Windows Server 2016 ADFS SSO with Chrome, Firefox and other user agents

Out of the box, Windows Server 2016 Active Directory Federation Services does not give users running Chrome the same seamless sign-on experience as Internet Explorer. Thankfully there are two simple changes that can be made to enable this functionality.

Open PowerShell as administrator on one of the ADFS servers and check the list of existing WIASupportedUserAgents:

PS C:\Windows\system32> Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
MSIE 6.0
MSIE 7.0
MSIE 8.0
MSIE 9.0
MSIE 10.0
Windows Rights Management Client

The easiest way to add the additional agents is with the following command; I’ve added Chrome, Mozilla/5.0 and Edge/12.

Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + "Chrome" + "Mozilla/5.0" + "Edge/12")

There was a time when you needed to disable the ExtendedProtectionTokenCheck for Chrome to work; as of writing (August 2017) this is no longer the case. Restart the ADFS service and you should be in business!
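
The whole procedure as one script, added here as an example and not part of the original post: it saves the existing list, appends only the entries that are missing, and shows which constructed User-Agent strings the resulting list would match. It assumes AD FS treats each entry as a case-sensitive substring of the User-Agent header; `Test-WiaUserAgent`, the backup path and the sample strings are hypothetical.

```powershell
# Added example; run in an elevated PowerShell session on an AD FS server.
$wanted = 'Chrome', 'Mozilla/5.0', 'Edge/12'      # the agents added in this post

# Keep a copy of the current list so the change can be rolled back.
$current = @(Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents)
$backup  = Join-Path $env:TEMP 'WIASupportedUserAgents.before.txt'   # hypothetical path
$current | Set-Content -Path $backup

# Add only entries that are not already present (-cnotcontains is case-sensitive).
$missing = @($wanted | Where-Object { $current -cnotcontains $_ })
if ($missing.Count -gt 0) {
    Set-AdfsProperties -WIASupportedUserAgents ($current + $missing)
}

# Assumption: an entry matches when it is a case-sensitive substring of the User-Agent.
function Test-WiaUserAgent {
    param([string]$UserAgent, [string[]]$SupportedAgents)
    foreach ($entry in $SupportedAgents) {
        if ($UserAgent.Contains($entry)) { return $entry }   # ordinal, case-sensitive
    }
    return $null
}

# Constructed sample User-Agent strings, not captured traffic.
$samples = @(
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36',
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0',
    'Mozilla/5.0 (iPhone; CPU iPhone OS 10_3 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E277 Safari/602.1',
    'curl/7.55.1'
)
$updated = @(Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents)
foreach ($ua in $samples) {
    [pscustomobject]@{
        MatchedEntry = Test-WiaUserAgent -UserAgent $ua -SupportedAgents $updated
        UserAgent    = $ua
    }
}

# Restart the AD FS service as the post describes (Windows service name: adfssrv).
Restart-Service -Name adfssrv
```

An empty MatchedEntry means that client would not be offered Windows Integrated Authentication under the assumed matching rule; the saved file can be passed back to `Set-AdfsProperties -WIASupportedUserAgents (Get-Content $backup)` to restore the earlier list.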

