We have an on-site ADFS 2016 server set up to authenticate clients to web applications. This seems to work fine for browsers other than IE or Edge. When using those browsers the client gets a 401 and is prompted for their credentials when trying to access the ADFS login page. This version of ADFS doesn't use IIS, so there is nothing to set there. We made sure the ADFS DNS entry is an A record. We tried adding the ADFS URL to the Trusted Sites in the client browser with no success. Is there something else that needs to be set up for this to work?
2 Answers
This issue may relate to your primary authentication setting in ADFS being set to Windows Authentication. This may be a bit different in Windows 2016, but in 2012 R2, if you open your ADFS console, select Authentication Policies in the left pane and then Edit Global Primary Authentication in the right pane, you can see the primary authentication settings for Extranet and Intranet users.
If you would like Windows Authentication to be your primary authentication, you may then need to enable Windows Integrated Authentication in IE / Edge. There are a couple of steps for this I can provide if this is your case.
UPDATE: It appears as though this turned out to be a Kerberos and SPN issue. Your ADFS machine name and ADFS service name should NOT be the same. The core of the issue, I believe, is that the SPN "HOST/AdfsMachineName" is registered with the AD computer object for the ADFS server and the SPN "HOST/AdfsServiceName" is registered with the ADFS service account. If AdfsMachineName and AdfsServiceName are the same, this causes a duplicate SPN scenario.
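A script to check for the duplicate-SPN condition described in the update above. This is an added example, not code from the answer's author: it assumes RSAT's ActiveDirectory module is installed, that it runs on the ADFS server, and that the federation service name reported by Get-AdfsProperties (for example adfs.contoso.com) is the name the SPN should be registered under. The variable names and the "HOST/" SPN form follow the answer; everything else is an assumption.

```powershell
# Added example (not part of either answer): detect the case where the ADFS
# machine name equals the federation service name, and find every AD object
# that holds the HOST/<service name> SPN. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$fsName   = (Get-AdfsProperties).HostName                       # e.g. adfs.contoso.com
$fsShort  = $fsName.Split('.')[0]                               # e.g. adfs
$machine  = $env:COMPUTERNAME                                   # ADFS server's computer name
$svcAcct  = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName

"Federation service name : $fsName"
"ADFS machine name       : $machine"
"ADFS service account    : $svcAcct"

if ($fsShort -ieq $machine) {
    Write-Warning "Service name '$fsName' matches machine name '$machine'. The computer object already owns HOST/$machine, so HOST/$fsName on the service account is a duplicate. Rename one of them."
}

# Every AD object that currently holds HOST/<federation service name>.
# Exactly one holder (the ADFS service account) is the healthy state.
$holders = Get-ADObject -LDAPFilter "(servicePrincipalName=HOST/$fsName)" -Properties servicePrincipalName |
           Select-Object -ExpandProperty DistinguishedName

"HOST/$fsName is registered on:"
$holders | ForEach-Object { "  $_" }

if (@($holders).Count -gt 1) {
    Write-Warning "Duplicate SPN: the KDC cannot issue a ticket for HOST/$fsName, so IE/Edge fall back to the 401 credential prompt."
} elseif (@($holders).Count -eq 0) {
    Write-Warning "No account holds HOST/$fsName; register it on the service account with: setspn -S HOST/$fsName <domain>\<serviceaccount>"
}

# Domain-wide duplicate scan using the built-in tool (reports every duplicated SPN in the forest).
setspn -X -F
```

Run it elevated on the ADFS node. The fix when a duplicate is found is to remove the SPN from the object that should not own it (setspn -D) rather than adding more registrations; after changing SPNs, have a test client run klist purge before retrying so a cached failed ticket request is not reused.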
Check the output of the below command.
Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUseragents
Should look something like this.
PS C:\Users\admin.contoso> Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUseragents
MSAuthHost/1.0/In-Domain
MSIE 6.0
MSIE 7.0
MSIE 8.0
MSIE 9.0
MSIE 10.0
Trident/7.0
MSIPC
Windows Rights Management Client
MS_WorkFoldersClient
=~Windows\s*NT.*Edge
PS C:\Users\admin.contoso>
This controls which user agents (browsers) are allowed to do WIA. I suspect this list only contains non-IE/Edge user agents.
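A script that tests a few user-agent strings against the WIASupportedUserAgents list and then extends the list. This is an added example, not code from the answer's author. It assumes it is run elevated on the primary ADFS 2016 node, that entries prefixed with "=~" are treated by ADFS as regular expressions and all other entries as substring matches (the Test-WiaUserAgent helper below mirrors that rule and is a hypothetical name of mine, not an ADFS cmdlet), and the three user-agent strings are constructed samples of IE 11, legacy Edge, and Chromium-based Edge.

```powershell
# Added example (not from the answer): inspect which browsers the WIA allow-list
# covers, then add Chromium-based Edge and Chrome on Windows. Assumes ADFS 2016
# and that "=~" entries are regexes, other entries plain substrings.
$current = Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents

# Constructed sample user agents (not captured from real clients).
$testAgents = @(
    'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko',                                                     # IE 11
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299', # legacy Edge
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62' # Chromium Edge
)

# Hypothetical helper: returns the first list entry that matches the UA, or $null.
function Test-WiaUserAgent {
    param([string]$UserAgent, [string[]]$Patterns)
    foreach ($p in $Patterns) {
        if ($p.StartsWith('=~')) {
            if ($UserAgent -match $p.Substring(2)) { return $p }   # regex entry
        } elseif ($UserAgent.Contains($p)) {
            return $p                                               # substring entry
        }
    }
    return $null
}

"Before change:"
foreach ($ua in $testAgents) {
    $hit = Test-WiaUserAgent -UserAgent $ua -Patterns $current
    "  {0,-6} {1}" -f ($(if ($hit) { 'WIA' } else { 'FORMS' }), $ua)
}
# With the default list shown above, IE 11 (Trident/7.0) and legacy Edge (Edge/)
# get WIA; Chromium Edge reports "Edg/" and gets forms authentication instead.

# Add regex entries for Chromium Edge and Chrome on Windows, keeping existing entries.
$additions = @('=~Windows\s*NT.*Edg/', '=~Windows\s*NT.*Chrome/')
$new = @($current) + @($additions | Where-Object { $_ -notin $current })
Set-AdfsProperties -WIASupportedUserAgents $new
Restart-Service adfssrv

"After change:"
foreach ($ua in $testAgents) {
    $hit = Test-WiaUserAgent -UserAgent $ua -Patterns $new
    "  {0,-6} {1}" -f ($(if ($hit) { 'WIA' } else { 'FORMS' }), $ua)
}
```

Set-AdfsProperties changes the farm configuration, so run it once on the primary node and restart the adfssrv service on every node. Note that the server-side list is only half of the picture: IE and Edge send Kerberos or NTLM credentials automatically only for sites in the Local intranet zone, not the Trusted Sites zone mentioned in the question, so the ADFS URL needs to be in Local intranet (or the browser's intranet detection must resolve it as a single-label or proxy-bypassed name) for the prompt to disappear.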