Device authentication controls in AD FS
The following document shows how to enable device authentication controls in Windows Server 2016 and 2012 R2.
Device Authentication controls in AD FS 2012 R2
Originally in AD FS 2012 R2 there was one global authentication property called DeviceAuthenticationEnabled that controlled device authentication.
To configure the setting, the Set-AdfsGlobalAuthenticationPolicy cmdlet was used as shown below:
PS:\>Set-AdfsGlobalAuthenticationPolicy –DeviceAuthenticationEnabled $true
To disable device authentication, the same cmdlet was used to set the value to $false.
Device Authentication controls in AD FS 2016
The only type of device authentication supported in 2012 R2 was clientTLS. In AD FS 2016, in addition to clientTLS there are two new types of device authentication for modern devices authentication. These are:
- PKeyAuth
- PRT
To control the new behavior, the DeviceAuthenticationEnabled property is used in combination with a new property called DeviceAuthenticationMethod.
The device authentication method determines the type of device authentication that will be done: PRT, PKeyAuth, clientTLS, or some combination. It has the following values:
- SignedToken: PRT only
- PKeyAuth: PRT + PKeyAuth
- ClientTLS: PRT + clientTLS
- All: All of the above
As you can see, PRT is part of all device authentication methods, making it in effect the default method that is always enabled when DeviceAuthenticationEnabled is set to $true.
Example: To configure the method(s), use the DeviceAuthenticationEnabled cmdlet as above, along with new property:
PS:\>Set-AdfsGlobalAuthenticationPolicy –DeviceAuthenticationEnabled $true
Note
In AD FS 2019, DeviceAuthenticationMethod can be used with the Set-AdfsRelyingPartyTrust command.
PS:\>Set-AdfsRelyingPartyTrust -DeviceAuthenticationMethod ClientTLS
Note
Enabling device authentication (setting DeviceAuthenticationEnabled to $true) means the DeviceAuthenticationMethod is implicitly set to SignedToken, which equates to PRT.
PS:\>Set-AdfsGlobalAuthenticationPolicy –DeviceAuthenticationMethod All
Note
The default device authentication method is SignedToken. Other values are PKeyAuth,ClientTLS, and All.
The meanings of the DeviceAuthenticationMethod values have changed slightly since AD FS 2016 was released. See the table below for the meaning of each value, depending on the update level:
| AD FS version | DeviceAuthenticationMethod value | Means |
|---|---|---|
| 2016 RTM | SignedToken | PRT + PkeyAuth |
| clientTLS | clientTLS | |
| All | PRT + PkeyAuth + clientTLS | |
| 2016 RTM + up to date with Windows Update | SignedToken (changed meaning) | PRT (only) |
| PkeyAuth (new) | PRT + PkeyAuth | |
| clientTLS | PRT + clientTLS | |
| All | PRT + PkeyAuth + clientTLS |