Tags: c#, authentication, adfs, adal, asp.net-core-webapi

Why does ADFS authentication using ADAL never require the user to enter credentials?


We are running ADFS 3 on Windows Server 2012 R2, and using the C# ADAL library v3 to retrieve an authentication token from ADFS for our custom .NET application. The idea is to use ADFS to provide AD authentication of our users to our .NET Core Web APIs using the same web-standard method whether the client application is a .NET app or a ReactJS app.

The applications are internal LOB applications, and all users are internal corporate users who are logged onto AD through Windows when using the application. The authentication appears to be working in that ADFS is called and provided a JWT token for the calling user, and that token is successfully checked by the web API.

What concerns me is that, when authentication is triggered for the Web API, a browser window flashes up but never pauses to force the user to authenticate - ADFS just responds with a token for the user. I expected the users to have to authenticate with their username and password, at least the first time and immediately after a password change.

Is this expected behaviour, and why? This answer is to a different question, but implies that in this situation Integrated Windows Authentication (IWA) will be used unless ADFS is configured to force Forms Based Authentication (FBA).

Can anyone confirm that this is what is happening?

Thanks, Peter


Solution

  • If you are running the ADFS Server in your Domain Environment (which I suppose you do, since ADFS is sort of Windows-only-ish), then your users are experiencing single sign-on through Kerberos.

    So what essentially happens is the following:

    • User's browser (UA = user agent) opens
    • UA loads ADFS, providing its User-Agent header
    • AD FS sniffs that header for configured values (PS> Get-ADFSProperties for more info)
    • AD FS sees IE or any other WIA-enabled browser (you can make Chrome and FF work, too)
    • AD FS starts Kerberos Negotiation with the UA
    • AD FS issues user ticket

    You can force users to authenticate by setting an appropriate policy or disabling WIA on AD FS (enable FBA, or you won't authenticate with any method).
    You can also call AD FS via a WAP proxy - this will also force FBA (assuming you do not have device authentication).

    Nevertheless - why would you reauthenticate the user in ADFS? He already provided his password to the Windows machine he is sitting at - if you force reauth you lose a nice and smooth single-sign-on experience. You do not gain anything by asking the user again. If you want it "more secure", roll out two-factor authentication. AD FS 2016 has modules for that.

    Update - just to clarify for others:
    AD FS should automatically fall back to FBA (if not configured otherwise) if the browser does not support WIA!
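The two checks the answer points at (the WIA user-agent list from Get-ADFSProperties, and the intranet authentication policy that decides between WIA and FBA), as an added PowerShell example that is not part of the answer above. It assumes an elevated session on the AD FS 3 server itself; the `FormsAuthentication` value and the `WIASupportedUserAgents` property are the standard AD FS cmdlet names, and the `$backup` path is a placeholder.

```powershell
# Added example: inspect why SSO is silent, and how to require a password prompt instead.
# Assumes it runs on the AD FS server in an elevated PowerShell session.
Import-Module ADFS

# 1. Which User-Agent substrings AD FS treats as WIA-capable. A browser matching one of
#    these gets a Kerberos/NTLM negotiation instead of the forms login page.
$wiaAgents = (Get-AdfsProperties).WIASupportedUserAgents
Write-Host "WIA-capable user agents:`n  $($wiaAgents -join "`n  ")"

# 2. Which primary method the intranet side of the global policy allows.
$policy = Get-AdfsGlobalAuthenticationPolicy
Write-Host "Intranet primary providers: $($policy.PrimaryIntranetAuthenticationProvider -join ', ')"
Write-Host "Extranet primary providers: $($policy.PrimaryExtranetAuthenticationProvider -join ', ')"

# Keep a record of the current values before changing anything (placeholder path).
$backup = 'C:\adfs-auth-policy-before.txt'
"WIA agents: $($wiaAgents -join ';')"                                       | Out-File $backup
"Intranet:   $($policy.PrimaryIntranetAuthenticationProvider -join ';')"    | Out-File $backup -Append

# 3. Make forms-based authentication the only primary intranet method, so every browser
#    is prompted for credentials even when it would have negotiated Kerberos.
#    WIA stays configured; it is simply no longer offered as the intranet primary method.
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider @('FormsAuthentication')

# 4. Verify the change took effect before testing with a client.
$after = (Get-AdfsGlobalAuthenticationPolicy).PrimaryIntranetAuthenticationProvider
if ($after -contains 'WindowsAuthentication') {
    throw 'WindowsAuthentication is still an intranet primary provider; policy not applied.'
}
Write-Host "Intranet primary providers now: $($after -join ', ')"
```

Re-run the first two queries from another session to confirm the values persisted, and keep the backup file so the original provider list can be restored with the same `Set-AdfsGlobalAuthenticationPolicy` call.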