This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 31%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
Hello,
When my web application is sending the browser to ADFS for authentication, ADFS is challenging the user with "BASIC Authentication"
As a result, browser is asking user to provide username and password.
My problem is, if I am using Firefox I get the standard HTML basic-auth popup as attached in the screen-shot.
However, if I am using Edge then I am seeing the native "windows security" popup as attached in the screen-shot.
My understanding is that this is the default interpretation of Edge browser to resolve basic-authentication.
I do not want edge to behave this way.
Is it possible to configure edge to take the standard html popup route ??
No you are not getting the point.
I know IWA and seamless authentication very will.
I have not explained the full context and usecase, but my ask is very simple.
I want to fallback to basic-auth. Period.
It is happening on firefox and google.
Edge is over-smarting (lack of better word) and showing me the native windows security popup. I do not want it.
No you are not getting the point.
I have not explained the full context and usecase
Tricky indeed :)
It's not edge doing it. It is ADFS. ADFS has a list of user-agent-string that supports IWA. When EDGE connects to ADFS, ADFS knows it supports IWA and triggers what you see. Although, if the Internet Settings of the machine were configured to accept IWA for the FQDN of the ADFS farm, the login would be silent. I know you don't want that, but that's the best way to avoid some attacks based on key logging. FBA being the worst since it is open to these attacks and desensitize users to type passwords.
You cannot change that behavior without affecting other apps as the list of IWA supported user-agent-strings is a farm setting. You could remove the user-agent-string of Edge but then you would have no supported browsers on which IWA will be supported which is kinda the same as having disable IWA via the authentication policies.
Unless you are using ADFS for other built-in Windows things like Office or Windows Hello for Business. If that's the case then removing the user-agent-string of Edge will not be the equivalent of disabling IWA. But we can only speculate as we don't have the full context and usecases.
If you have only a subset of machines on which you'd like to avoid that pop-up and on which you don't want IWA, you could modify the user-agent-string of the Edge clients. That way when they show up on ADFS they will be having FBA.
Documentation about the list of UAS can be found here: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-browser-wia
Note that when someone asks for a configuration that leads to less security, we need to ask more context and specifics. Maybe you might be aware of the risks, but this question is on a public platform. Someone might stumble on this and end up going FBA all the way not realizing of the associated risks. I know it's annoying if you feel you already know that, but we need to make sure the risks are discussed for others too.
Thanks @Pierre Audonnet - MSFT for writing so nice in detail. Appreciate it.
Keeping out all the good to have, industry practice etc. thing, and if we focus on the issue, I am still having disconnect.
I am least concern what handshakes happen between Edge and ADFS, least concern about what settings are done on Edge and ADFS to support IWA
the bottom line is IWA is first choice in ADFS to try out and it will definitely fail ( may be after several exchanges, may be right off the bat. ) I do not care.
Once IWA fails is where the discussion starts.
Who decided to show me the "windows security" popup and NOT BASIC-AUTH
Also let's use the right terminology. When you say FBA meaning we are talking about the the form prepared by my company to take username-password.
We are not atall talking about FBA
We are talking about BASIC-AUTH (i have put the picture in the top of the thread)
Thanks.
Chrome and Firefox is falling back on BASIC-AUTH but Edge is NOT
I thought that both popups you were showing were Windows Integrated Authentication pop-ups. And that's with this assumption that I started interacting in this thread as what you claimed (fall-back to basic auth) isn't a real thing in ADFS (or at least so think I).
What is the URL of your browser when you see that pop-up?
Is that it in /adfs/ls...? There are no basic authentication handler. It is just not there. Even if you wanted to use it.
The only "fall-back" we have in ADFS is the one I described when the user-agent-string is not in the list of supported UAS for IWA, ADFS display the Form Based Authentication page (the HTLM rendering of the form). This is governed by a setting you can see with: Get-ADFSGlobalAuthenticationPolicy and the parameter WindowsIntegratedFallbackEnabled. And in that case it does not try IWA (since ADFS knows it is not supported) but instead present the user directly with the HTML form.
"Once IWA fails is where the discussion starts."
Are you super sure what you see is basic authentication? What version of ADFS are you using (what OS)? Could you share a trace that shows the "WWW-Authenticate: Basic" header? And if so, what is the URL you are hitting? And are they other network equipments in between?
Because if you fail at IWA, the authentication is over. There is no fallback with ADFS sending you a "WWW-Authenticate: Basic" header. Regarless of the browser. If that turns out to actaully be basic auth, it is not available on my 2012 R2, 2016 and 2019 machines.
Thanks @Pierre Audonnet - MSFT
Yes, I agree with you that ADFS might not be doing truly "WWW-Authenticate: Basic"
The reason I declared and assumed that it is WWW-Authenticate: Basic is because
So far we are on the same page.
The only thing left is why this FBA is not manifested as true HTML Rendering in case of Edge ?
If you see my first screen shot at the top of the thread, it is Windows-Security Popup.
I do not think it is HTML. Is it ?
Following is my logical understanding. Please correct me if I am wrong.
As you explained, if the settings on the ADFS side concludes that IWA is not possible in the first place then ADFS will straight away shows the **HTML popup **
However,
if ADFS starts with IWA and if the browser is not capable to submit the kerberos Service-ticket then Windows-Security Popup. is employed.
Technically both are FBA. The GUI interface is different.
Thanks.
I think now I have better way to explain. So far we were talking more or less same thing but in different format.
Please focus on these 2 screens. One is from Chrome and other is from Edge.
If you notice, both have /adfs/ls/wia in URL
Meaning both user-agents are configured in ADFS to do WIA
There is no fallback required.
As expected, the WIA is failing at the browser-end and hence both browsers are showing the popup to collect credentials.
Popup for chrome is NOT "windows security challenge"
Can we have same for Edge ?
Also I have NOT done any configuration on any browser settings (local intranet site etc)
Thanks for being with me so far !!!
Thanks.
what do you think ? Is it interesting or I am just building castles in the air ?
This "windows security challenge" is a big issue for us.