Newer version of Chrome not working for SSO/ADFS 3.0

  • Question

  • We have ADFS installed on 2012R2 and working fine for accessing an external site using SSO.

    It worked originally with IE and also worked fine with Chrome version 59 once I used Set-AdfsProperties to add Mozilla/5.0.

    However, as soon as I update Chrome to version 64, it no longer works for SSO and gives me a login box instead. The URL for the ADFS server was already in the Internet zone in IE. I have tried setting ExtendedProtectionTokenCheck to 'None' and running Chrome with the whitelist parameter to enforce allowing the ADFS URL, but it is still not working.

    I've run out of ideas of things to try.

    Tuesday, February 27, 2018 4:12 PM

Answers

  • Howdie!

    What is the user agent reported for this new Chrome version? Can you check with a website like https://www.whatismybrowser.com/detect/what-is-my-user-agent ?

    In general, we don't recommend setting ExtendedProtectionTokenCheck to "none", since that's an OS-wide man-in-the-middle prevention setting. Also, despite the fact that some websites say you should put "Mozilla/5.0" in the allowed browser list, that user agent can actually catch a number of applications that report as Mozilla/5.0 but don't actually do WIA. You may want to try a user agent in ADFS along the lines of "Chrome/", or specific, tested Chrome versions.

    Would Chrome need extra config, such as described here? https://specopssoft.com/blog/configuring-chrome-and-firefox-for-windows-integrated-authentication/

    Thanks,

    Florian


    The views and opinions expressed in my postings do NOT necessarily correlate with the ones of my friends, family or my employer. Let's give the thread opener a chance to mark an answer themselves.

    Tuesday, February 27, 2018 7:20 PM
    Moderator
  • In case someone comes across this post and needs the answer.

    On your PRIMARY AD FS server, open PowerShell (Admin Mode):

    Run the following command to add "Chrome" to your list.

    Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + "Chrome")

    Use this command to list all authorized agents.

    Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents

    You should have a list similar to this (includes Edge, Safari and old Chrome):

    MSAuthHost/1.0/In-Domain
    MSIPC
    Windows Rights Management Client
    MSIE 6.0
    MSIE 7.0
    MSIE 8.0
    MSIE 9.0
    MSIE 10.0
    Trident/7.0
    Mozilla/5.0
    Safari/6.0
    Safari/7.0
    Edge/12
    Chrome


    Thursday, November 1, 2018 9:03 PM
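    The following script is an added example, not code from this thread: it performs the same change as the answer above, but idempotently and only on the primary node, and then illustrates Florian's point about "Mozilla/5.0" by testing a few constructed User-Agent strings against the resulting list. It assumes the AD FS module cmdlets Get-AdfsProperties, Set-AdfsProperties and Get-AdfsSyncProperties are available (i.e. it runs on an AD FS server) and that AD FS treats each WIASupportedUserAgents entry as a substring of the User-Agent header; the case-insensitive comparison is an assumption.

```powershell
# Added example (not from the thread). Adds one WIA user-agent entry to AD FS
# without creating duplicates, then shows which sample user agents would match.
param([string]$NewAgent = "Chrome/")   # "Chrome/" rather than "Mozilla/5.0", per Florian's advice

# Property writes are only accepted on the primary node of a WID farm.
$role = (Get-AdfsSyncProperties).Role
if ($role -ne 'PrimaryComputer') {
    throw "This node is '$role'; run this on the primary AD FS server."
}

$current = @((Get-AdfsProperties).WIASupportedUserAgents)
if ($current -contains $NewAgent) {
    Write-Host "'$NewAgent' is already in WIASupportedUserAgents; nothing to do."
} else {
    Set-AdfsProperties -WIASupportedUserAgents ($current + $NewAgent)
    Write-Host "Added '$NewAgent'."
}

# Show the resulting list, as the answer above does.
$list = @((Get-AdfsProperties).WIASupportedUserAgents)
$list

# Constructed sample User-Agent strings (not captured from real clients).
$samples = [ordered]@{
    'Chrome 64 on Windows'    = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36'
    'Firefox 58 on Windows'   = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0'
    'Scripted non-WIA client' = 'Mozilla/5.0 (compatible; constructed-script/1.0)'
}

# Substring match against every entry (assumption: case-insensitive).
# With "Mozilla/5.0" in the list, all three samples are offered WIA, including
# the scripted client that cannot complete Negotiate; with only "Chrome/" it is
# Chrome alone.
foreach ($name in $samples.Keys) {
    $ua   = $samples[$name]
    $hits = @($list | Where-Object { $ua.IndexOf($_, [System.StringComparison]::OrdinalIgnoreCase) -ge 0 })
    "{0,-24} WIA offered: {1,-5} matched by: {2}" -f $name, ($hits.Count -gt 0), ($hits -join ', ')
}
```

    Run the matching part again after removing "Mozilla/5.0" from the list to confirm that only the intended browsers are still offered integrated authentication.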

All replies

  • Where should I run this command? I am getting the following error.

    PS C:\windows\system32> Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + “Chrome”)


    Get-ADFSProperties : The term 'Get-ADFSProperties' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:1 char:46
    + ... t-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Selec ...
    +                                                ~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (Get-ADFSProperties:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException

    Thursday, November 15, 2018 3:55 AM
  • It is right in the message. "On your PRIMARY AD FS server, open Power Shell (Admin Mode):"
    Sunday, May 5, 2019 4:32 PM
  • Hi,

    When I added "chrome" or even "Mozilla/5.0" and tried to open my link, a credential box appears asking for credentials and does not accept any input.

    When I remove them, it redirects me to the ADFS web page asking for username/password and accepts them.

    Note that it is working fine with IE and Edge.

    Any advice?

    Thanks

    Tuesday, September 3, 2019 11:59 AM
  • Has the issue been fixed? If not, try this.

    When you access it, it should say signed in; it will behave differently with the Chrome browser.

    https://your service name/adfs/ls/idpinitiatedsignon.aspx

    Use Claims X-Ray to check the authentication with the ADFS server; if it is successful, the issue should be with the RP configuration (check the claims rules).

    Thursday, October 17, 2019 1:15 PM