Logging onto ADFS portal from internal network with Internet Explorer displays a Windows Security login prompt instead of the form webpage authentication

Problem

You’ve noticed that accessing the ADFS authentication portal from the internal network with Internet Explorer via the internal farm (not the WAP) displays a Windows Security login prompt instead of the forms-based webpage authentication:


Navigating to the same sign-on page through the ADFS Web Application Proxy from the internet displays the expected forms-based webpage authentication:


Solution

In order to allow clients on the internal network to authenticate via the forms-based webpage authentication, the ADFS URL needs to be added to the Local Intranet zone in Internet Explorer:


**Note that the environment used in this example has a GPO configured that prevents the user from adding sites to the Local Intranet zone.

To correct this issue with a GPO that you can apply globally in the organization, you will need to decide whether the Group Policy should:

  1. Add the site *and* prevent users from adding sites
  2. Add the site *and* allow users to add additional sites

If #1 is the desired effect, then create or append to a GPO that is applied to the user accounts with the following setting:

User Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Site to Zone Assignment List

Then add the ADFS URL as the Value Name and 1 as the Value.


The GPO will add the site to the Local Intranet zone and disallow the user from adding more sites:


The User Configuration policy is used here rather than the Computer Configuration policy, because the latter grays out the zones and prevents users from seeing which sites are in the zones or adding sites to them.

If #2 is desired, then create a Group Policy Preferences Registry item and configure the following:

Hive: HKEY_CURRENT_USER

Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\domain.com\fs

Value name: http

Value type: REG_DWORD

Value data: 00000001


For reference, the following are the Value data for the other zones:

| Value data | Zone name      |
|------------|----------------|
| 00000000   | My Computer    |
| 00000001   | Local Intranet |
| 00000002   | Trusted Site   |
| 00000003   | Internet       |
| 00000004   | Restricted     |

**Note that native Group Policy settings take precedence over Group Policy Preferences, so if the Site to Zone Assignment List is configured it will override (not merge with) the registry settings.
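To verify which zone a client actually ends up with after either approach, the following PowerShell check is an added example (not code from the original post): it looks at the policy location that the Site to Zone Assignment List writes to first, since that overrides the Group Policy Preferences entry, and only then at the per-user ZoneMap key from the Registry item above. The policy key path `ZoneMapKey` and the host name `fs.domain.com` (taken from the example key path) are assumptions; substitute your own ADFS host.

```powershell
# Added example, not from the original post. Reports which IE zone a host maps to,
# checking the Site to Zone Assignment List policy first (it overrides GPP entries).

$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Site'; 3 = 'Internet'; 4 = 'Restricted' }

function Get-IEZoneForHost {
    param(
        [Parameter(Mandatory)][string]$HostName,  # e.g. fs.domain.com (assumed from the post)
        [string]$Scheme = 'http'                  # value name used by the GPP registry item
    )
    # 1. Policy location written by "Site to Zone Assignment List" (assumed path). The
    #    value is named after the site as typed in the GPO (bare host or full URL), so
    #    both forms are checked; the data is the zone number stored as a string.
    foreach ($hive in 'HKCU', 'HKLM') {
        $policyKey = "${hive}:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
        if (-not (Test-Path $policyKey)) { continue }
        $props = Get-ItemProperty -Path $policyKey
        foreach ($name in @($HostName, "${Scheme}://$HostName")) {
            if ($null -ne $props.$name) {
                $zone = [int]$props.$name
                return [pscustomobject]@{ Host = $HostName; Source = "Policy ($hive)"; Zone = $zone; ZoneName = $ZoneNames[$zone] }
            }
        }
    }

    # 2. Per-user ZoneMap written by the GPP registry item from the post:
    #    ...\ZoneMap\Domains\<domain>\<subdomain>, with a value named after the scheme.
    $labels = $HostName.Split('.')
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    if ($labels.Count -ge 3) {
        $domain = $labels[-2..-1] -join '.'
        $sub = $labels[0..($labels.Count - 3)] -join '.'
        $gppKey = "$base\$domain\$sub"
    } else {
        $gppKey = "$base\$HostName"
    }
    if (Test-Path $gppKey) {
        $val = (Get-ItemProperty -Path $gppKey).$Scheme
        if ($null -ne $val) {
            $zone = [int]$val
            return [pscustomobject]@{ Host = $HostName; Source = 'ZoneMap (GPP)'; Zone = $zone; ZoneName = $ZoneNames[$zone] }
        }
    }

    # No explicit mapping: IE decides the zone itself, and unless it lands in Local Intranet the prompt from the post appears.
    return [pscustomobject]@{ Host = $HostName; Source = 'None'; Zone = $null; ZoneName = 'Not explicitly mapped' }
}

Get-IEZoneForHost -HostName 'fs.domain.com' | Format-List
```

Run it in the affected user's session after a `gpupdate /force`; a `Source` of `Policy` with `Zone` 1 confirms approach #1 applied, while `ZoneMap (GPP)` with `Zone` 1 confirms approach #2.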