Allow AD FS to fall back to Forms-based authentication if Windows Integrated Authentication fails
Currently, if a browser-based user comes to the AD FS sign-in page, AD FS can only decide whether to use integrated authentication by looking at the browser's user agent string. However, t
There are cases where not all users arriving at the AD FS sign-in page can perform a Kerberos login - they might be within the IP range of the "internal" part of AD FS (in a split-brain DNS configuration) but the client may not be domain joined for various reasons, for example wireless users using BYOD. For these users Kerberos fails and it falls back to NTLM/Basic auth methods. The user receives an ugly popup box asking for credentials, with no context, branding, or guidance.
It would be better if this user was instead directed to the forms-based authentication method instead so that they received a recognisable sign-in experience (i.e. the same as if they were accessing externally).
Previously, this could be mostly worked around by setting a custom user agent string for IE and using AD group policy to push it out to all domain-joined devices, however, with the move to Windows 10 and Edge as the preferred browser, this is no longer possible (Edge does not have a customisable user agent string), so a choice needs to be made between turning on WIA for all users and accepting that non-domain-joined devices will have a poor sign-in experience, or turning off WIA for all users except those using IE11 (dwindling population).
Possible solutions in order of preference:
1. Find a way to fall back to Forms-based auth if Kerberos fails
2. Often inability to perform WIA can be location-related, so introduce a new setting that would blacklist certain network segments as being non-WIA compatible, and default to Forms-based for users accessing from those IP ranges
3. Allow Edge to have a customisable user_agent string controlled by group policy
Bertrand Gauthy commented
Do you have news about this implementation?
Samuel Devasahayam [MSFT] commented
We nearly added this in 2019 but had a set of issues, so we had to pull it back. On our backlog
Anony Moose commented
Failing back to HTML Form would solve a lot of problems for implementers.
PingFederate has this functionality in its composite adapter.
Bill Canning commented
I like this idea, but I'm not sure it can work as described because WIA is in the hands of the browser. If the browser looks like it should be able to do WIA, ADFS sends an appropriate 403 error which the browser can interpret to mean to do WIA.
I think I would be happy if AD FS supported a KioskUserAgents setting. If ADFS detects a user agent that is in the KioskUserAgents list, it forces forms-based authentication, regardless of the browser type. This would allow kiosks to be on the internal network, get a user agent set via GPO, and be easily configured to always do form-based authentication.
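The user-agent based workaround from the original request (restricting WIA to browsers carrying a Group Policy managed token, so everything else gets the forms page) and the allow-list that Bill's KioskUserAgents idea would invert, as an added example that is not part of this thread or of Microsoft's documentation. It assumes it runs on an AD FS server as an AD FS administrator, that "Contoso-DomainJoined" is a placeholder token that Group Policy appends to the IE user agent on domain-joined machines, and that AD FS matches WIASupportedUserAgents as substrings of the browser's user agent.

```powershell
# Added example: narrow the AD FS WIA allow-list to a GPO-managed token.
# "Contoso-DomainJoined" is a placeholder; Group Policy is assumed to append it
# to the IE user agent on domain-joined devices (Edge cannot be changed this way).
Import-Module ADFS

# 1. Save the current allow-list so the change can be rolled back. The defaults
#    match any IE11 (e.g. "Trident/7.0"), domain joined or not, which is why
#    BYOD devices end up at the NTLM/Basic credential popup.
$backupPath = Join-Path $env:TEMP 'WIASupportedUserAgents.before.txt'
(Get-AdfsProperties).WIASupportedUserAgents | Out-File -FilePath $backupPath

# 2. Only browsers whose user agent contains the managed token are offered WIA;
#    every other browser (BYOD, kiosks, Edge) falls through to forms-based sign-in.
$allowList = @('Contoso-DomainJoined')
Set-AdfsProperties -WIASupportedUserAgents $allowList

# 3. Approximates the substring check AD FS applies (assumption) so the list can
#    be sanity-checked against real user agents before users notice a change.
function Test-WiaUserAgent {
    param([string]$UserAgent, [string[]]$Tokens)
    foreach ($token in $Tokens) {
        if ($UserAgent -like "*$token*") { return $true }
    }
    return $false
}

# Constructed sample user agents: a GPO-managed IE11 and an unmanaged IE11.
$managedIe   = 'Mozilla/5.0 (Windows NT 10.0; Trident/7.0; Contoso-DomainJoined; rv:11.0) like Gecko'
$unmanagedIe = 'Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko'
Test-WiaUserAgent -UserAgent $managedIe   -Tokens $allowList   # True  -> WIA
Test-WiaUserAgent -UserAgent $unmanagedIe -Tokens $allowList   # False -> forms

# Rollback if needed:
# Set-AdfsProperties -WIASupportedUserAgents (Get-Content $backupPath)
```

A kiosk deny-list as proposed in the comment above would need the opposite test (token present forces forms), which AD FS does not expose today; with the current allow-list the only lever is to keep the token off the kiosk browsers.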