Problem
You’ve noticed that accessing the ADFS authentication portal from the internal network with Internet Explorer via the internal farm (not the WAP) displays the Windows Security login prompt instead of the forms-based web page authentication:
Navigating to the same sign-on page through the ADFS Web Application Proxy from the internet displays the expected forms-based web page authentication:
Solution
To allow clients on the internal network to authenticate via forms-based web page authentication, the ADFS URL needs to be added to the Local Intranet zone in Internet Explorer:
**Note that the environment used in this example has a GPO configured that prevents the user from adding sites to the Local Intranet zone.
To correct this issue with a GPO that you can apply globally in the organization, you will need to decide whether the Group Policy should:
- Add the site *and* prevent users from adding sites
- Add the site *and* allow users to add additional sites
If #1 is the desired effect, create or append to a GPO that is applied to the user accounts with the setting:
User Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Site to Zone Assignment List
Then add the ADFS URL as the Value Name and 1 as the Value.
The GPO will add the site to the Local Intranet zone and disallow the user from adding more sites:
The User policy is used rather than the Computer policy, because the latter grays out the zones and prevents users from seeing or adding sites to the zones.
If #2 is desired, create a Group Policy Preferences Registry Extension item and configure the following:
Hive: HKEY_CURRENT_USER
Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\domain.com\fs
Value name: http
Value type: REG_DWORD
Value data: 00000001
For reference, the Value data for the other zones are:
| Value    | Zone Name      |
|----------|----------------|
| 00000000 | My Computer    |
| 00000001 | Local Intranet |
| 00000002 | Trusted Sites  |
| 00000003 | Internet       |
| 00000004 | Restricted     |
**Note that native Group Policy settings take precedence over Group Policy Preferences, so if the Site to Zone Assignment List is configured it will override (not merge with) the registry settings.
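The following PowerShell script is an added example, not part of the original post. It reports which registry entry, if any, currently places an ADFS host in an IE zone, checking the Site to Zone Assignment List policy key before the ZoneMap\Domains key to reflect the precedence described above, and can write the same preference-style entry the Registry Extension item creates. The ADFS FQDN `fs.domain.com` is an assumed placeholder.

```powershell
# Added example (not from the original post): audit, and optionally set, the IE zone
# mapping for an ADFS host. $AdfsHost is an assumed placeholder; use your federation FQDN.
param(
    [string]$AdfsHost = 'fs.domain.com',
    [switch]$Apply                       # write the preference-style entry if none exists
)

$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

# Where the Site to Zone Assignment List policy stores entries (value name = URL, data = zone).
# This key wins over anything under ZoneMap\Domains.
$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

# Where Group Policy Preferences or the IE dialog store entries: ...\Domains\<domain>\<host>
$labels  = $AdfsHost.Split('.')
$prefKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\' +
           (($labels | Select-Object -Skip 1) -join '.') + '\' + $labels[0]

function Get-AdfsZoneAssignment {
    if (Test-Path $policyKey) {
        $p = Get-ItemProperty -Path $policyKey
        foreach ($name in "https://$AdfsHost", "http://$AdfsHost", $AdfsHost) {
            $prop = $p.PSObject.Properties[$name]
            if ($prop) { return [pscustomobject]@{ Source = 'Policy (Site to Zone Assignment List)'; Entry = $name; Zone = [int]$prop.Value } }
        }
    }
    if (Test-Path $prefKey) {
        $p = Get-ItemProperty -Path $prefKey
        # Value name is the URL scheme; ADFS sign-on is served over https, so check that first
        foreach ($name in 'https', 'http', '*') {
            $prop = $p.PSObject.Properties[$name]
            if ($prop) { return [pscustomobject]@{ Source = 'ZoneMap\Domains (preference or user-added)'; Entry = $name; Zone = [int]$prop.Value } }
        }
    }
    return $null
}

$current = Get-AdfsZoneAssignment
if ($current) {
    '{0}: zone {1} ({2}) set by {3}, entry "{4}"' -f $AdfsHost, $current.Zone, $zoneNames[$current.Zone], $current.Source, $current.Entry
} else {
    "$AdfsHost has no explicit zone mapping in HKCU"
}

if ($Apply -and -not $current) {
    # Same entry the Registry Extension item above creates, keyed on the https scheme
    New-Item -Path $prefKey -Force | Out-Null
    New-ItemProperty -Path $prefKey -Name 'https' -PropertyType DWord -Value 1 -Force | Out-Null
    "Mapped https://$AdfsHost to Local Intranet (1) under $prefKey"
}
```

Run it in the affected user's session after a `gpupdate`; if the output names the policy key, the Site to Zone Assignment List is in force and a preference entry for the same host will be ignored.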