Tuesday, May 08, 2012

ADFS : Beware automatic WIA (Windows Integrated Authentication)


IE has the neat feature that if you are on the Intranet and you navigate to a site that requires authentication, IE checks if you have a Kerberos ticket (derived from when you logged into your desktop) and, if so, logs you in under the hood.

The problem when you are playing around with ADFS and WIA is that you can’t tell whether the site you are going to logged you in automatically (via that Kerberos ticket) or whether you have somehow removed or screwed up the authentication option you are actually trying to test!

There are a number of workarounds:

  • Use Firefox (which by default doesn’t do this).
  • IE / Tools / Internet Options / Security / Local Intranet Zone / Custom / Scroll down to User Authentication – Logon and ensure that “Automatic logon only in Intranet zone” is not enabled.
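The second workaround is a per-user registry setting, so it can be checked and changed from a script instead of clicking through the dialog. The PowerShell below is an added example, not code from the original post: it reads the Local Intranet zone's (zone id 1) `1A00` "Logon" value under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1`, reports which option is in force, and can switch it to "Prompt for user name and password" so IE can no longer sign you in silently. The value meanings follow Microsoft's documented zone registry entries; the function names are my own.

```powershell
# Added example (not from the original post): inspect / change the IE "Logon"
# option for the Local Intranet zone so that WIA cannot silently authenticate.
# Assumes the documented per-user zone key and the 1A00 DWORD value.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'

# Documented meanings of the 1A00 "Logon" value
$logonOptions = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

function Get-IntranetLogonOption {
    $current = (Get-ItemProperty -Path $zoneKey -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
    if ($null -eq $current) {
        # No per-user override present; the zone default (or a policy under HKLM) applies
        return [pscustomobject]@{ Value = '(not set in HKCU)'; Meaning = 'zone default applies' }
    }
    [pscustomobject]@{
        Value   = ('0x{0:X5}' -f $current)
        Meaning = $logonOptions[[int]$current]
    }
}

function Set-IntranetLogonPrompt {
    # "Prompt for user name and password": IE will ask instead of sending the Kerberos ticket,
    # so an ADFS test that signs you in did so because of your form input, not WIA.
    Set-ItemProperty -Path $zoneKey -Name '1A00' -Value 0x10000 -Type DWord
    Get-IntranetLogonOption
}

# Report the current setting; call Set-IntranetLogonPrompt to switch it for testing.
Get-IntranetLogonOption
```

Run it in the same user session as the IE instance you are testing with. If Group Policy manages the zone settings, the dialog option will be greyed out and the policy copy of the key (under HKLM) wins over this per-user value, in which case the Firefox workaround above is the easier route.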

Note: You can configure Firefox to support WIA as well – see the post “Firefox supports Integrated Windows Authentication”.

Enjoy!
