello @testuser7-8288

Try the steps below and see if this is the experience you are looking for.

You could open Internet Options and check the User Authentication option:

Type "Internet Options" in the search box next to the Start menu button.

Open Internet Options and click on the Security tab.

If the site is in the Internet zone, click on Internet and under Security level click on Custom level.

Scroll down to User Authentication and check whether you have selected "Prompt for user name and password".

Choose one of the other options if "Prompt for user name and password" is selected.

Click OK, Apply, then restart the browser and try again.


0 Votes
piaudonn answered

This is not basic authentication; it is likely Integrated Windows Authentication, not basic auth.

The troubleshooting steps are available here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-iwa


0 Votes
testuser7-8288 answered piaudonn commented

I guess I did not explain properly.

Yes, you are right. Meaning ADFS is configured to first try Integrated Windows Authentication.
It will definitely fail in my case.

So when it fails, what is the fallback authentication?
My understanding is it is "Basic Auth",
and for that I want the pure HTML-based basic-auth popup.

I do not want the "Windows Security" popup.

Do you think it is possible?


Basic Auth means something special. It means that your username and password will transit in clear text (base64 encoded, to be precise) on the network. This is NOT what this popup is. This popup is showing up because your browser is not configured properly to handle Integrated Windows Authentication. If you configure your browser as suggested in the article I sent, you will have SSO and will not be prompted for a username or password, in a popup or in a web form. That's the best way to authenticate.

If you don't want SSO and want to force the user to type her or his password in a webform (less secure), then you can change the Authentication Policy on your ADFS farm and enable only Form Based Authentication.


138617-image.png

But if your machines are domain joined, that's a bad idea.

0 Votes
0 Votes
NahuelVacca-1228 answered NahuelVacca-1228 edited

Hi,

If you are not going to use IWA, you might want to go to your ADFS server and disable Windows Authentication and allow forms authentication so that you don't get that authentication pop up. That Authentication Window is a Basic Authentication Popup because Negotiate (Kerberos, then NTLM) has failed.

138646-image.png




0 Votes
testuser7-8288 answered piaudonn edited

Thanks @NahuelVacca-1228

No, I can not disable Windows Authentication.
But when Windows Authentication fails (for any reason, which is not important), I want the user to see the pure HTML basic-authentication popup as a fallback.

How can we do that?


You want to create the conditions for single sign-on. That's more important in my opinion.

You can configure the application to request FBA. But that is something to do at the application level, not in ADFS.

FBA is the least secure way to authenticate users...

0 Votes
0 Votes
testuser7-8288 answered testuser7-8288 commented

No, you are not getting the point.
I know IWA and seamless authentication very well.

I have not explained the full context and use case, but my ask is very simple.

I want to fall back to basic-auth. Period.
It is happening on Firefox and Google.

Edge is over-smarting (for lack of a better word) and showing me the native Windows Security popup. I do not want it.


"No you are not getting the point.
I have not explained the full context and usecase"

Tricky indeed :)

It's not Edge doing it. It is ADFS. ADFS has a list of user-agent strings that support IWA. When Edge connects to ADFS, ADFS knows it supports IWA and triggers what you see. Although, if the Internet Settings of the machine were configured to accept IWA for the FQDN of the ADFS farm, the login would be silent. I know you don't want that, but that's the best way to avoid some attacks based on key logging. FBA is the worst since it is open to these attacks and desensitizes users to typing passwords.

You cannot change that behavior without affecting other apps, as the list of IWA-supported user-agent strings is a farm setting. You could remove the user-agent string of Edge, but then you would have no supported browsers on which IWA is supported, which is kind of the same as having disabled IWA via the authentication policies.

Unless you are using ADFS for other built-in Windows things like Office or Windows Hello for Business. If that's the case then removing the user-agent string of Edge will not be the equivalent of disabling IWA. But we can only speculate as we don't have the full context and use cases.

If you have only a subset of machines on which you'd like to avoid that pop-up and on which you don't want IWA, you could modify the user-agent string of the Edge clients. That way, when they show up on ADFS they will get FBA.

0 Votes

Documentation about the list of UAS can be found here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-browser-wia

Note that when someone asks for a configuration that leads to less security, we need to ask for more context and specifics. Maybe you are aware of the risks, but this question is on a public platform. Someone might stumble on this and end up going FBA all the way without realizing the associated risks. I know it's annoying if you feel you already know that, but we need to make sure the risks are discussed for others too.

0 Votes

Thanks @piaudonn for writing in such nice detail. Appreciate it.

Leaving aside all the good-to-have, industry-practice etc. things, if we focus on the issue, I still have a disconnect.

I am least concerned about what handshakes happen between Edge and ADFS, and least concerned about what settings are done on Edge and ADFS to support IWA.
The bottom line is that IWA is the first choice for ADFS to try, and it will definitely fail (maybe after several exchanges, maybe right off the bat). I do not care.

Once IWA fails is where the discussion starts.
Who decided to show me the "Windows Security" popup and NOT BASIC-AUTH?

Also, let's use the right terminology. When you say FBA, we are talking about the form prepared by my company to take username and password.
We are not at all talking about FBA.

We are talking about BASIC-AUTH (I have put the picture at the top of the thread).

Thanks.

0 Votes
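The comment above says the WIA-or-form decision is made on the ADFS side from a farm-wide user-agent list and a fallback setting. The following is an added example, not code from the thread or from Microsoft's documentation, showing how to read those two settings with the ADFS PowerShell module (`Get-AdfsGlobalAuthenticationPolicy`, `Get-AdfsProperties`, `Set-AdfsProperties`) and how to test whether a given User-Agent would match. It assumes an ADFS server with the ADFS module available; the two User-Agent strings and the `Test-AdfsWiaUserAgent` helper are mine. The substring match and the case-insensitive comparison are my reading of how the documented default entries (for example `Edge/`) are meant to work; treat them as an assumption and verify against your farm.

```powershell
# Added example (not from the thread): inspect the ADFS settings that decide
# whether a browser is sent to /adfs/ls/wia for a Negotiate challenge or
# straight to the HTML forms page. Run on an ADFS server in an elevated
# PowerShell session.
Import-Module ADFS

# 1. Which handlers are enabled and whether non-WIA browsers fall back to forms.
$policy = Get-AdfsGlobalAuthenticationPolicy
"Primary intranet handlers : $($policy.PrimaryIntranetAuthenticationProvider -join ', ')"
"Primary extranet handlers : $($policy.PrimaryExtranetAuthenticationProvider -join ', ')"
"WIA fallback to forms     : $($policy.WindowsIntegratedFallbackEnabled)"

# 2. The farm-wide list of user-agent fragments ADFS treats as WIA-capable.
$uas = (Get-AdfsProperties).WIASupportedUserAgents
"WIA user-agent entries:"
$uas | ForEach-Object { "  $_" }

# 3. Would this User-Agent be treated as WIA-capable?
#    Assumption: ADFS performs a substring match against each entry;
#    -like is case-insensitive, which is also an assumption on my part.
function Test-AdfsWiaUserAgent {
    param(
        [Parameter(Mandatory)][string]$UserAgent,
        [string[]]$Patterns = (Get-AdfsProperties).WIASupportedUserAgents
    )
    foreach ($p in $Patterns) {
        if ($UserAgent -like "*$p*") { return $p }   # first entry that matches
    }
    return $null                                      # no match: forms page
}

# Constructed User-Agent strings (not taken from the thread's screenshots).
# Note that Chromium-based Edge identifies itself with "Edg/", not "Edge/".
$edgeUa    = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29'
$firefoxUa = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0'
"Edge matches    : $(Test-AdfsWiaUserAgent -UserAgent $edgeUa)"
"Firefox matches : $(Test-AdfsWiaUserAgent -UserAgent $firefoxUa)"

# 4. Removing an entry is a farm-wide change that affects every client that
#    matched it. Keep a copy of $uas to restore, then uncomment to apply.
#    This example drops the legacy 'Edge/' entry if it is present.
# Set-AdfsProperties -WIASupportedUserAgents ($uas | Where-Object { $_ -ne 'Edge/' })
```

Run steps 1 to 3 first and compare the matched entry with the User-Agent the client actually sends (visible in the browser's developer tools under the request headers): if Chromium Edge is being sent to `/adfs/ls/wia`, some entry other than the legacy `Edge/` string must be matching it, and that is the entry whose removal would also affect every other browser sharing that fragment.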
0 Votes
testuser7-8288 answered piaudonn commented

Chrome and Firefox are falling back on BASIC-AUTH but Edge is NOT.


I thought that both popups you were showing were Windows Integrated Authentication pop-ups. And it's with this assumption that I started interacting in this thread, as what you claimed (fall-back to basic auth) isn't a real thing in ADFS (or at least so I think).

What is the URL of your browser when you see that pop-up?
Is it in /adfs/ls...? There is no basic authentication handler. It is just not there, even if you wanted to use it.

The only "fall-back" we have in ADFS is the one I described: when the user-agent string is not in the list of supported UAS for IWA, ADFS displays the Form Based Authentication page (the HTML rendering of the form). This is governed by a setting you can see with Get-ADFSGlobalAuthenticationPolicy and the parameter WindowsIntegratedFallbackEnabled. And in that case it does not try IWA (since ADFS knows it is not supported) but instead presents the user directly with the HTML form.

"Once IWA fails is where the discussion starts."

Are you super sure what you see is basic authentication? What version of ADFS are you using (what OS)? Could you share a trace that shows the "WWW-Authenticate: Basic" header? And if so, what is the URL you are hitting? And are there other network devices in between?
Because if you fail at IWA, the authentication is over. There is no fallback with ADFS sending you a "WWW-Authenticate: Basic" header, regardless of the browser. If that turns out to actually be basic auth, it is not available on my 2012 R2, 2016 and 2019 machines.

0 Votes
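The comment above asks for a trace showing whether the 401 really carries `WWW-Authenticate: Basic`. The following is an added example, not code from the thread, that classifies the `WWW-Authenticate` values of such a response so the scheme can be named precisely: a bare `Negotiate` (the SPNEGO opener), a `Negotiate` carrying an NTLM CHALLENGE or a Kerberos GSS-API token, plain `NTLM`, or `Basic`. The sample header values are constructed, the NTLM token is a minimal hand-built NTLMSSP type-2 message so the parser has something to decode offline, and the ADFS URL in the commented usage line is a placeholder. The live probe `Get-AdfsChallenge` is written for Windows PowerShell 5.1, where `Invoke-WebRequest` surfaces a 401 as a `WebException` with the response attached; PowerShell 7 exposes the response differently.

```powershell
# Added example (not from the thread): classify WWW-Authenticate challenge(s)
# from a 401 so you can tell Negotiate/NTLM/Kerberos apart from Basic.
function ConvertFrom-WwwAuthenticate {
    param([Parameter(Mandatory)][string[]]$Header)   # one value per header line
    foreach ($h in $Header) {
        $scheme, $rest = $h.Trim() -split '\s+', 2
        $info = [ordered]@{ Scheme = $scheme; Kind = 'unknown'; Detail = $rest }
        switch ($scheme.ToLowerInvariant()) {
            'basic' {
                # RFC 7617: credentials go on the wire as base64(user:pass).
                # Only this scheme is "basic auth" in the sense the thread uses.
                $info.Kind = 'Basic (cleartext credentials, base64-encoded)'
            }
            { $_ -in 'negotiate', 'ntlm' } {
                if ([string]::IsNullOrWhiteSpace($rest)) {
                    # Bare "Negotiate": the server asks the client to start SPNEGO.
                    # A Windows client answers with Kerberos if it holds a ticket
                    # for the SPN, otherwise with NTLM.
                    $info.Kind = 'Negotiate, initial challenge (no token yet)'
                } else {
                    try { $bytes = [Convert]::FromBase64String($rest) } catch { $bytes = $null }
                    if ($null -eq $bytes) {
                        $info.Kind = 'Negotiate, token is not valid base64'
                    } elseif ($bytes.Length -ge 12 -and
                              [Text.Encoding]::ASCII.GetString($bytes, 0, 8) -eq "NTLMSSP`0") {
                        # "NTLMSSP\0" signature, then a 4-byte little-endian message type.
                        $type = [BitConverter]::ToUInt32($bytes, 8)
                        $info.Kind = "NTLM message type $type" + $(if ($type -eq 2) { ' (server CHALLENGE)' } else { '' })
                    } elseif ($bytes[0] -eq 0x60) {
                        # DER APPLICATION 0 tag: GSS-API InitialContextToken (Kerberos/SPNEGO).
                        $info.Kind = 'GSS-API token (Kerberos/SPNEGO)'
                    } else {
                        $info.Kind = 'Negotiate, unrecognised token'
                    }
                }
            }
            'bearer' { $info.Kind = 'Bearer (OAuth2 token)' }
        }
        [pscustomobject]$info
    }
}

# --- constructed samples ----------------------------------------------------
# Minimal NTLMSSP type-2 message: "NTLMSSP\0" + type 2 (LE) + zeroed fields.
$ntlmType2 = [byte[]](@(0x4E,0x54,0x4C,0x4D,0x53,0x53,0x50,0x00, 0x02,0x00,0x00,0x00) + (New-Object byte[] 20))
$samples = @(
    'Negotiate',                                           # SPNEGO opener
    "Negotiate $([Convert]::ToBase64String($ntlmType2))",  # NTLM fallback inside SPNEGO
    'NTLM',
    'Basic realm="adfs.example.com"'                       # genuine basic auth
)
ConvertFrom-WwwAuthenticate -Header $samples | Format-Table -AutoSize

# --- live probe (needs network; run from the client that sees the popup) -----
# Windows PowerShell 5.1: a 401 raises a WebException whose Response carries
# the headers. The URL passed in is a placeholder you replace with your farm's.
function Get-AdfsChallenge {
    param([Parameter(Mandatory)][string]$Url, [string]$UserAgent)
    try {
        Invoke-WebRequest -Uri $Url -UserAgent $UserAgent -UseBasicParsing `
            -MaximumRedirection 0 -ErrorAction Stop | Out-Null
        return 'No challenge: server returned a page (probably the HTML form)'
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($null -eq $resp) { throw }
        $values = $resp.Headers.GetValues('WWW-Authenticate')
        if (-not $values) { return "HTTP $([int]$resp.StatusCode) without WWW-Authenticate" }
        return ConvertFrom-WwwAuthenticate -Header $values
    }
}
# Get-AdfsChallenge -Url 'https://adfs.example.com/adfs/ls/wia' -UserAgent 'Mozilla/5.0 ...'
```

Pass the real User-Agent of the browser that shows the popup, because the thread's own explanation is that ADFS picks the handler from that string; a request sent with PowerShell's default User-Agent may be routed to the forms page and never see the challenge. Whatever the classification returns is what the browser is reacting to: a `Negotiate`/`NTLM` challenge is rendered by Edge through the Windows credential prompt, and only a `Basic` challenge would produce an HTTP basic-auth dialog.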
0 Votes
testuser7-8288 answered

Thanks @piaudonn

Yes, I agree with you that ADFS might not be doing a true "WWW-Authenticate: Basic".
The reason I declared and assumed that it is WWW-Authenticate: Basic is because
1. the popup was indeed from /adfs/ls..
2. the popup was indeed a true HTML popup (which you are calling Form-Based Authentication, FBA) in the case of Chrome and Firefox


So far we are on the same page.
The only thing left is why this FBA is not manifested as true HTML rendering in the case of Edge?
If you see my first screenshot at the top of the thread, it is a Windows Security popup.

I do not think it is HTML. Is it?

Following is my logical understanding. Please correct me if I am wrong.

As you explained, if the settings on the ADFS side conclude that IWA is not possible in the first place, then ADFS will straight away show the HTML popup.
However,
if ADFS starts with IWA and the browser is not capable of submitting the Kerberos service ticket, then the Windows Security popup is employed.
Technically both are FBA. The GUI interface is different.


Thanks.



0 Votes
testuser7-8288 answered

Hi @piaudonn

I think now I have a better way to explain. So far we were talking about more or less the same thing but in a different format.
Please focus on these 2 screens. One is from Chrome and the other is from Edge.
If you notice, both have /adfs/ls/wia in the URL,
meaning both user-agents are configured in ADFS to do WIA.
There is no fallback required.

As expected, WIA is failing at the browser end and hence both browsers are showing the popup to collect credentials.
The popup for Chrome is NOT the "Windows Security challenge".
Can we have the same for Edge?

Also, I have NOT done any configuration in any browser settings (local intranet site etc.).


139581-image.png
139528-image.png




Thanks for being with me so far !!!
Thanks.



0 Votes
testuser7-8288 answered

@piaudonn

What do you think? Is it interesting, or am I just building castles in the air?

This "windows security challenge" is a big issue for us.
