Introduction


Using claims aware applications on a shared computer or kiosk adds additional challenges for configuration.  One common challenge faced by administrators is with users gaining access to applications as the previous user.

Scenario:
- User A browses to a claims aware application and is redirected to AD FS for authentication
- User A is prompted for authentication (Windows Integrated Authentication specifically), enters their credentials, and is directed back to the application
- User A is finished and clicks the logout button which logs them out of the application and AD FS
- User A leaves the browser session active and User B starts to use the same browsing session
- User B browses to the same application and is redirected to AD FS for authentication
- User B is not prompted for authentication. 
- Instead the browser sends User A's credentials automatically, and the user is redirected back to the application and is logged in as User A.


Why this occurs

Internet browsers will cache the credentials of a user during the same browsing session and will automatically try these credentials before prompting the user again.  In this case, the browser has no way to know that a different user is now using the workstation.

If User A had closed the browser, this would not occur.  Educating users to close the browser is one method to combat this, but it is not always practical.

Configuration Options

One option would be to change the default authentication type to forms based authentication.  When using forms based authenticaiton, the browser will not autmatically send the credentials so this situation is avoided.  The downside to this configuration is that all users will be prompted for authentication and users will lose the single sign on experience.  You can find the instructions on how to do this here

Another option would be to redirect the shared comptuers and kiosks to the AD FS 2.0 Proxy server.  The default authentication type on the AD FS 2.0 Proxy server is forms based authentication.  This can be accomplished by putting a host file on each shared computer that points the DNS name of the federation server to the proxy server.  The downside to this configuration is the managability aspect as each administrator must put the host file on every shared workstation.

Keep in mind that both of these configuraiton options still require the user actually log out of the application & federation service.