Symptom: After users upgraded from Windows 7 or 8.1 to Windows 10, Edge (Internet Explorer's replacement) stopped signing them in automatically when they reached the Active Directory Federation Services (ADFS) server from inside the corporate network to sign in to Office 365 or Intune. Instead of a silent sign-in, they were dropped onto the forms-based login page.
Solution: Allow Windows Integrated Authentication (WIA, which negotiates Kerberos or NTLM) for the Edge browser's user agent string, and relax the ADFS Extended Protection token check. ADFS only offers WIA to browsers whose User-Agent header matches an entry in its WIASupportedUserAgents list; everything else gets the forms page.
1. Log in to your primary ADFS server and open an elevated PowerShell session.
2. Execute the following command to disable the Extended Protection token check (see the Windows TechNet library for the Set-AdfsProperties reference and scroll down to "ExtendedProtectionTokenCheck"). Be aware of what this does: Extended Protection ties the WIA exchange to the TLS channel (channel binding) so that a captured authentication cannot be relayed to ADFS from another connection. Setting it to None removes that check for the whole farm, so treat it as a deliberate trade-off and record the previous value (the default is Allow) so it can be restored later:
- Set-AdfsProperties -ExtendedProtectionTokenCheck None
3. Execute the following command to get the current list of user agents for which ADFS performs Windows Integrated Authentication:
- Get-AdfsProperties | Select -ExpandProperty WIASupportedUserAgents
4. Take all the values you received in step 3 and add "Edge/12" to the end of the list as an allowed user agent. Keep every existing entry; Set-AdfsProperties replaces the whole list, so any entry you leave out means that browser falls back to the forms-based login page. Each entry is matched as a substring of the User-Agent header, which is why "Edge/12" is enough to match the full Edge/12.xxxx token.
5. Execute the following command, substituting the list you collected in step 3 (the list below is a typical example):
- Set-AdfsProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Mozilla/5.0", "Edge/12")
6. Restart the ADFS service on each of the ADFS farm servers for the changes to take effect. You do not need to make any changes to the ADFS proxy servers.
Hopefully this has been helpful. Your comments or feedback are welcome, and please share this article if you did find it helpful.