This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 97%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
Per AD FS documentation:
I should be able to configure primary authentication method per Relying Party Trust. Some applications we want to log in to with certificate, and some with username and password. It appears that this was removed in ADFS 2016. Was the functionality completely removed or is this still achievable through a different menu or Powershell command?
Do you need more clarifications?
It was never removed. It was never there.
The only option per relaying party trust is to enforce re-authentication. There is even a screen shot in the document you post that clearly shows that it is the only option.
There is a long running thread here with all the info: https://social.technet.microsoft.com/Forums/en-US/e0f81720-6450-44ce-a530-6b9136b39b58/authentication-method-for-per-relying-trust?forum=ADFS#0626dd1a-6a6a-48ab-89d9-f191505eab49.
In case that link goes offline, here is the content:
tl;dr This was never taken out from the GUI or from the PowerShell module. It was never in the GUI nor in the PowerShell module.
It was NOT possible in 2012 R2, it is not possible in 2016, it is not possible in 2019. There must be a confusion there. I am not sure where it is coming from.
The primary authentication policy was and still is a farm-wide settings and the only option available at the RP level was to force re-authentication. And that is what the documentation that has been pointed out three times says: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-authentication-policies#to-configure-primary-authentication-per-relying-party-trust "Users are required to provide credentials each time at sign in." Please have a look. And the previous version of that document back in 2017 also states the same: https://web.archive.org/web/20170829040751/https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-authentication-policies
This is what it looks like in the GUI in Windows Server 2012 R2:
That said. You can configure your application trusing ADFS to request for a specific authentication method. But this setting is on the application side. NOT at the ADFS level. For example, if you have an application using WS-Federation on IIS, you can configure the web.config file in such way that the redirect to ADFS will have the authentication method embeded to it:
<federatedAuthentication>
<wsFederation passiveRedirectEnabled="true" issuer="https://adfs.verenatex.com/adfs/ls/" realm="https://web.verenatex.com/sample/" authenticationType="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" requireHttps="true" />
<cookieHandler requireSsl="true" />
</federatedAuthentication>
In the example above, the authentication method will be urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient and as long as this method is enabled in the global authentication policy at the farm level, the user will be prompted to pick a certificate for authentication (that is what this URI is about, TLS auth). But it could have been asking for form based authentication with the URI: urn:oasis:names:tc:SAML:2.0:ac:classes:Password (although password based one is the less secure, you could configure your app that way as long as form based is enabled on the global policy).
For SAML2 applications, the authentication method can be asked in the RequestedAuthnContext section of the SAML request:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="
...
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
Of course that would work only for the SP-Initiated flow.
Those two methods are to be deployed on the application side. NOT at the ADFS level. And it is documented that way.
Now if you feel that it does not work for you and you'd rather change how the product works, you can channel your feedback to the product group using this channel: https://windowsserver.uservoice.com/forums/304621-active-directory/suggestions/35823295-specify-primary-authentication-method-per-relying you see the request already exists but does not have a lot of votes. If that goes up, it might change in the next version.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 22%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EW%3C/text%3E%3C/svg%3E)
You shared a screenshot from 2012 R2. Is there a similar setting in 2019 anywhere? I have an app that sometimes is used by shared devices so I want it to prompt for credentials every time. The only non-shared devices are using WIA so prompting every time is fine.
Nothing has changed. You can do the things suggested in the answer.
You shared a screenshot from 2012 R2. Is there a similar setting in 2019 anywhere? I have an app that sometimes is used by shared devices so I want it to prompt for credentials every time. The only non-shared devices are using WIA so prompting every time is fine.
Is there a similar setting in 2019 anywhere?
What do you mean? If you are looking for the feature the original poster is looking for, again it does not exist and never did.
I mean the screenshot that you shared from 2012 R2, that shows an option of "Users are required to provide credentials each time at sign in)". That sounds like a feature that I want. Is it possible in 2019?
I don't need it per application or per relaying party trust.
Yes. Please create a new post that the answer will be easy to look up for other users.
I'll post the guidance there.