Doesn’t everyone use Internet Explorer? Isn’t it Company policy anymore?
ADFS doesn’t support Chrome out of the Box, so we need to adjust some settings for Chrome to use ADFS. Depending on which Version Your using, there are two settings to help Your Chrome users out.
ADFS 2.0/2.1 (Windows Server 2008/2012)
ADFS comes standard With Extended Protection for Authentication, which isn’t supported by Chrome. Turning this feature of IIS off will let Chrome authenticate With ADFS.
Open IIS Management and browse Down to the LS Site. Open Authentication and choose Windows Authentication. Then Advanced Settings in Your right sidebar:
Set Extended Protection to Off.
Source: Technet Library
ADFS 3.0 (Windows Server 2012 R2)
While in ADFS 3.0 we don’t use IIS anymore, but there are other default settings working against Our Chrome users, so lets have a look at what we need to change.
Chrome only uses NTLM Authentication, so first we need to allow this by setting the ExtendedProtectionTokenCheck to None.
Set-ADFSProperties –ExtendedProtectionTokenCheck None
Then we need to alter the current list of supported user-agents for NTLM, which basicly means we need to allow Chrome within the list of browser we want to support. Get the list over allready supported browsers:
Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
It will show a list of supported browser which by default is:
Then we add all these and Chrome, or to be Clear, we add what ADFS think Chrome is:
Set-ADFSProperties -WIASupportedUserAgents @(“MSIE 6.0”, “MSIE 7.0”, “MSIE 8.0”, “MSIE 9.0”, “MSIE 10.0”, “Trident/7.0”, “MSIPC”, “Windows Rights Management Client”, “Mozilla/5.0“)
Which is Mozilla v5.0, then restart the Active Directory Federation Service to use the changes.
Extended Protection is built to protect from man-in-middle attacks, by using a token in the communcation aswell. But if you haven’t published ADFS to the outside world it is a minor risk to take I would say.