ADFS 3 (Server 2012 R2) and Chrome

Hello,

I just recently installed ADFS v3 on a new Server 2012 R2 instance.  I have two ADFS servers in a farm, with 2 ADFS proxy servers, each using Windows Server Network Load Balancer.

Currently, we are federating to Office 365 and everything seems to be working great for our Internet Explorer users; however, people that use Chrome seem to be having multiple issues logging in.  We are seeing the following symptoms with Chrome:

1. Internally, Chrome users are not automatically logged in.  I have tried executing the following command on the ADFS farm, but the issue still persists: Set-ADFSProperties -ExtendedProtectionTokenCheck "None"

2. Users using Chrome cannot sign in at all, both trying through the proxy and the internal ADFS server directly.  When entering mydomain\myusername or myusername@mydomain.com, my password, and hit Sign In, the page simply "refreshes" and does nothing.  I don't see any errors or warnings inside of event viewer on both the proxy or internal ADFS farm, so not quite sure what is happening.

I have tried running the Office 365 Single Sign-On Test from https://testconnectivity.microsoft.com/ and everything comes back successful, so I think this is a direct issue with ADFS 3 and Chrome.

Any ideas?

Thanks in advance!


December 27th, 2013 11:42pm

Hi,

As this worked with IE users, I consider this issue is mostly related with Google Chrome, and there is no detailed solution from Windows side to solve this issue for 3rd-party products. So I would recommend that you contact Google support for further investigation.

Your understanding is highly appreciated.

Google Chrome Forum

http://productforums.google.com/forum/#!forum/chrome

Best Regards,

Michael

December 30th, 2013 1:36am

Replying back to add in a link to my Google Chrome post for reference.

https://productforums.google.com/forum/#!msg/chrome/V9Z43Y4m6Ow/FXWp5n9lhXAJ

December 30th, 2013 2:30pm

I had the same issue - the only way I found around it was to turn off extended protection in IIS

To turn Extended Protection off, on the AD FS server, launch IIS Manager, then, on the left side tree view, access Sites -> Default Web Site -> adfs -> ls, click the Authentication icon, then right-click Windows Authentication and select Advanced Settings. On the Advanced Settings dialog, choose Off for Extended Protection.

December 30th, 2013 3:28pm


ahh okay - I've not tested ADFS 3 yet...sorry I can't be of further help here.
December 30th, 2013 3:32pm

This ticket may be dead but I thought I'd reply since there appears to be no good answer.

Try this:

1. Disable Extended Protection in ADFS 3.0

Set-ADFSProperties -ExtendedProtectionTokenCheck None

2. Enable Chrome as a valid User Agent for NTLM authentication

Set-ADFSProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Mozilla/5.0")

You may also need to add others (such as Mozilla/4.0), I've gotten away with only "Mozilla/5.0" though.

March 6th, 2014 11:05pm

You need to do:

Set-ADFSProperties -WIASupportedUserAgents @("MSAuthHost/1.0/In-Domain", "MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Mozilla/5.0")
March 10th, 2014 10:40am
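
The two replies above replace the whole WIASupportedUserAgents list, which silently drops any entry that is left out. The following is an added example, not part of the original thread: it merges new agents into the current list, saves the previous values for rollback, and reports the Extended Protection setting. The backup path and the $wanted list are assumptions; only Get-AdfsProperties and Set-AdfsProperties with the parameters named in the thread are used.

```powershell
# Added example: merge into the WIA user-agent list instead of overwriting it.
# Run on a primary AD FS (Server 2012 R2) farm node in an elevated session.

$wanted     = @('Mozilla/5.0')                              # agent string from the replies above
$backupPath = Join-Path $env:TEMP 'adfs-wia-backup.json'    # hypothetical backup location

$props   = Get-AdfsProperties
$current = @($props.WIASupportedUserAgents)

# Record the pre-change state so the change can be reverted later.
[pscustomobject]@{
    Taken                        = (Get-Date).ToString('o')
    WIASupportedUserAgents       = $current
    ExtendedProtectionTokenCheck = "$($props.ExtendedProtectionTokenCheck)"
} | ConvertTo-Json | Set-Content -Path $backupPath -Encoding UTF8

# -notcontains is case-insensitive, so 'mozilla/5.0' is not added twice.
$missing = @($wanted | Where-Object { $current -notcontains $_ })

if ($missing.Count -gt 0) {
    Set-AdfsProperties -WIASupportedUserAgents ($current + $missing)
    Write-Output ("Added: " + ($missing -join ', '))
} else {
    Write-Output 'No change: all requested agents are already present.'
}

# Show the effective configuration after the change.
$after = Get-AdfsProperties
Write-Output 'WIASupportedUserAgents now:'
$after.WIASupportedUserAgents | ForEach-Object { Write-Output "  $_" }

# Extended Protection binds Windows authentication to the TLS channel;
# make it visible when it has been switched off as a workaround.
if ("$($after.ExtendedProtectionTokenCheck)" -eq 'None') {
    Write-Warning 'ExtendedProtectionTokenCheck is None (channel binding is not enforced).'
}

# Rollback (run manually if needed):
#   $old = Get-Content -Raw $backupPath | ConvertFrom-Json
#   Set-AdfsProperties -WIASupportedUserAgents $old.WIASupportedUserAgents
#   Set-AdfsProperties -ExtendedProtectionTokenCheck $old.ExtendedProtectionTokenCheck
```

"Mozilla/5.0" appears in the User-Agent of nearly every current browser, so adding it offers Windows Integrated Authentication to far more clients than Chrome alone.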

I'm having the same problem. Logon works in Internet Explorer (IWA), but not with browsers where IWA is disabled. It does not work on Windows Phone 8.1.

My setup is ADFS 2012 R2 + proxy, all Windows updates are installed. I'm getting the same symptoms as you where the page simply "refreshes" and does nothing. No error messages anywhere.

Did you ever figure this one out? I don't want to enable IWA for Chrome and Firefox, because my IT department doesn't want to add/manage the necessary configuration for those browsers.

June 26th, 2014 7:49am

See this post. My problem was related to custom claims transformation rules under "acceptance transform rules" I tried to do some fancy stuff with the UPN-claim, but it looks like ADFS needs the UPN-claim and it must be in format "adusername@domain"..

June 26th, 2014 12:28pm

For me it worked!!!
July 22nd, 2014 9:08am

Don't you think disabling ExtendedProtectionTokenCheck is a security threat?
November 12th, 2014 3:49pm

I found the following Chromium issue where this problem is discussed:

https://code.google.com/p/chromium/issues/detail?id=270219

July 24th, 2015 3:29am

This topic is archived. No further replies will be accepted.
