Internet Explorer 11 ADFS Certificate Credential Dialog opens behind browser.

  • Question

  • L.S.

    For a customer we've created a website that has an ADFS login via a certificate installed on the client's computer. With Edge and Chrome, a dialog pops up to select the certificate. With IE11, the dialog pops up, but it's behind the browser. Most users don't even see the dialog that popped up and click the login button again, resulting in a 403. This is a major issue for our customer. How can we make sure the dialog pops up on top of IE11 like it does with Edge and Chrome?

    Regards,

    Joost

    Wednesday, January 3, 2018 4:10 PM

All replies

  • Hi Joost,

    Windows and IE versions?

    Which IE security zone does the domain map to? (File>Properties menu in IE)

    Have you tried in NoAddons mode (start>run>iexplore.exe -extoff)?

    IE has its own popup blocker built-in to the browser, there is no need for more from third-party vendors.... Scripted windows outcomes also depend on which IE security zone a domain is mapped to.

    The Google Toolbar add-on for MSIE has an additional popup blocker, form filler, search box, and phishing filter (site verification) that you no longer need (since these functions are already built-in), so you can safely uninstall the GTB and use the built-in IE features.

    If possible include links to problem websites with your questions.

    Regards.


    Rob^_^

    Monday, January 8, 2018 3:03 AM
  • I didn't find any kind of dialogue box behind Internet Explorer 11.
    Monday, January 8, 2018 7:06 AM
  • Hi Rob,

    As pointed out, the clients of our customer experience this. So I assume various versions of Windows. But all are with IE11 as described in the title and ticket. I'm not talking about pop-ups here. I'm talking about a security dialog. The browser has to read a PFX certificate, so basically needs access to the client's local certificate repository. I've been able to reproduce this problem on a Windows 10 (64-bit) machine with IE11.

    Here is the link where the problem occurs, but mind you, you can only reproduce if you have a certificate installed on your computer. Browse to: https://www.rdw.nl/zakelijk/inloggen and click the button "Inloggen met certificaat".

    Kind regards,

    Joost


    • Edited by Joost Bollen Monday, January 8, 2018 10:18 AM Made the link clickable
    Monday, January 8, 2018 10:06 AM
  • Hi,

    the button form has no action or target attributes.

    <form method="post" >
    <input class="btn btn--primary" type="submit" value="Inloggen met certificaat"/>
    </form>

    Probably your clients have placed your domain in their IE Trusted sites list and the security zone setting "Prevent navigation into a zone of lower integrity" prevents navigation into the same window.

    I would guess that the common client setting is that they have placed https://www.rdw.nl in their IE trusted sites list.

    A workaround may be to use action="https://www.rdw.nl" target="_blank" (viz: the certificate root folder).

    or

    If your clients use your site in conjunction with their intranet web sites, map https://*.rdw.nl to their Intranet IE security zone.

    Best practices suggest that you should isolate your credential verification to its own folder on your servers' directory structure.

    See https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/

    Regards.


    Rob^_^

    Monday, January 8, 2018 10:58 PM
  • Hi Rob,

    Thanks for your reply. The button works with Microsoft ADFS magic. Meaning it does a post request to the server which has the ADFS settings, which result in a redirect to the trusted issuer of the customer (based on the settings). So no, there is no trusted domain. As I said before, the dialog I am talking about is not a pop-up. It is a security dialog prompted by the OS.

    With all due respect, everything you're pointing at is not in this direction and also does not explain why it does work perfectly fine on Edge or Chrome. My suspicion is that this is a bug with Internet Explorer 11, where they've set their Z value too high. We are a Microsoft Gold partner, but their regular support had no idea how to handle this bug so they said I should try the techforum.

    Kind regards,

    Joost



    Tuesday, January 9, 2018 8:46 AM