Dialog to intranet site with username / password instead pin

%3CLINGO-SUB%20id%3D%22lingo-sub-1549592%22%20slang%3D%22en-US%22%3EDialog%20to%20intranet%20site%20with%20username%20%2F%20password%20instead%20pin%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1549592%22%20slang%3D%22en-US%22%3E%3CP%3EDear%20reader%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20a%20intranet%20application%20in%20production%20for%20submitting%20printed%20material%20to%20our%20printshops%20which%20uses%20on%20premises%20AD%20authentication.%20(%3CA%20href%3D%22https%3A%2F%2Fwww.canon-europe.com%2Fsoftware%2Fprismadirect%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.canon-europe.com%2Fsoftware%2Fprismadirect%2F%3C%2FA%3E)%3C%2FP%3E%3CP%3ESo%20a%20user%20who%20works%20on%20a%20on%20premises%20joined%20workstation%20or%20VMware%20based%20virtual%20desktop%20and%20wants%20to%20use%20the%20intranet%20application%20does%20not%20need%20a%202nd%20logon%20for%20it.%20It%20works%20well%20with%20Edge%20stable.%3C%2FP%3E%3CP%3EUsers%20on%20AAD%20joined%20intune%20laptops%20(large%20numbers%20in%20the%20current%20situation)%20using%20Edge%20stable%20(and%20Dev%20and%20Beta%20for%20that%20matter)%20are%20prompted%20with%20a%20Windows%20security%20dialog%20box%20like%20below%3A%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Windows%20security%20prompt%20with%20pin.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F208378i38ED3909065DAA07%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22Windows%20security%20prompt%20with%20pin.png%22%20alt%3D%22Windows%20security%20prompt%20with%20pin.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%E2%80%83%3C%2FP%3E%3CP%3EThis%20behaviour%20is%20to%20be%20expected%2C%20and%20not%2C%20at%20the%20same%20time.%3C%2FP%3E%3CP%3EIt%20is%20because%20of%20the%20domain%20is%20different%2C%20and%20thus%20security%20is%20different%2C%20and%20for%20example%20some%20users%20logon%20to%20their%20intune%20laptops%20using%20a%20pin%20instead%20username%20%2F%20password.%3C%2FP%3E%3CP%3EIt%20is%20not%20because%20Edge%20(or%20Windows)%20always%20prompts%20with%20a%20pin%2C%20even%20if%20the%20user%20is%20logged%20on%20with%20username%20%2F%20password.%3C%2FP%3E%3CP%3EIt%20presents%20the%20user%20with%20a%20cryptic%20puzzle%3A%20a%20pin%20does%20not%20work%20on%20the%20intranet%20site%2C%20and%20getting%20there%20is%20awkward.%20The%20user%20must%20click%20%22Meer%20keuzes%22%20(more%20choices)%20and%20then%20%22Use%20other%20account%22%20which%20then%20presents%20the%20dialog%20for%20%22e-mail%20address%20%2F%20password%22%2C%20which%20can%20be%20used.%3C%2FP%3E%3CP%3EChrome%20does%20not%20have%20this%20issue%2C%20using%20different%20authentication%20etc.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20question%20is%3A%20how%20do%20we%20configure%20Windows%20%2F%20Edge%20to%20use%20the%26nbsp%3B%22e-mail%20address%20%2F%20password%22%20choice%20for%20this%20intranet%20app%20or%20better%20be%20more%20intelligent%20with%20it%3F%3F%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnyone%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%2C%3C%2FP%3E%3CP%3EHenno%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1699872%22%20slang%3D%22en-US%22%3ERe%3A%20Dialog%20to%20intranet%20site%20with%20username%20%2F%20password%20instead%20pin%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1699872%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F400875%22%20target%3D%22_blank%22%3E%40Henno_Keers%3C%2FA%3E%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%20for%20your%20inquiry.%20When%20Edge%20is%20prompting%20the%20dialog%20you%20have%20screen-captured%20below%2C%20Edge%20is%20trying%20to%20use%20the%20H4B%20(Windows%20Hello%20for%20Business%20pin)%20as%20the%20security%20mechanism%20to%20authorize%20Windows%20to%20release%20the%20primary%20account%20connected%20to%20Windows%20to%20the%20web%20resource.%20So%2C%20in%20this%20case%20with%20your%20AAD%20Intune%20users%2C%20Edge%20is%20allowing%20the%20user%20to%20share%20the%20AAD%20from%20the%20computer%20to%20PRISMAdirect.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3EHow%20does%20this%20fit%20with%20your%20expectations%3F%20On%20these%20AAD%20Intune%20computers%2C%20when%20the%20users%20are%20clicking%20%22More%20choices%22%20and%20then%20entering%20a%20username%20and%20password%2C%20what%20account%20are%20they%20entering%3F%20An%20on-prem%20AD%20account%20or%20their%20AAD%3F%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3EHappy%20to%20help%20here%20%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fhtml%2Fimages%2Femoticons%2Fsmile_40x40.gif%22%20alt%3D%22%3Asmile%3A%22%20title%3D%22%3Asmile%3A%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3EPalmer%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Frequent Contributor

Dear reader,

 

We have a intranet application in production for submitting printed material to our printshops which uses on premises AD authentication. (https://www.canon-europe.com/software/prismadirect/)

So a user who works on a on premises joined workstation or VMware based virtual desktop and wants to use the intranet application does not need a 2nd logon for it. It works well with Edge stable.

Users on AAD joined intune laptops (large numbers in the current situation) using Edge stable (and Dev and Beta for that matter) are prompted with a Windows security dialog box like below:

Windows security prompt with pin.png

This behaviour is to be expected, and not, at the same time.

It is because of the domain is different, and thus security is different, and for example some users logon to their intune laptops using a pin instead username / password.

It is not because Edge (or Windows) always prompts with a pin, even if the user is logged on with username / password.

It presents the user with a cryptic puzzle: a pin does not work on the intranet site, and getting there is awkward. The user must click "Meer keuzes" (more choices) and then "Use other account" which then presents the dialog for "e-mail address / password", which can be used.

Chrome does not have this issue, using different authentication etc.

 

My question is: how do we configure Windows / Edge to use the "e-mail address / password" choice for this intranet app or better be more intelligent with it???

 

Anyone?

 

Regards,

Henno 

1 Reply

Hi @Henno_Keers,

 

Thanks for your inquiry. When Edge is prompting the dialog you have screen-captured below, Edge is trying to use the H4B (Windows Hello for Business pin) as the security mechanism to authorize Windows to release the primary account connected to Windows to the web resource. So, in this case with your AAD Intune users, Edge is allowing the user to share the AAD from the computer to PRISMAdirect.

 

How does this fit with your expectations? On these AAD Intune computers, when the users are clicking "More choices" and then entering a username and password, what account are they entering? An on-prem AD account or their AAD?

 

Happy to help here :smile:

Palmer