Windows Integrated Authentication, ADFS 3 any browser / Windows and Mac

Started by Dieselboy, September 08, 2016, 03:15:47 AM


Dieselboy

I have the following:
Windows Server 2012 ADFS 3.0 SAML SSO server
Windows 2012 AD/DNS

Windows laptops running Windows 7 and Windows 10 with a mixture of browsers: Chrome / Firefox / IE11. I have seen one person use Edge and I told them it's rubbish, use Chrome.

Apple Mac laptops with Safari / Chrome

I have Windows Integrated Authentication working for the following:
Windows: Chrome / IE11

Mac: Safari

I have Firefox working on Windows too, but I had to change the Firefox client config and specify the SSO URL. In the browser type about:config and change: network.automatic-ntlm-auth.trusted-uris
My SSO site is "https://sso.company.com", so I simply typed in "sso.company.com" and now Firefox works fine.

1. Why doesn't chrome work for WIA on the mac, when Safari works fine? :/

2. Why do I have to manually update every Firefox browser client to support WIA? :/

In ADFS, I made one change to support Chrome (well, any browser sending ID of "Mozilla/5.0" - I think Chrome/Safari and Firefox all use this)

Set-ADFSProperties -WIASupportedUserAgents (((Get-ADFSProperties).WIASupportedUserAgents)+'Mozilla/5.0')


There's lots of info online saying to disable "-ExtendedProtectionTokenCheck", but it's over a year old, and I've tried it and there's no difference. I think the browsers now support this.

Any ideas? :/
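As an added illustration (not from the original post), the script below models how the WIASupportedUserAgents allow-list on the ADFS server decides whether a browser gets a WIA (401 Negotiate) challenge or the forms page, and adds an entry idempotently. It assumes ADFS treats each entry as a substring of the client's User-Agent header; the function names and the sample User-Agent strings are constructed for the example, and the "default list" shown is an abbreviated sample, not the full shipped list.

```powershell
# Added example; assumes the ADFS module on the federation server for Add-WiaUserAgent.
# Assumption: ADFS matches a WIASupportedUserAgents entry when the User-Agent header contains it.
function Test-WiaUserAgentMatch {
    param(
        [Parameter(Mandatory)][string[]]$SupportedAgents,
        [Parameter(Mandatory)][string]$UserAgent
    )
    # Return the first configured entry found inside the User-Agent, or $null for "forms login".
    foreach ($entry in $SupportedAgents) {
        if ($UserAgent.Contains($entry)) { return $entry }
    }
    return $null
}

function Add-WiaUserAgent {
    param([Parameter(Mandatory)][string]$Entry, [switch]$Apply)
    # Read the live list, add the entry only if it is missing, write back only with -Apply.
    $current = @((Get-AdfsProperties).WIASupportedUserAgents)
    if ($current -contains $Entry) {
        Write-Host "'$Entry' is already configured; nothing to do."
        return $current
    }
    $updated = $current + $Entry
    if ($Apply) { Set-AdfsProperties -WIASupportedUserAgents $updated }
    else        { Write-Host "Dry run. Re-run with -Apply to commit this list:" }
    return $updated
}

# Abbreviated, constructed sample of the IE-only default entries (hypothetical subset).
$defaultSample = @('MSIE 8.0', 'MSIE 9.0', 'Windows NT 6.1; Trident/7.0', 'Windows NT 6.3; Trident/7.0')

# Constructed, shortened User-Agent strings for the browsers in the thread.
$samples = [ordered]@{
    'IE11 on Windows 7'   = 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'
    'Chrome on Windows 10'= 'Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/52.0 Safari/537.36'
    'Chrome on Mac'       = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) AppleWebKit/537.36 Chrome/52.0 Safari/537.36'
    'Firefox on Windows'  = 'Mozilla/5.0 (Windows NT 10.0; rv:48.0) Gecko/20100101 Firefox/48.0'
    'curl (no WIA)'       = 'curl/7.50.0'
}

foreach ($list in @(@{Name='defaults only'; Agents=$defaultSample},
                    @{Name="defaults + 'Mozilla/5.0'"; Agents=$defaultSample + 'Mozilla/5.0'})) {
    Write-Host "`nWith $($list.Name):"
    foreach ($name in $samples.Keys) {
        $hit = Test-WiaUserAgentMatch -SupportedAgents $list.Agents -UserAgent $samples[$name]
        $mode = if ($hit) { "WIA challenge (matched '$hit')" } else { 'forms login' }
        Write-Host ("  {0,-20} -> {1}" -f $name, $mode)
    }
}
```

Running the table shows why 'Mozilla/5.0' is such a blunt entry: every mainstream browser matches it, so a client that matches but cannot complete Negotiate (for example off-domain) gets a credential prompt instead of the forms page. Adding a narrower string per browser family keeps the fallback behaviour for everything else.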

deanwebb

Oh mercy! A client issue! BROWSER WARS!!! AIIIEEEE!!!

:kiwf:

Here's what we do: if someone opens up an internal SSO site with an unsupported browser (anything but Safari/IE11), the SSO site forces a transition and opens itself in the appropriate browser. I found this out yesterday when I hit it with Chrome. Fired up an IE session and let me SSO on in... Might want to look into that instead of maintaining tons of browser compatibilities.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Dieselboy

Yeah, that sounds good. How'd you do that then? :)

I posted on a Microsoft tech forum and they've advised me to run a Fiddler trace to see what's happening. My guess is that Google Chrome for Mac has a different code train compared to Google Chrome for Windows, so there's feature disparity between them :(

deanwebb

To be sure, I didn't do it. Some app writer or web developer handled that business.

Dieselboy

What you need to do is "view source" and then highlight all the relevant bits then press CTRL+C.
Lastly, come back to this thread and click reply, then in the box press CTRL+V keys on the keyboard and click post.

Once you've done that, a golden holy grail will appear, filled with the finest red wine money can't buy. Monty Python will also pop out from behind the corner of a wall and tell you something funny.
:awesome:

In all seriousness, I can understand how you can detect which browser is being used, and then I guess if the browser is *something else* you redirect to another link. But to launch a new browser means loading an app on the remote computer. This would normally be a security risk, so you would need to push a GPO to the machines to bypass all the warnings that would prevent that from happening.

Does it work with Macs?

deanwebb

Don't know about the Macs for sure, as I don't have access to one.

Tried the view source trick, but the Chrome tab got CLOSED as the IE page opened. DUN DUN DUNNNNN!
:shock:

Got some crazy juju running on our SSO web pages...