Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

AD FS ignores the "prompt=login" parameter during an authentication in Windows Server 2012 R2


View products that this article applies to.

Summary

After you install the July 2016 update in KB 3172614, authentication fails if you use a non-password authentication (such as PIV cards) on an Identity Provider (IdP) server, and the request contains the prompt parameter that has login as the value.

↑ Back to the top


Cause

This problem occurs because the default prompt federation behavior is to convert the prompt=login parameter to wauth=password&wfresh=0 during the federation.

↑ Back to the top


About the fix

Active Directory Federation Services (AD FS) now supports the following options to control how the prompt=login parameter should be handled during a federation. These options can be set globally for all federated servers by using the set-ADFSProperties cmdlet. They can be viewed by using the get-ADFSProperties cmdlet.

  • None. Do not federate the prompt=login request and error instead.
  • FallbackToProtocolSpecificParameters (Default). Translate prompt=login to wfresh=0 and Wauth=forms during a federation. If "wauth" exists in the original request, it will be preserved. 


    The default "wauth" value can be overridden by using the PromptLoginFallbackAuthenticationType parameter. For example, the following command translates prompt=login to wfresh=0 and wauth=urn:ietf:rfc:2246 during a federation. 

    Set-AdfsProperties -PromptLoginFederation FallbackToProtocolSpecificParameters -PromptLoginFallbackAuthenticationType urn:ietf:rfc:2246

  • ForwardPromptAndHintsOverWsFederation. Forward the prompt parameter as it is during a federation.
  • Disabled. Discard the prompt parameter from the request during a federation.

The following are examples of the set-ADFSProperties cmdlet:

  • Set-AdfsProperties -PromptLoginFederation None
  • Set-AdfsProperties -PromptLoginFederation ForwardPromptAndHintsOverWsFederation

↑ Back to the top


How to get this update

To add the new option, install the October 2017 update 4041685.
 

Prerequisites

To install this update, you must have Windows Server 2012 R2 installed.
 
 

Registry information

To apply this update, you don't have to make any changes to the registry.
 
 

Restart requirement

You must restart the computer after you apply this update.
 
 

Update replacement information

This update does not replace a previously released update.
 

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top


References

Learn about the terminology that Microsoft uses to describe software updates.

↑ Back to the top


Article Info
Article ID : 4043631
Revision : 12
Created on : 10/17/2017
Published on : 10/17/2017
Exists online : False
Views : 751