
PowerObjects Blog 

for Microsoft Business Applications


ADFS and Single Sign On: Working with Non-IE Browsers (Chrome, Firefox, Safari)

Post Author: Joe D365

Active Directory Federation Services (ADFS) is a great option for enabling single sign-on with Microsoft Dynamics CRM Online and other applications. If you are using ADFS with a portal or other application (pretty soon CRM too), you want to make sure the login mechanism works with all browsers and not just IE.

A small glitch is that browsers such as Chrome and Firefox do not support ‘enhanced protection’ (the setting IIS labels Extended Protection) when using Windows Authentication. So what does this mean?

It means that if you log in with ADFS from a non-IE browser, it will not work. You will see this authentication failure in the application log:

An account failed to log on.

Subject:
    Security ID:        NULL SID
    Account Name:        -
    Account Domain:        -
    ….

The good news is that the fix is easy. Simply turn off Enhanced Protection for Windows Authentication in IIS on the adfs/ls folder.

Log in to your ADFS server. In IIS, expand adfs, then right-click the ls subfolder.

Double-click Authentication, then in the advanced settings for Windows Authentication, turn off ‘enhanced protection’.


There you go! ADFS and single sign on for non-IE browsers.
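
An added example, not part of the original post: a read-only Python check that lists every IIS location with Windows Authentication enabled together with its Extended Protection value, so you can confirm the change is limited to adfs/ls. It assumes the setting is stored as the `tokenChecking` attribute in applicationHost.config; the sample configuration and its site paths are constructed.

```python
import xml.etree.ElementTree as ET

# IIS Manager label for each tokenChecking value stored in the configuration.
UI_LABEL = {"None": "Off", "Allow": "Accept", "Require": "Required"}

# Constructed sample shaped like applicationHost.config (not from a real server).
SAMPLE_CONFIG = """\
<configuration>
  <location path="Default Web Site/adfs/ls">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="None" />
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/intranet">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="Require" />
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/reports">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>
"""

def audit_extended_protection(config_xml):
    """Return (location, tokenChecking, UI label) for each Windows-auth location."""
    findings = []
    for loc in ET.fromstring(config_xml).iter("location"):
        wa = loc.find("./system.webServer/security/authentication/windowsAuthentication")
        if wa is None or wa.get("enabled", "false").lower() != "true":
            continue  # Windows Authentication is not enabled here
        ep = wa.find("extendedProtection")
        # A missing element or attribute falls back to the schema default, None (Off).
        value = ep.get("tokenChecking", "None") if ep is not None else "None"
        findings.append((loc.get("path"), value, UI_LABEL.get(value, "unknown")))
    return findings

def not_required(findings):
    """Locations where Extended Protection is not enforced for every client."""
    return [path for path, value, _ in findings if value != "Require"]

if __name__ == "__main__":
    for path, value, label in audit_extended_protection(SAMPLE_CONFIG):
        print(f"{path}: tokenChecking={value} ({label})")
```

On a server, pass the contents of `%windir%\System32\inetsrv\config\applicationHost.config` to `audit_extended_protection` instead of the sample.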

Happy CRM'ing!

Joe CRM

7 comments on “ADFS and Single Sign On: Working with Non-IE Browsers (Chrome, Firefox, Safari)”

  1. Surely "Accept" would be the right setting to use to protect most connections against a MITM attack (the whole point of using Extended Protection) while allowing non-compliant clients to connect?

  2. Thanks for this helpful article. I could log in to my web application via AD FS integration just fine from Chrome on my Mac. However, my counterparts using Chrome on Windows could not. This was the problem.

  3. The most recent stable version of Chrome (Version 51.0.2704.84) now supports enhanced protection, and the SSO experience is similar to IE.
