SSO ADFS server login prompt


Hello,

Slight problem with using SSO.

Here is my setup:

- domain (test.com)

- DC + ADFS 2.0 (TESTDC.test.com)

- SYNC server (TESTSYNC.test.com)

 

I have ADFS deployed with a public certificate (URL = sts.test.com) for Single Sign-on. DirSync is complete and I have enabled the users. Let's say testaccount@test.com.

 

I log in to a domain-joined computer on-premises using the domain account testaccount credentials.

 

When I browse to portal.microsoftonline.com and fill in the user name testaccount@test.com, the password field gets greyed out and I click "sign in to test.com".

 

Then I get the following prompt:

The ADFS server (connecting to sts.test.com) prompts me with a login screen and I have to re-enter my credentials.

 

This is happening at every login, BUT when I add the ADFS server URL to Local Intranet it is working, BUT the Microsoft manual only says the URL should be added to the Trusted Sites and not the Local Intranet.

 

Any help would be awesome.

Verified Answer
  • Hello Eriksignout,

    Thank you for your post.

    As I understand it, you want to confirm whether it is necessary to add the URL of the ADFS server into the "Local Intranet Zone" of IE when deploying Single Sign-on.

    Yes, the "Local Intranet Zone" contains all network connections that were established by using a Universal Naming Convention (UNC) path, and Web sites that bypass the proxy server or have names that do not include periods (for example, http://local). The ADFS server needs to be classified in the local intranet zone to send your credentials. All of this is about sending your domain credentials using Kerberos, not sending a username and password that was entered at a login page.

    Additional Information
    ===============
    AD FS 2.0 Design Guide
    http://technet.microsoft.com/en-us/library/dd807036(WS.10).aspx

    AD FS 2.0 Deployment Guide
    http://technet.microsoft.com/en-us/library/dd807092(v=ws.10).aspx

    Thank you.

    Jack Sun

  • Jack,

    Then the documentation on the following URL is not correct:

     http://onlinehelp.microsoft.com/Office365-enterprises/ff652538.aspx

      

    Add URLs to Trusted Sites in Internet Explorer

    After you add or convert your domains as part of setting up single sign-on, you may want to add the fully qualified domain name of your AD FS 2.0 server to the list of Trusted Sites in Internet Explorer. This will ensure that users are not prompted for their password to the AD FS 2.0 server.

     

    There it states Trusted Sites, but you and a support page I found say add to Local Intranet.

     

    This URL states Local Intranet:

    http://support.microsoft.com/kb/2535227/en-us

     

    So the top link says Trusted Sites; please adjust this incorrect information :-)
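
The zone assignment Jack describes is a per-host registry entry that Internet Explorer consults before deciding whether to send the logged-on user's Windows credentials. The following PowerShell is an added example written for this thread, not code from the thread or from Microsoft documentation: it reads the zone the AD FS host currently sits in, shows the logon policy each zone carries, and assigns the host to Local Intranet. The host name sts.test.com is the thread's own placeholder; the registry paths and value numbers are standard IE zone settings, and the function names are the example's own.

```powershell
# Added example (not from the thread): inspect and set the IE security zone for the
# AD FS host so Integrated Windows Authentication can supply the logged-on user's
# Kerberos credentials instead of prompting. Run on the client as the affected user.

$AdfsHost = 'sts.test.com'   # federation service FQDN used as a placeholder in the thread

# Zone numbers as stored in the ZoneMap registry keys
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

# Per-user site-to-zone assignments: ZoneMap\Domains\<domain>\<host>, one DWORD per URL scheme
$ZoneMapRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-ZoneMapKey {
    param([string]$Fqdn)
    # ZoneMap stores 'sts.test.com' as Domains\test.com\sts (registered domain, then host label)
    $labels = $Fqdn.Split('.')
    $domain = ($labels | Select-Object -Last 2) -join '.'
    $key = Join-Path $ZoneMapRoot $domain
    if ($labels.Count -gt 2) {
        $hostPart = ($labels | Select-Object -First ($labels.Count - 2)) -join '.'
        $key = Join-Path $key $hostPart
    }
    return $key
}

function Get-IEZoneForHost {
    param([string]$Fqdn, [string]$Scheme = 'https')
    $key = Get-ZoneMapKey $Fqdn
    if (-not (Test-Path $key)) { return 'Not assigned (treated as Internet zone, because the name contains periods)' }
    $zone = (Get-ItemProperty -Path $key -Name $Scheme -ErrorAction SilentlyContinue).$Scheme
    if ($null -eq $zone) { return "Not assigned for scheme $Scheme" }
    return $ZoneNames[[int]$zone]
}

function Set-IEZoneForHost {
    param([string]$Fqdn, [int]$Zone = 1, [string]$Scheme = 'https')
    $key = Get-ZoneMapKey $Fqdn
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name $Scheme -Value $Zone -PropertyType DWord -Force | Out-Null
}

# Logon behaviour per zone is value 1A00 under Zones\<n>:
# 0x0 = automatic logon with current credentials, 0x10000 = prompt,
# 0x20000 = automatic logon only in Intranet zone (the default that causes the prompt
# when the AD FS host is merely in Trusted Sites), 0x30000 = anonymous
function Get-IEZoneLogonPolicy {
    param([int]$Zone)
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    $v = (Get-ItemProperty -Path $key -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
    switch ($v) {
        0       { 'Automatic logon with current user name and password' }
        0x10000 { 'Prompt for user name and password' }
        0x20000 { 'Automatic logon only in Intranet zone' }
        0x30000 { 'Anonymous logon' }
        default { 'Unknown / not set' }
    }
}

"Before: $AdfsHost is in zone '$(Get-IEZoneForHost $AdfsHost)'"
"Trusted Sites (2) logon policy : $(Get-IEZoneLogonPolicy 2)"
"Local Intranet (1) logon policy: $(Get-IEZoneLogonPolicy 1)"

Set-IEZoneForHost -Fqdn $AdfsHost -Zone 1   # 1 = Local Intranet, the zone Jack's reply calls for
"After:  $AdfsHost is in zone '$(Get-IEZoneForHost $AdfsHost)'"
```

Running the first three lines before changing anything usually shows the cause of the thread's symptom: the host is either unassigned or in Trusted Sites, and both of those zones carry the "Automatic logon only in Intranet zone" policy, so the browser asks for a password instead of negotiating Kerberos. For a fleet of domain-joined clients the same assignment is normally pushed with the Group Policy "Site to Zone Assignment List" (Computer or User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page), which writes the equivalent entries under HKLM or HKCU \Software\Policies\... and takes precedence over the per-user keys this example edits.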

All Replies
  • Hello Eriksignout,

    We greatly appreciate your feedback and effort on this problem. I will forward your feedback to our product team. If you have any additional questions when using Office 365 in the future, please feel free to post a new question in the forum.

    Thanks again.

    Jack Sun