
Saturday, May 16, 2020

Logging onto ADFS portal from internal network with Internet Explorer displays a Windows Security login prompt instead of the form webpage authentication

Problem

You’ve noticed that accessing the ADFS authentication portal from the internal network with Internet Explorer via the internal farm (not the WAP) displays the Windows Security login prompt instead of the form-based webpage authentication:

image

Navigating to the same sign-on page through the ADFS Web Application Proxy from the internet displays the expected form-based webpage authentication:

image

Solution

To allow clients on the internal network to authenticate via the form-based webpage authentication, the ADFS URL needs to be added to the Local Intranet zone in Internet Explorer:

image

image

**Note** that the environment used in this example has a GPO configured that locks the user out of adding sites to the Local Intranet zone.

To correct this issue with a GPO that you can apply globally in the organization, you will need to decide whether the Group Policy should:

  1. Add the site *and* prevent users from adding sites
  2. Add the site *and* allow users to add additional sites

If #1 is the desired effect, then create or append to a GPO that is applied to the user accounts with the following setting:

User Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Site to Zone Assignment List

Then add the ADFS URL as the Value Name and 1 (Local Intranet) as the Value.

image

The GPO will add the site to the Local Intranet zone and disallow the user from adding more sites:

image

Use the User Configuration policy rather than the Computer Configuration policy, because the latter grays out the zones entirely and prevents users from seeing or adding sites to them.

If #2 is desired, then create a Group Policy Preferences Registry extension item and configure the following:

Hive: HKEY_CURRENT_USER

Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\domain.com\fs

Value name: http

Value type: REG_DWORD

Value data: 00000001

image

For reference, the following are the Value data for the other zones:

| Value    | Zone Name       |
|----------|-----------------|
| 00000000 | My Computer     |
| 00000001 | Local Intranet  |
| 00000002 | Trusted Sites   |
| 00000003 | Internet        |
| 00000004 | Restricted      |

**Note** that native Group Policy settings take precedence over Group Policy Preferences, so if the Site to Zone Assignment List is configured it will override (not merge with) the registry settings.
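As an added example (not from the original post), the script below checks where an ADFS host's zone assignment comes from across the three registry locations discussed above (native policy versus the Group Policy Preferences entry from option #2) and can optionally write the per-user Local Intranet entry. It assumes the placeholder host fs.domain.com from the post and HTTPS; the ordering of computer policy ahead of user policy in the report is an assumption for display only.

```powershell
param(
    [string]$Domain   = 'domain.com',   # placeholder domain from the post
    [string]$HostName = 'fs',
    [string]$Scheme   = 'https',
    [switch]$Set                        # write the user-preference entry (option #2)
)

# Zone codes from the table in the post
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted' }

$Relative = "Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain\$HostName"
# The native Site to Zone Assignment List lands under Software\Policies and overrides
# the plain HKCU preference that a Group Policy Preferences Registry item writes.
$Locations = [ordered]@{
    'Computer policy' = "HKLM:\Software\Policies\$Relative"
    'User policy'     = "HKCU:\Software\Policies\$Relative"
    'User preference' = "HKCU:\Software\$Relative"
}

function Get-ZoneAssignments {
    foreach ($loc in $Locations.GetEnumerator()) {
        $item = Get-ItemProperty -Path $loc.Value -Name $Scheme -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $code = [int]$item.$Scheme
            [pscustomobject]@{ Source = $loc.Key; Zone = $code; ZoneName = $ZoneNames[$code] }
        }
    }
}

$found = @(Get-ZoneAssignments)
if ($found.Count -eq 0) {
    Write-Output "$Scheme`://$HostName.$Domain has no explicit ZoneMap entry; IE falls back to automatic zone detection."
} else {
    $found | Format-Table -AutoSize
    if ($found.Source -match 'policy') {
        Write-Output 'A native policy entry exists, so any user preference entry is overridden, not merged.'
    }
}

if ($Set) {
    if ($found.Source -match 'policy') {
        Write-Warning 'A policy entry exists; writing the user preference would have no effect.'
    } else {
        $path = $Locations['User preference']
        New-Item -Path $path -Force | Out-Null
        Set-ItemProperty -Path $path -Name $Scheme -Value 1 -Type DWord   # 1 = Local Intranet
        Write-Output "Assigned $HostName.$Domain ($Scheme) to the Local Intranet zone."
    }
}
```

Run it without `-Set` on an affected workstation to confirm which location (if any) is supplying the zone before deciding between the two GPO approaches.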
