This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 88%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Hello, I successfully got SAML setup with ADFS with a third party site. I am attempting to have someone login to windows and access the third party site and auto logins to ADFS. To do this, I read that i needed to enable WIA and make sure the browsers are configured to allow it.
These were the articles I followed:
Below are the articles I followed:
https://help.hcltechsw.com/domino/11.0.1/admin/secu_creating_the_spn.html
https://help.hcltechsw.com/domino/11.0.1/admin/secu_enabling_iwa_adfs30.html
https://help.hcltechsw.com/domino/11.0.1/admin/secu_preparing_ie_for_adfs.html
https://help.hcltechsw.com/domino/11.0.1/admin/secu_creating_the_spn.html
https://support.classlink.com/hc/en-us/articles/360010601593-ADFS-Windows-Integrated-Authentication-WIA-
When i go to the thirdparty site after making the configurations, I get redirected to our ADFS client page and prompted for signin.
Can someone provide me with some guidance on what i am doing wrong?
see my browser developer info below. I added all browsers and everything that the other articles described
I also setup the SPNS
setspn -s host/{your_Federation_Service_name} {domain_name}{service_account}
I also tried to set the SPNs for HTTP to my adfs federation name as well as the actual adfs server name and no matter which settings i have added, it makes no difference. When you go to the thirdparty site which then redirects you to ADFS, It continues to ask for a login.
setspn -s HTTP/adfsfederationname.com admin
setspn -s HTTP/adfsfederationname admin
I know, me again :)
I'll try to be generic here as it is difficult to answer questions without traces. Sometimes the issue lies in small details that is obfuscated when we anonymize the scenario.
Assuming you are using a supported version of ADFS (2012 R2 or higher), assuming that you mean a WIA prompt and not a web form type of prompt. If what you are getting is a web form it could just the application that is configured to ask for form based auth. And we would see that in a Fiddler trace or browser debug network trace.
So let's review everything if what you get is a WIA prompt.
10. Try to bypass the load balancer if you have any using a HOSTS file to see if the issue is there.
Hello,
No worries. I am glad it is you since I know you helped me before. I just opened up another question because i never got a response.
Also, my apologies that i am now just responding. I was busy on wednesday and then the holiday occurred.
1) It is set
2)I already had this change made but below is the result;
(Get-AdfsProperties).WiaEvaluationMethod
WiaUserAgentDetection
3) I checked and it does appear as an A record
4) Make sure FQDN of the machine where ADFS is installed is different from the FQDN of the ADFS farm (if your ADFS server is adfs.contoso.com you cannot call your farm adfs.contoso.com).
It currently is
5) Get-ADObject -LDAPFilter "(|(ServicePrincipalName=http/adfsfarm(servicePrincipalName=host/adfsservicefarm that I set))"
CN=ADFSService2,CN=Managed Service Accounts,DC=omitted,DC=omitted ADFSService2 msDS-GroupManagedServiceAccount
6) Everyone Has access but I added my ADFSservicegroup as well
7) I think it was set but I ran the command:
PS C:\Users\administrator.CFFSTENV> Set-AdfsProperties -ExtendedProtectionTokenCheck None
Restarted
8) This was already set
9) There is no load balancer
Even after all of these updates and changes, the issue is still occurring. Anything else?
Nope. That's the thing we can do without data.
To go further we need data and by data I mean traces (Fiddler Traces, eventually network traces). You can choose to upload them here (if so make sure you obsfucate passwords from the trace), or you can open a case with the Microsoft support to share data with them directly (cost depends on your support contract - if you have one, or you can do ad-hoc case).
Can you tell me what information in fiddler you need?
At this point, I'll need the actual trace, it will avoid the multiple back and forth.
The more data you can provide at once and the faster we can dig into the root cause.
I understand if you don't feel comfortable sharing that data online (because you wish to keep URL, machine names and IP address confidential). In that case you would open a support case to have a secure share to send the traces.
You can try to repro your configuration in a lab envionment (I cannot repro on my labs) and take a trace there is the issue is also there.
I have never used this before. Do i need to decrypt https traffic? Do i export the individual session pertaining to that site? Any recommendations for keeping it secure when posting it to you?
Yes you will need to enable the HTTPS decrypt.
Usually, you need to make sure it doesn't contain password. But since you are prompted, you are not authenticated. So there will be not passwords in the trace.
Also, when you are prompted and you enter username and and a password, does it work? Or does it loop?
Ok. I will work on getting a trace to you in the hopes that this will give you more information.
I am currently not authenticated by browser.
When i am prompted and enter a username, it does work. It does not loop. Once i enter my credentials, I get logged in. The problem does not appear to be authentication, rather the browser(any of them) not acknowledging that IWA is setup and supposed to be used. Are there any other commands that I can run that would give you more information?
There are multiple tabs of info. Is there a specific tab that will have information or do i need to export the session?