Active Directory Federation Services (ADFS) is a great option to enable single sign-on with Microsoft Dynamics CRM Online and other applications. If you are using ADFS with a portal or other application (pretty soon CRM too), you want to make sure the login mechanism works with all browsers and NOT just IE.
A small glitch is that browsers such as Chrome and Firefox do not support 'enhanced protection' when using Windows Authentication. So what does this mean?
It means that if you log in with ADFS from a non-IE browser, it will not work. You will see this authentication failure in the application log:
An account failed to log on.
Security ID: NULL SID
Account Name: –
Account Domain: –
The good news is that the fix is easy. Simply turn off Enhanced Protection for Windows Authentication in IIS on the adfs/ls folder.
Log in to your ADFS server. In IIS, expand adfs, then right-click on the ls subfolder.
Double-click on Authentication, then in the advanced properties for Windows Authentication, turn off 'enhanced protection'.
There you go! ADFS and single sign-on for non-IE browsers.
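The same change can be audited and applied from PowerShell. This is an added example, not from the original post; it assumes the adfs application is hosted under a site named "Default Web Site" and that the WebAdministration module is installed. IIS stores the setting as the `tokenChecking` attribute of the `extendedProtection` element, where `None` corresponds to Off.

```powershell
# Added example (not from the original post): read and change the Windows
# Authentication protection setting on the adfs/ls application.
Import-Module WebAdministration

# Assumption: the adfs application lives under "Default Web Site".
$site     = 'Default Web Site'
$location = "$site/adfs/ls"
$pspath   = 'MACHINE/WEBROOT/APPHOST'
$filter   = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

function Get-TokenChecking {
    $raw = Get-WebConfigurationProperty -PSPath $pspath -Location $location `
               -Filter $filter -Name 'tokenChecking'
    # Depending on the module version the enum comes back as a string or as
    # an attribute object carrying the string in .Value.
    if ($raw -is [string]) { $raw } else { [string]$raw.Value }
}

# Fail early if the path is wrong instead of writing a stray <location> entry.
if (-not (Test-Path "IIS:\Sites\$site\adfs\ls")) {
    throw "No adfs/ls under '$site'; set `$site to the site that hosts ADFS."
}

$before = Get-TokenChecking
# None = Off, Allow = Accept, Require = Required in IIS Manager.
Write-Output "tokenChecking before: $before"

if ($before -ne 'None') {
    # Keep a record of the old value so the change can be reverted later.
    # The log file name is a constructed example.
    "$(Get-Date -Format o) $location tokenChecking was $before" |
        Add-Content -Path "$env:TEMP\adfs-ls-tokenChecking.log"

    Set-WebConfigurationProperty -PSPath $pspath -Location $location `
        -Filter $filter -Name 'tokenChecking' -Value 'None'
}

Write-Output "tokenChecking after: $(Get-TokenChecking)"
```

This setting ties the Windows Authentication exchange to the TLS channel to resist credential relay, so the logged previous value is the one to restore once every client browser in use supports it.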