ADFS 3.0 IWA Browser Clients Support for Firefox and Safari

Mar 27th, 2014

With Windows Server 2012 R2, the ADFS 3.0 architecture has some changes, such as no longer requiring IIS. Without IIS, most customizations have to be done through PowerShell and JavaScript modifications.

Currently, and by design, Integrated Windows Authentication (IWA) is not supported for most browsers, such as Chrome, Firefox, and Safari (by default only IE is supported). Because of this, users of an unsupported browser client will always be presented with the ADFS logon form for user name and password when using Single Sign-On (SSO), even when they are on the internal network.

Here are the steps to add your browser client of choice for IWA. The ADFS properties WIASupportedUserAgents and ExtendedProtectionTokenCheck will be modified.

1. On your ADFS 3.0 server, open PowerShell with Run as Administrator.

2. View the current settings by entering:

$FormatEnumerationLimit=-1 #this will expand the list display view so the full user-agent list is shown instead of a truncated one
Get-AdfsProperties

Note the values shown for ExtendedProtectionTokenCheck and WIASupportedUserAgents; you will need them if you want to roll back later.

[Screenshot: Get-AdfsProperties output when $FormatEnumerationLimit=-1 is not used (the WIASupportedUserAgents list is truncated).]

[Screenshot: Get-AdfsProperties output when $FormatEnumerationLimit=-1 is used (the full WIASupportedUserAgents list is shown).]

3. Turn off Extended Protection for Authentication (EPA) and Channel Binding Token (CBT) checking by changing ExtendedProtectionTokenCheck from “Allow” to “None”:

Set-ADFSProperties -ExtendedProtectionTokenCheck None

4. Add the browser client of choice. In my case, I will enable Firefox version 5.0 and Safari versions 6.0 and 7.0 by entering:

Set-ADFSProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Mozilla/5.0", "Safari/6.0", "Safari/7.0")

The syntax has to be exactly right (straight quotes, comma-separated strings inside @( )) for this to work properly.

5. Run the commands from step 2 again to see your changes.

6. Restart the ADFS service and you are done.

To roll back any of the above changes, follow the same steps and enter the original values noted in step 2.
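The whole procedure above, as one added PowerShell script that is not part of the original post: it records the two original property values to a file before changing anything, appends the new user agents to the existing list instead of retyping it (so nothing already allowed is dropped), verifies the result, restarts the service, and provides a rollback function that restores the saved values. It assumes an ADFS 3.0 server with the ADFS PowerShell module, an elevated session, and a backup file location of my choosing. Two caveats worth knowing before running it: setting ExtendedProtectionTokenCheck to None removes the channel-binding check that EPA provides against credential relay, so confirm that trade-off is acceptable in your environment (Require and Allow are the stricter settings); and the WIASupportedUserAgents entries are matched as substrings of the browser's User-Agent header, and "Mozilla/5.0" appears in the User-Agent of nearly every modern browser, so adding it effectively enables IWA for far more than Firefox.

```powershell
# Added example, not from the original post. Assumes an AD FS 3.0 server with the
# ADFS module installed and an elevated PowerShell session.
#Requires -RunAsAdministrator
Import-Module ADFS

# Expand collection display so the full user-agent list is visible (step 2)
$FormatEnumerationLimit = -1

# Step 2: capture the current values so they can be restored later
$before = Get-AdfsProperties
$backup = [pscustomobject]@{
    ExtendedProtectionTokenCheck = [string]$before.ExtendedProtectionTokenCheck
    WIASupportedUserAgents       = @($before.WIASupportedUserAgents)
}
$backupPath = Join-Path $env:TEMP 'adfs-wia-backup.json'   # assumed location
$backup | ConvertTo-Json -Depth 3 | Set-Content -Path $backupPath
Write-Host "Original values saved to $backupPath"
$before | Select-Object ExtendedProtectionTokenCheck, WIASupportedUserAgents | Format-List

# Step 3: disable the EPA / channel binding token check (weakens relay protection)
Set-AdfsProperties -ExtendedProtectionTokenCheck None

# Step 4: add the new user-agent substrings on top of whatever is already allowed.
# "Mozilla/5.0" matches nearly every modern browser, not only Firefox.
$newAgents = @('Mozilla/5.0', 'Safari/6.0', 'Safari/7.0')
$agents = (@($before.WIASupportedUserAgents) + $newAgents) | Select-Object -Unique
Set-AdfsProperties -WIASupportedUserAgents $agents

# Step 5: show the new values
Get-AdfsProperties | Select-Object ExtendedProtectionTokenCheck, WIASupportedUserAgents | Format-List

# Step 6: restart the AD FS service so the settings take effect
Restart-Service -Name adfssrv

# Rollback: re-apply the values saved in step 2 and restart again
function Restore-AdfsWiaSettings {
    param([string]$Path = $backupPath)
    $saved = Get-Content -Path $Path -Raw | ConvertFrom-Json
    Set-AdfsProperties -ExtendedProtectionTokenCheck $saved.ExtendedProtectionTokenCheck `
                       -WIASupportedUserAgents @($saved.WIASupportedUserAgents)
    Restart-Service -Name adfssrv
}
```

Run the script once to apply the change; call Restore-AdfsWiaSettings afterwards if you need to return to the original configuration. Keeping the backup JSON alongside your change record gives you an auditable before/after of both properties.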
