Enabling Integrated Windows Authentication for ADFS 3.0 or 4.0

Complete this task to enable Integrated Windows Authentication (IWA) on Active Directory Federation Services (ADFS) 3.0 or 4.0.

Procedure

  1. On the ADFS server, run PowerShell as administrator.
  2. Use the following PowerShell commands to view the current ADFS settings. Setting $FormatEnumerationLimit to -1 makes PowerShell print every entry of array-valued properties such as WIASupportedUserAgents instead of truncating the list after the first few:
    $FormatEnumerationLimit=-1
    Get-ADFSProperties
  3. If you have Notes client or Chrome browser users, use the following PowerShell command to turn off extended protection for authentication. Extended protection (channel binding) ties the IWA credential exchange to the TLS connection and protects it against relay by a man-in-the-middle, so switch it to None only when clients genuinely cannot supply a channel binding token; otherwise leave it at the default value, Allow:
    Set-ADFSProperties -ExtendedProtectionTokenCheck None
  4. Use the following PowerShell command to specify the user agents (clients and browsers) that can participate in IWA. The command replaces the whole list rather than appending to it, so include every value you need, and add any browsers that you use that are missing from the list. ADFS matches each value as a substring of the client's User-Agent header. The embedded browser in IBM Notes 9.0.1 identifies itself as Mozilla/4.0; the embedded browser is used with Notes federated login. Note that "Mozilla/5.0" appears in the User-Agent header of nearly every modern browser, so listing it causes ADFS to offer IWA to all of them, including clients that cannot complete it.
    Set-ADFSProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Firefox/25.0", "Firefox/47.0", "Mozilla/4.0", "Mozilla/5.0")
  5. Use the following PowerShell commands again to confirm the setting changes:
    $FormatEnumerationLimit=-1
    Get-ADFSProperties
  6. Complete the following steps to set ADFS to use IWA:
    • For ADFS 4.0:
      1. Open ADFS Management.
      2. Click Service > Authentication Methods.
      3. Click Edit Primary Authentication Methods.
      4. On the Primary tab, in the Intranet section, select Windows Authentication. Optionally also select Forms Authentication. Forms Authentication lets users whose client cannot use IWA, such as Linux and Mac users, sign in with a user name and password and still receive a SAML token.
    • For ADFS 3.0:
      1. Open ADFS Management.
      2. Click Authentication Policies.
      3. Under Primary Authentication, Global Settings, click Edit (or click Edit Global Primary Authentication in the Actions pane; both open the same dialog).
      4. In the Intranet section, select Windows Authentication. Optionally also select Forms Authentication. Forms Authentication lets users whose client cannot use IWA, such as Linux and Mac users, sign in with a user name and password and still receive a SAML token.
  7. Restart the ADFS service (adfssrv) so that the changes take effect.
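The whole procedure above as one script, added here as an example and not part of the original page or of IBM's documentation. It merges the Notes user agent into the existing list instead of overwriting it, disables extended protection only when explicitly asked to, performs the console steps of step 6 with Set-AdfsGlobalAuthenticationPolicy, and verifies the result after the restart. The default extra user agent ("Mozilla/4.0") and the Verify-* helper name are assumptions for illustration; run it in an elevated PowerShell session on the ADFS server.

```powershell
# Added example: apply and verify the IWA settings from the procedure above.
# Not IBM's or Microsoft's code. Assumes an elevated session on the ADFS server.
param(
    # Assumption: only the Notes 9.0.1 embedded browser needs adding; extend as required.
    [string[]]$ExtraUserAgents = @("Mozilla/4.0"),
    # Only pass this if Notes client or Chrome users cannot complete IWA with EPA enabled.
    [switch]$DisableExtendedProtection
)

$ErrorActionPreference = 'Stop'

# Step 2: record the current settings so the change can be reviewed and reverted.
$before = Get-AdfsProperties
Write-Host "Before: ExtendedProtectionTokenCheck = $($before.ExtendedProtectionTokenCheck)"
Write-Host "Before: WIASupportedUserAgents       = $($before.WIASupportedUserAgents -join ', ')"

# Step 3: extended protection (channel binding) defends the IWA exchange against
# relay by a man-in-the-middle. Turning it off is a deliberate trade-off, so it is
# opt-in here and the default (Allow) is kept otherwise.
if ($DisableExtendedProtection) {
    Set-AdfsProperties -ExtendedProtectionTokenCheck None
}

# Step 4: -WIASupportedUserAgents replaces the list, so merge with what is already
# configured instead of retyping it. Matching is by substring of the User-Agent header.
$merged = @(@($before.WIASupportedUserAgents) + $ExtraUserAgents | Select-Object -Unique)
Set-AdfsProperties -WIASupportedUserAgents $merged

# Step 6 (PowerShell equivalent of the ADFS Management console steps): offer Windows
# Authentication to intranet clients, with Forms Authentication as the fallback for
# clients that cannot do IWA.
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider @(
    'WindowsAuthentication', 'FormsAuthentication'
)

# Step 7: restart so the new settings are picked up.
Restart-Service -Name adfssrv

# Step 5: verify. Assumed helper name; it throws if anything did not apply.
function Verify-AdfsIwaSettings {
    param([string[]]$ExpectedUserAgents)

    $after  = Get-AdfsProperties
    $policy = Get-AdfsGlobalAuthenticationPolicy

    $missing = $ExpectedUserAgents | Where-Object { $after.WIASupportedUserAgents -notcontains $_ }
    if ($missing) {
        throw "User agents not applied: $($missing -join ', ')"
    }
    if ($policy.PrimaryIntranetAuthenticationProvider -notcontains 'WindowsAuthentication') {
        throw "Windows Authentication is not enabled for intranet clients"
    }

    Write-Host "After : ExtendedProtectionTokenCheck = $($after.ExtendedProtectionTokenCheck)"
    Write-Host "After : WIASupportedUserAgents       = $($after.WIASupportedUserAgents -join ', ')"
    Write-Host "After : PrimaryIntranetAuthProviders = $($policy.PrimaryIntranetAuthenticationProvider -join ', ')"
}

Verify-AdfsIwaSettings -ExpectedUserAgents $merged
```

Run it without the -DisableExtendedProtection switch first; only if the Notes client or Chrome users then fail IWA should the switch be added, and the resulting ExtendedProtectionTokenCheck = None should be recorded as an accepted risk, since it removes the channel binding that protects IWA credentials against relay.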