I am in the process of setting up an ADFS lab, and let me tell you it’s a painful (but necessary) exercise. I was having issues with my lab where I would get prompted for my credentials even though all the machines were on the same domain.
(I followed this lab guide: http://technet.microsoft.com/en-us/library/dn280939.aspx)
Here are a few steps you can go over to ensure you don’t get prompted for creds:
SSO when on the intranet from a domain joined machine, logged in with a domain credential:
To ensure the user is not prompted for his logged in credentials again, when accessing ADFS from intranet, the following configuration needs to be in place.
– In Internal DNS should resolve the ADFS service name to the backend ADFS servers or Load balanced IP for ADFS service. Domain Name System (DNS) resolution of the AD FS 2.0 service endpoint should not be performed through CNAME record lookup, instead we should add a A record for the ADFS service name.
– The Web-proxy configured on the client should be configured to bypass proxy, for request to ADFS URL
– The ADFS URL should be added to the IE > Security >Intranet zones > sites. This is done because IE > security > Local Intranet > Security Settings > user authentication – logon is configured to use the logged in credentials for Intranet sites.
– Ensure that IE > advanced > ‘Enable Integrated Windows Authentication’ is checked.
– Ensure that an SPN ‘HOST/ADFSservicename’ is registered for the ADFS service under the ADFS farm service account, to allow Kerberos authentication.
– The default authentication configuration for the ADFS service (in C:\inetpub\adfs\ls\web.config) is Integrated Windows Authentication, ensure that it has not been changed to Form-based Authentication.
– The credentials prompt can only be avoided when you are accessing the cloud service using the same account used to logon to the workstation.
– If a user chooses to save his credentials in the ‘credentials manager’ (By selecting save password checkbox in the credential prompt) for use with ADFS, that saved credentials will only provide an SSO experience till the user changes his password. If the credential manager is not updated with the new password of the user, it will continue to use old user credentials and prompt the user for good credentials, after a number of failed attempts with the stale saved credentials.
– If user A wants to access User B’s mailbox, user B’s credentials has to be provided and ADFS will prompt you for user B credentials because it has no ways of guessing it by itself. But once User B’s credentials has been provided and the user is authenticated, the Browser may cache the
user B’s credentials and would reuse it when the same instance of IE is used to access the same application or authenticate via the same ADFS service.
– ADFS and most of the web applications do write cookies on the client machine after being authenticated/authorized, these cookies may be session specific or may be valid across sessions. If these cookies are valid, and presented again to the application /ADFS, by the browser, the user is allowed in without repeated authentication. For example, after being logged into Sharepoint or O365, we write a few AUTH related session cookies on the client. These cookies are presented again, if you access a link in the web application that opens up another page in the same windows or another tab, sharing the same session cookies. These session based cookies should expire once you sign-out of the application/ ADFS, post which the user may need to authenticate again.