ADFS 3.0 Mobile devices not being presented with forms authentication on intranet

  • Question

  • We have Server 2012 R2 and ADFS 3.0 set up for Windows and forms authentication in the intranet policy. However, mobile devices (Android/iOS) are not being presented with forms authentication when on the intranet; instead the page just times out. They are presented with forms authentication when coming in as external traffic.

    Below is the current WIASupportedUserAgents property:

    MSAuthHost/1.0/In-Domain
    MSIE 6.0
    MSIE 7.0
    MSIE 8.0
    MSIE 9.0
    MSIE 10.0
    Trident/7.0
    MSIPC
    Windows Rights Management Client

    Thursday, December 31, 2015 9:07 PM
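The list above is what AD FS consults before deciding whether to send a Windows Integrated (WIA) challenge or fall back to forms. The following PowerShell is an added example, not code from the thread: run on an AD FS 3.0 farm node, it reads the farm's current WIASupportedUserAgents value and checks candidate User-Agent strings against it the way AD FS does, by substring match (the case-insensitive comparison is an assumption made here; the Android string is the one posted below in this thread, the other two sample strings are constructed).

```powershell
# Added example: evaluate which User-Agent strings AD FS 3.0 will treat as WIA-capable.
# Assumes the ADFS module is available (run on a farm node as an AD FS administrator).
Import-Module ADFS

$props     = Get-AdfsProperties
$wiaAgents = @($props.WIASupportedUserAgents)
"Current WIASupportedUserAgents:"
$wiaAgents | ForEach-Object { "  $_" }

function Test-WiaUserAgent {
    param(
        [Parameter(Mandatory)][string]$UserAgent,
        [Parameter(Mandatory)][string[]]$SupportedAgents
    )
    # AD FS matches an entry when it appears anywhere in the User-Agent header.
    # Case-insensitivity is an assumption of this example.
    $hit = $SupportedAgents |
        Where-Object { $UserAgent.IndexOf($_, [System.StringComparison]::OrdinalIgnoreCase) -ge 0 } |
        Select-Object -First 1
    $expected = if ($hit) { 'WIA (401 Negotiate challenge)' } else { 'Forms fallback' }
    [pscustomobject]@{
        UserAgent    = $UserAgent
        MatchedEntry = $hit
        Expected     = $expected
    }
}

# Sample User-Agent strings. The Android one is from this thread; the IE 11 and iOS
# strings are constructed examples of typical values.
$samples = @(
    'Mozilla/5.0 (Linux; Android 5.1; LG-H810 Build/LMY47D) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36',
    'Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko',
    'Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13C75 Safari/601.1'
)
$samples |
    ForEach-Object { Test-WiaUserAgent -UserAgent $_ -SupportedAgents $wiaAgents } |
    Format-Table -AutoSize

# To keep WIA for managed IE/Windows clients only, set the whole list explicitly.
# -WIASupportedUserAgents replaces the current value; it does not append to it.
# Set-AdfsProperties -WIASupportedUserAgents @(
#     'MSAuthHost/1.0/In-Domain', 'MSIE 6.0', 'MSIE 7.0', 'MSIE 8.0', 'MSIE 9.0', 'MSIE 10.0',
#     'Trident/7.0', 'MSIPC', 'Windows Rights Management Client'
# )
```

With the list shown in the question, the Android and iOS strings match no entry and should get the forms page, while the IE 11 string matches `Trident/7.0` and gets a WIA challenge. If a device that matches nothing still never sees a form, the cause is somewhere other than this property.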

Answers

  • Maybe it is failing at another level. Are those devices SNI capable? Do you have a network capture?

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by Zjones Monday, January 11, 2016 11:04 PM
    Friday, January 8, 2016 3:36 PM

All replies

  • In the event that you allow BYOD clients to connect to your network in the same way that managed clients connect via the AD FS farm (rather than the proxy), then you're limited by the user agent values they pass. In other words, you need to distinguish and limit managed clients to a limited set of WIASupportedUserAgents settings so that other clients defer to forms-based logon. If you support a broad set of user agents for your managed devices beyond IE (e.g. Chrome/Firefox) then your options may be limited.


    http://blog.auth360.net

    Saturday, January 2, 2016 12:08 AM
  • From the list provided by the WIASupportedUserAgents property, would the Android or iOS device user agents be considered "supported"?

    To me it seems they would be presented with the forms login, because I don't see any Android, Linux, Mozilla or Apple values in the WIASupportedUserAgents property list. Am I reading this wrong?

    Example user agent string from my Android phone, from the Google Chrome app:

    Mozilla/5.0 (Linux; Android 5.1; LG-H810 Build/LMY47D) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36


    • Edited by Zjones Wednesday, January 6, 2016 3:49 PM
    Wednesday, January 6, 2016 3:49 PM
  • Have a look here: https://social.technet.microsoft.com/Forums/windowsserver/en-US/cef5044f-9da7-4356-b11f-7a281796eafd/sso-with-office-365-adfs-logon-web-site-authentication-browser-support?forum=ADFS

    It covers how to enable SSO for Chrome. Tell us if that helps!



    Wednesday, January 6, 2016 4:42 PM
  • Thank you for the article; we may use it in the future, but I'm not asking for help getting SSO to work on browsers other than IE. My issue is that when a mobile device (not a domain computer using an alternate browser) tries to authenticate to our ADFS via an app or mobile web browser, the redirect to the ADFS server times out on the internal network. On the external network it works just fine. The mobile device is never presented with the option to use the forms login, even though it is checked off in the ADFS 3.0 Global Primary Authentication for the internal network.
    Thursday, January 7, 2016 3:14 PM
  • Maybe it is failing at another level. Are those devices SNI capable? Do you have a network capture?


    • Marked as answer by Zjones Monday, January 11, 2016 11:04 PM
    Friday, January 8, 2016 3:36 PM
  • From what I can tell, all devices meet the requirements for SNI support.

    Mobile Browsers

    • Mobile Safari for iOS 4 and later
    • Android default browser on Honeycomb (v3.x) and later
    • Windows Phone 7

    All of the devices I tested are well above these OS versions. I have not run a capture, but I can. I would need help knowing what to look for. Do you prefer Wireshark or Microsoft Network Monitor?

    Friday, January 8, 2016 4:15 PM
  • Up to you. They both produce files readable by both products.


    Monday, January 11, 2016 2:39 PM
  • Well, I found the issue: it was a routing mistake. The BYOD network was not added to the Azure site-to-site VPN ACL. I'm sorry for not checking network connectivity first. I'm going to mark Pierre Audonnet's reply about getting a capture as the answer, because that is what ultimately made me double-check the network connectivity.
    Monday, January 11, 2016 11:04 PM
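The resolution above is a reminder to verify the path to the farm before touching authentication policy. The following PowerShell is an added example, not code from the thread: run from a Windows machine on the same segment as the mobile devices (for instance the BYOD VLAN), it checks name resolution and TCP 443 reachability to the internal AD FS farm, traces the route, and then requests the IdP-initiated sign-on page while presenting the Android User-Agent from this thread, so you can see whether AD FS answers with a forms page or a WIA challenge. The federation service name `adfs.contoso.com` is an assumption; the `type="password"` check is a heuristic for the AD FS 3.0 forms page.

```powershell
# Added example: client-side checks for the "mobile device times out on the intranet" symptom.
# Assumes Windows 8.1 / Server 2012 R2 or later (Test-NetConnection, Resolve-DnsName).
$fsName    = 'adfs.contoso.com'   # assumption: replace with your federation service name
$androidUA = 'Mozilla/5.0 (Linux; Android 5.1; LG-H810 Build/LMY47D) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36'

# 1. Name resolution: internal clients must resolve the farm (or its load balancer),
#    not the Web Application Proxy. A split-brain DNS mistake shows up here.
Resolve-DnsName -Name $fsName -Type A | Select-Object Name, IPAddress

# 2. TCP 443 reachability, then the route taken (separate calls: -Port and -TraceRoute
#    belong to different parameter sets). A missing VPN ACL or firewall rule for the
#    BYOD subnet fails here, before any HTTP exchange happens.
$tnc = Test-NetConnection -ComputerName $fsName -Port 443
$tnc | Select-Object RemoteAddress, TcpTestSucceeded
(Test-NetConnection -ComputerName $fsName -TraceRoute).TraceRoute

if (-not $tnc.TcpTestSucceeded) {
    Write-Warning 'TCP 443 to the federation service is blocked; fix routing/firewall before looking at authentication settings.'
    return
}

# 3. Request the IdP-initiated sign-on page (enabled by default on AD FS 3.0) as a
#    mobile browser would. HTTP 200 with a password form = forms fallback;
#    HTTP 401 with WWW-Authenticate: Negotiate = AD FS treated the UA as WIA-capable,
#    which a non-domain device cannot complete and which looks like a hang or blank page.
$url = "https://$fsName/adfs/ls/IdpInitiatedSignon.aspx"
try {
    $resp = Invoke-WebRequest -Uri $url -UserAgent $androidUA -UseBasicParsing -TimeoutSec 20
    $body = if ($resp.Content -match 'type="password"') { 'forms sign-in page returned' } else { 'no password form in body' }
    "HTTP $($resp.StatusCode): $body"
}
catch [System.Net.WebException] {
    $r = $_.Exception.Response
    if ($r) {
        "HTTP $([int]$r.StatusCode); WWW-Authenticate: $($r.Headers['WWW-Authenticate'])"
    } else {
        # No response at all (timeout, TLS failure, reset): back to the network layer.
        "No HTTP response: $($_.Exception.Status) - $($_.Exception.Message)"
    }
}
```

If step 2 fails or step 3 reports no HTTP response, the problem is connectivity or TLS, not the authentication policy; a packet capture taken while repeating step 3 will show whether the SYN is answered and whether the TLS ClientHello carries an SNI name the farm can bind to.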
  • Can you expand on this? I have the exact same issue.

    Intranet Android devices seem to be presented with forms and WIA, but are not accepting forms even though my policy offers both.

    I have iOS devices that are connecting fine.

    It's all about Cisco Spark.


    Thanks, Matt Alter

    Thursday, January 5, 2017 6:58 PM
  • @Zjones, 

    I have a client who is hitting the exact same issue with our application. 

    When they access ADFS directly over the LAN without WAP in between, iOS devices are presented with the ADFS forms but Android devices see a blank screen; I can see that they are hitting the WIA URL. I have double-checked that the Android user agent is not added as a WIA client and that fallback is configured.

    Appreciate your inputs. 

    Thursday, June 28, 2018 5:18 AM