Desktop SSO on Win10 Domain Joined machines using EDGE browser


[Updated on 12/12: Added more strings for Nov '15 Windows 10 release]

[Updated on 3/3: Added simpler step when you don't have any Windows Phone 10 connecting from inside the corp network]

[Updated on 9/13/16: Added more strings for Jul '16 Windows 10 release - Anniversary Update]

Hello,

With the recent release of Windows 10, I’ve been fielding some questions on SSO being broken and users being prompted with forms authentication when accessing from domain joined machines inside your network.

As you may know, ADFS supports a feature to selectively offer Windows Integrated Authentication inside your corporate network based on the device or browser. This is done using a whitelist of user agent strings. The key benefits are:

  • Desktop SSO after you have logged in from a domain joined machine.
  • Improved experience if you are using devices such as iOS/Android that don’t support seamless Kerberos authentication
  • Improved experience if you are using browsers such as Firefox or Chrome on Windows domain joined machines where the browser is not capable of supporting seamless Kerberos authentication. Please note that in some cases/versions of these browsers, they do support Kerberos authentication, but configuration can be quite cumbersome.

Setting the Configuration for Windows 10 Domain Joined devices

Follow the steps provided at https://technet.microsoft.com/en-us/library/Dn727110.aspx to set the accepted user agent strings. In addition to the list provided in the example, add the following strings (each line represents an entry):

If you have no Windows 10 Phones that connect from inside your network (simple)

[The Windows Phone Edge browser uses similar strings, and some versions of Windows 10 Phone do not support NTLM authentication, so if ADFS tries to do Windows Integrated Auth on them, it will fail.]

Edge/

(OR)

Windows 10 - Jul '15 Release

Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12

In-Domain

Mozilla/5.0 (Windows NT 10.0; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12

Windows 10 - Nov '15 Release

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/

Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/

Mozilla/5.0 (Windows NT 10.0; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/

Windows 10 - Anniversary Update (Jul '16 release)

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/

Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/

Mozilla/5.0 (Windows NT 10.0; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/

How does it work?

It is quite simple…

  1. When ADFS 2012 R2 receives a request over passive protocols such as WS-Fed, SAML or OAuth Authorize endpoints inside your network, it reads the UA string on the HTTP request.
  2. It compares the UA string to the list that is configured by the admin (or uses the defaults in the system).
  3. If it cannot find a match (a 'contains' match), it falls back to forms authentication so that the user gets a better experience.

Note: If you have non-domain-joined Windows machines, there are many cases where you will not see forms and instead see an NTLM prompt.
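Putting the configuration steps and the matching rule above into practice, here is an added example (not code from the post or from the ADFS product documentation) that appends the Windows 10 entries to the ADFS whitelist with Set-AdfsProperties and then checks sample user agents against it using the same 'contains' rule. It assumes an ADFS 2012 R2 or later server with the ADFS PowerShell module; Test-WiaUserAgent is a hypothetical helper, and the Windows Phone user agent is a constructed sample, not one captured from a device.

```powershell
# Added example, not from the original post. Assumes an ADFS 2012 R2 (or later)
# server with the ADFS PowerShell module loaded, run by an ADFS administrator.

# Nov '15 and Anniversary Update entries from the post; add the Jul '15 ones if needed.
$newEntries = @(
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/',
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/',
    'Mozilla/5.0 (Windows NT 10.0; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/',
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/',
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/',
    'Mozilla/5.0 (Windows NT 10.0; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/'
)

# Merge with the current list: Set-AdfsProperties replaces the whole whitelist,
# so passing only the new strings would silently drop the existing entries.
$current = @((Get-AdfsProperties).WIASupportedUserAgents)
$merged  = $current + @($newEntries | Where-Object { $current -notcontains $_ })
Set-AdfsProperties -WIASupportedUserAgents $merged

# Verify what is now configured.
(Get-AdfsProperties).WIASupportedUserAgents

# Local simulation of the 'contains' match the post describes, so a user agent can be
# checked against the list before users hit it. An ordinal, case-sensitive contains is
# an assumption here; the post does not state ADFS's exact comparison rules.
function Test-WiaUserAgent {
    param([string]$UserAgent, [string[]]$Whitelist)
    foreach ($entry in $Whitelist) {
        if ($UserAgent.Contains($entry)) { return $entry }   # first matching entry
    }
    return $null                                              # no match: forms auth
}

# Constructed samples: the desktop string from the comments below, and a hypothetical
# Windows 10 Mobile Edge string (shape only, not captured from a real device).
$desktopEdge = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586'
$phoneEdge   = 'Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586'

Test-WiaUserAgent -UserAgent $desktopEdge -Whitelist $newEntries   # matches the Nov '15 desktop entry, any Edge build
Test-WiaUserAgent -UserAgent $phoneEdge   -Whitelist $newEntries   # $null: the full strings say 'Windows NT', not 'Windows Phone'
Test-WiaUserAgent -UserAgent $phoneEdge   -Whitelist @('Edge/')    # matches: the bare 'Edge/' entry also catches the phone
```

The last line is the caveat from the "simple" option above: a bare `Edge/` entry sends Windows Phone Edge to Windows Integrated Authentication too, which fails on phone builds without NTLM support.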


Thanks

//Sam (@MrADFS)


Comments (3)

  1. Nutshell30 says:

    Hi Sam,

    Thanks for the info! I have just noted that Edge is now reporting as "Edge/12.10240"

    Should the user string reflect that now?

    Also, just to clear up... the user string "In-Domain" is that for use with a gpo?

    Thanks!

  2. @Nutshell30: You probably have a flighted preview build of the next release of client. I was planning on updating this when client officially release. Will update with the new strings in a few days.

  3. Trond E. Gjelsvik-Bakke says:

    Opening http://www.whatsmyuseragent.com from my Edge reveals this agent string:

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586

    Will Edge/ detect all versions of the Edge browser?
