AD FS 2.0: Prompted for Credentials When You Are Expecting to Be Allowed Anonymous Access

Symptoms

Browsing to certain AD FS 2.0 resources results in an authentication prompt rather than being allowed the expected anonymous access.

Examples:

  • /adfs/ls/idpinitiatedsignon.aspx
  • /adfs/ls/homerealmdiscovery.aspx, reached after browsing to /adfs/ls/ with WS-Federation parameters or SAML 2.0 protocol data in the request

Cause

The problem lies in the IIS configuration and can arise from either of two conditions:

1. Authentication settings on /adfs/ls/

  • /adfs/ls/ should have Anonymous and Windows authentication enabled

2. Settings from web.config

  • Check for web.config files at the root of the web site and in every web application or virtual directory down to the path that is failing. For example, if /adfs/ls/idpinitiatedsignon.aspx prompts for credentials, look for a web.config file at the Default Web Site, /adfs/, and /ls/.
  • A web.config file can contain a URL authorization section that causes anonymous authentication to fail even though Anonymous authentication is enabled for the site or application you are accessing. The URL authorization section looks like this:

    <authorization>
        <{some_authorization_statement}/>
    </authorization>

More specifically:

    <authorization>
        <deny users="?" />
    </authorization>

The <deny users> element can carry any value, such as "?", "*", or specific user names:

    "?" - all anonymous users are denied access.
    "*" - all users are denied access.


Resolution

1. Revert IIS authentication settings back to default. /adfs/ should have Anonymous only. /adfs/ls/ should have Anonymous and Windows.

2. Edit or remove web.config files containing authorization settings which block anonymous access.
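The following PowerShell script is an added example, not part of the original article and not AD FS or IIS product code. It audits both conditions from the Cause section against the defaults in the Resolution section: the authentication modules enabled on /adfs/ and /adfs/ls/, and any <deny users="?" /> or <deny users="*" /> rule in the web.config files from the site root down to /adfs/ls/. It assumes the IIS 7.x WebAdministration module is available and that AD FS 2.0 is installed under "Default Web Site" (both are assumptions; adjust $site if the farm uses another site).

```powershell
# Added example (not from the original article): audit the AD FS 2.0 IIS paths
# for the two conditions that produce an unexpected credential prompt.
# Assumes the WebAdministration module and that AD FS lives under "Default Web Site".
Import-Module WebAdministration

$site = 'Default Web Site'   # assumption: change if AD FS is hosted on another site

# Expected defaults from the Resolution section:
#   /adfs/    -> Anonymous only
#   /adfs/ls/ -> Anonymous and Windows
$expected = [ordered]@{
    'adfs'    = @{ Anonymous = $true; Windows = $false }
    'adfs/ls' = @{ Anonymous = $true; Windows = $true  }
}

# Read the "enabled" attribute of one authentication module for a given location.
function Get-AuthEnabled {
    param([string]$Location, [string]$Module)   # Module: anonymousAuthentication | windowsAuthentication
    $prop = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter "system.webServer/security/authentication/$Module" -Name enabled
    return [bool]$prop.Value
}

# Condition 1: authentication settings on /adfs/ and /adfs/ls/
foreach ($path in $expected.Keys) {
    $location = "$site/$path"
    $anon = Get-AuthEnabled -Location $location -Module anonymousAuthentication
    $win  = Get-AuthEnabled -Location $location -Module windowsAuthentication
    $want = $expected[$path]
    $ok   = ($anon -eq $want.Anonymous) -and ($win -eq $want.Windows)
    $verdict = if ($ok) { 'OK' } else { 'MISMATCH - revert to defaults (Resolution step 1)' }
    "{0,-12} Anonymous={1,-5} Windows={2,-5} {3}" -f "/$path/", $anon, $win, $verdict
}

# Condition 2: walk the physical folders for the site root, /adfs and /adfs/ls
# and report <deny users="..."/> rules inside <authorization>. "?" denies
# anonymous users and "*" denies everyone; either produces the credential prompt.
$nodes = @("IIS:\Sites\$site", "IIS:\Sites\$site\adfs", "IIS:\Sites\$site\adfs\ls")
foreach ($node in $nodes) {
    $item = Get-Item $node -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    # PhysicalPath may contain %SystemDrive% style variables on the site root.
    $dir = [Environment]::ExpandEnvironmentVariables($item.PhysicalPath)
    $cfg = Join-Path $dir 'web.config'
    if (-not (Test-Path $cfg)) { continue }
    [xml]$xml = Get-Content -Path $cfg -Raw
    # <authorization> may sit under <system.web> or inside a <location> element,
    # so match it anywhere in the document.
    foreach ($deny in $xml.SelectNodes('//authorization/deny')) {
        $users = $deny.GetAttribute('users')
        if ($users -eq '?' -or $users -eq '*') {
            "BLOCKING RULE in ${cfg}: <deny users=`"$users`" /> - edit or remove it (Resolution step 2)"
        } elseif ($users) {
            "Note: ${cfg} denies specific users: $users"
        }
    }
}
```

Run it in an elevated PowerShell session on the AD FS server. A MISMATCH line means the authentication modules have drifted from the defaults; a BLOCKING RULE line points at the exact web.config file whose <authorization> section must be edited or removed before anonymous access to idpinitiatedsignon.aspx or homerealmdiscovery.aspx will work again.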
