ADFS 3.0: Chrome users repeteadly prompted for credentials

This error is related with the error in ADFS 2.0 in the post: https://sharepointrescue.wordpress.com/2015/11/05/adfs-2-0-chrome-users-repeteadly-prompted-for-credentials/

But in this case we are working with ADFS 3.0 so we don’t use IIS anymore, but there are other default settings working against Our Chrome users, so lets have a look at what we need to change.

Chrome only uses NTLM Authentication, so first we need to allow this by setting the ExtendedProtectionTokenCheck to None.

Set-ADFSProperties –ExtendedProtectionTokenCheck None

Then we need to alter the current list of supported user-agents for NTLM, which basicly means we need to allow Chrome within the list of browser we want to support. Get the list over allready supported browsers:

Get-ADFSProperties | Select  -ExpandProperty WIASupportedUserAgents

It will show a list of supported browser which by default is:

adfschrome-300x134

Then we add all these and Chrome, or to be Clear, we add what ADFS think Chrome is:

Set-ADFSProperties -WIASupportedUserAgents @(“MSIE 6.0″, “MSIE 7.0″, “MSIE 8.0″, “MSIE 9.0″, “MSIE 10.0″, “Trident/7.0″, “MSIPC”, “Windows Rights Management Client”, “Mozilla/5.0“)

Which is Mozilla v5.0, then restart the Active Directory Federation Service to use the changes.

Advertisements

ADFS 2.0: Chrome users repeteadly prompted for credentials

Hi all!

Recently I came across into an issue related with ADFS2.0, SharePoint 2013 and Chrome. The problem was that I configured SharePoint to work with ADFS, it seems that all worked well, I tested the web application with IE and works well. But, for my surprise, when I tried to test the Web Application with Chrome it prompted the credentials several times until it shows the message of “Access Denied”

At the beggining I was stuck with the problem and also I was doubting from my initial configuration, so I tried again with IE in another web application and it worked well. First match ball saved.

So, again, I configured another time the web application to work with adfs, I tested again with IE and it worked, but when I tried with Chrome, the same behaviour as before.

So I started to dig about it, and I found 2 KB’s of Microsoft explaining the problem and possible solutions: https://support.microsoft.com/en-us/kb/2709891 and https://support.microsoft.com/en-us/kb/2461628

The first solution is to configure in each registry of the computer that experienced that problem with Chrome the following:

1. On the computer where the web browser is experiencing the issue, start Registry Editor (regedit), and locate the following subkey.
HKEY_LOCAL_MACHINESystemCurrentControlSetControlLsa

2. In the Lsa subkey, locate the SuppressExtendedProtection value. If the value does not exist, you must add it. To add the value, right-clickLsa, point to New, and then click DWORD (32-bit) Value. Type SuppressExtendedProtection, and then press ENTER.

3. Right-click SuppressExtendedProtection, click Modify, and enter 1 (REG_DWORD).

4. Click OK and close Registry Editor.

The second solution is not recommended by Microsoft, but it is still valid.

Execute the following command to disable Extended Protection TokenCheck (See notes for what this is at the bottom of this article)

  1. Set-ADFSProperties –ExtendedProtectionTokenCheck None
  2. Restart the Active Directory Federation Services service on each of the ADFS farm servers for the changes to take effect.  You do not need to make any changes to the proxy servers.

Notes
ExtendedProtectionTokenCheck – Copied directly from technet – Specifies the level of extended protection for authentication supported by the federation server. Extended Protection for Authentication helps protect against man-in-the-middle (MITM) attacks, in which an attacker intercepts a client’s credentials and forwards them to a server. Protection against such attacks is made possible through a Channel Binding Token (CBT) which can be either required, allowed or not required by the server when establishing communications with clients.  http://technet.microsoft.com/en-us/library/ee892317.aspx

The other option is in the ADFS server, change the following:

Open IIS Management and browse Down to the LS Site. Open Authentication and choose Windows Authentication. Then Advanced Settings in Your right sidebar:

adfsiis2

Set Extended Protection to Off.

After I made one of these changes, I was able to login to the Web Application with Chrome

Hope it helps!