AD FS always asks for Password even if sole authentication method is "Windows"

Markus Karg 6 Reputation points
2022-06-23T12:51:02.39+00:00

Windows Server 2022.
I am setting up AD FS on a local domain.
I have set primary authentication method to solely "Windows".
Hence, a user should never see a login screen, as he is already logged in to Windows.
The browser used is Edge.
But always the user is shown a form asking for username and password.
Request sent is for openid id_token solely.
What am I doing wrong?

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
956 questions
No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Markus Karg 6 Reputation points
    2022-06-27T06:40:09.29+00:00

    I have solved the problem.

    In client's Internet Options, I added the AD FS host to the list of local sites. This is rather strange, as the check box to add all otherwise not listed sites is already checked.

    In server's AD FS Options, I added =~Windows\s*NT.*Chrome to WIASupportedUserAgents using Set-ADFSProperties. This is pretty strange, as apparently there is a typo in the original list of Windows Server 2022. The defaults should contain =~Windows\s*NT.*Edg. since Windows 2016 according to the document found at https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-browser-wia (so it matches both =~Windows\s*NT.*Edg and =~Windows\s*NT.*Edge), but actually the list only contains =~Windows\s*NT.*Edge. As latest Edge reports as both, Chrome and Edg, the original RegEx does not match. I think the difference between the actual list and the list in the documentation proofs that this is a bug in latest Windows Server 2022.