
adfs and wia fallback

Jakob_Di
Occasional Visitor

Hi

 

current setup. 

1. login to 3rd party web app using ADFS

2. WIA works from domain joined clients on LAN

3. all external clients login using forms based og login page on ADFS

4. internal non-domain joined clients and iPads/Macs won't fall back to username/password on internal LAN, and will somehow go directly to 3rd party's web app showing Access Denied

5. 3rd party web app is configured to use WIA when auth request comes from our LAN public IPs, and password protect when it comes from any other public IPs

 

Problem.

1. having non-domain joined clients, and non-Windows systems fall back to username/password auth when on LAN

 

Troubleshooting steps taken

1. get-AdfsGlobalAuthenticationPolicy

PrimaryIntranetAuthenticationProvider - (FormsAuthentication, WindowsAuthentication)

WindowsIntegratedFallbackEnabled - True

2. added Chrome iOS agent to supported agents (Mozilla/5.0 (Macintosh; Intel Mac OSX)

 

Will this have to be tweaked at 3rd party web app as well?
We have other 3rd party systems configured and they work with WIA fallback
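
The following PowerShell is an added example, not part of the original post or its reply: it checks which client User-Agent strings match the supported-agents list the post mentions, and so which clients would be offered WIA rather than the forms page. `Test-WiaUserAgent` is a hypothetical helper, the sample list and User-Agent strings are constructed, and case-insensitive substring matching is an assumption about how AD FS compares entries.

```powershell
# Added example. Assumption: AD FS attempts WIA when the request's User-Agent
# contains one of the WIASupportedUserAgents entries (case-insensitive substring),
# and with WindowsIntegratedFallbackEnabled = True serves the forms page otherwise.

function Test-WiaUserAgent {          # hypothetical helper, not an AD FS cmdlet
    param(
        [Parameter(Mandatory)][string[]]$SupportedAgents,
        [Parameter(Mandatory)][string]$UserAgent
    )
    # First configured entry that occurs inside the User-Agent, if any
    $hit = $SupportedAgents |
        Where-Object { $UserAgent.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 } |
        Select-Object -First 1
    [pscustomobject]@{
        Outcome      = if ($hit) { 'WIA challenge' } else { 'Forms fallback' }
        MatchedEntry = $hit
        UserAgent    = $UserAgent
    }
}

# On an AD FS server, read the live list; elsewhere use a constructed sample.
if (Get-Command Get-AdfsProperties -ErrorAction SilentlyContinue) {
    $supported = (Get-AdfsProperties).WIASupportedUserAgents
} else {
    $supported = @(
        'MSIE 6.0', 'Trident/7.0', 'MSIPC',          # constructed sample entries
        'Mozilla/5.0 (Macintosh; Intel Mac OSX'       # entry as written in the post
    )
}

# Constructed User-Agent strings for the client types named in the post
$clients = @(
    'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko',
    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0 Safari/605.1.15',
    'Mozilla/5.0 (iPad; CPU OS 13_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/78.0.3904.84 Mobile/15E148 Safari/604.1'
)

$clients |
    ForEach-Object { Test-WiaUserAgent -SupportedAgents $supported -UserAgent $_ } |
    Format-Table -AutoSize -Wrap
```

Under that assumption, any entry that matches a device unable to complete WIA sends it a WIA challenge rather than the forms page, so the list is worth reviewing entry by entry against the User-Agent strings the clients actually send.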

1 Reply

@Jakob_Di

Hello! You've posted your question in the Community Discussion space, which is intended for discussion around the Tech Community website itself, not product questions. I'm moving your question to the Windows Server space- please post Windows Server questions here in the future. 
