ADFS MANAGEMENT CONSOLE CHANGES
WIA takes the domain credentials used to log on to the domain PC and passes them through to ADFS. This eliminates the need to log in to LaunchPad (ADFS) manually. This policy is only recommended for users who have their own AD logins.
1. Open AD FS Management Console
2. Under Authentication Policies, click “Edit” under the Primary Authentication->Global Settings section
3. Global Authentication Policy (see screenshot)
   - Make sure Forms Authentication is enabled for Extranet
   - Make sure Forms AND Windows Authentication are enabled for Intranet, then click OK
4. Under Authentication Policies->Per Relying Party Trust, highlight login.classlink.net and click “Edit Custom Primary Authentication” on the right
   - Check “Users are required to provide credentials each time at sign in”
ADFS 2.0 – if your ADFS console DOES NOT have an Authentication Policies folder, you have ADFS 2.0, not 3.0. Run the command below instead of step 4 above.
(Check ADFS to make sure the name of the relying party trust is login.classlink.net)
- Start PowerShell in administrator mode
- Run the following command (the token lifetime is in minutes):
(Press Y if prompted to accept changes)
Set-ADFSRelyingPartyTrust -TargetName "login.classlink.net" -TokenLifetime 1
ADFS CHANGES VIA POWERSHELL (ADFS 2 or 3)
Run the following commands in PowerShell on the ADFS server:
- Set-ExecutionPolicy RemoteSigned
- Set-ADFSProperties -ExtendedProtectionTokenCheck None
- Set-ADFSProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Mozilla/5.0")
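The following script is an added example, not part of the original guide or ClassLink's own tooling. It applies the ADFS 2.0 token-lifetime step and the PowerShell settings above in one pass, but first records the current values so they can be restored: ExtendedProtectionTokenCheck None switches off the channel-binding (Extended Protection for Authentication) check on the ADFS endpoint, and the "Mozilla/5.0" entry matches the start of every mainstream browser user agent, so ADFS will offer WIA to practically all browsers and relies on the Extranet forms fallback configured earlier. The backup file path and the snap-in detection are assumptions; the relying party name is the one the guide uses.

```powershell
# Added example (not from the original guide): apply the WIA-related ADFS
# settings with a saved "before" state for rollback.
# Run in an elevated PowerShell on the ADFS server.
# ADFS 2.0 exposes its cmdlets through a snap-in; ADFS 3.0 loads the Adfs
# module automatically. Cmdlet names are case-insensitive in PowerShell.

$rpName = "login.classlink.net"              # relying party trust name from the guide
$backup = "C:\Temp\adfs-wia-before.xml"      # assumed path for the rollback record

if (-not (Get-Command Get-ADFSProperties -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell   # ADFS 2.0 snap-in
}

# 1. Confirm the relying party trust exists under the expected name
$rp = Get-ADFSRelyingPartyTrust -Name $rpName
if (-not $rp) {
    throw "Relying party trust '$rpName' not found; check the name in the ADFS console."
}

# 2. Record the current values (Export-Clixml also works on PowerShell 2.0)
$props = Get-ADFSProperties
New-Object PSObject -Property @{
    ExtendedProtectionTokenCheck = $props.ExtendedProtectionTokenCheck.ToString()
    WIASupportedUserAgents       = @($props.WIASupportedUserAgents)
    TokenLifetime                = $rp.TokenLifetime
} | Export-Clixml -Path $backup
Write-Host "Previous settings saved to $backup"

# 3. Apply the settings from the guide
Set-ADFSProperties -ExtendedProtectionTokenCheck None
Set-ADFSProperties -WIASupportedUserAgents @(
    "MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0",
    "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Mozilla/5.0"
)
# ADFS 2.0 substitute for "Users are required to provide credentials each time"
Set-ADFSRelyingPartyTrust -TargetName $rpName -TokenLifetime 1

# 4. Read the values back so the change is verified, not assumed
$after   = Get-ADFSProperties
$rpAfter = Get-ADFSRelyingPartyTrust -Name $rpName
"ExtendedProtectionTokenCheck : $($after.ExtendedProtectionTokenCheck)"
"WIASupportedUserAgents       : $($after.WIASupportedUserAgents -join ', ')"
"TokenLifetime for $rpName    : $($rpAfter.TokenLifetime) minute(s)"
```

To roll back, load the saved object with Import-Clixml and pass its ExtendedProtectionTokenCheck, WIASupportedUserAgents and TokenLifetime values back into Set-ADFSProperties and Set-ADFSRelyingPartyTrust.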
GROUP POLICY CHANGES *On DOMAIN CONTROLLER*
User Configuration>Policies>Administrative Templates>Windows Components>Internet Explorer>Internet Control Panel>Security Page
1. Enable Site to Zone Assignment List
2. Click Show
3. Enter your district’s base URL for ADFS, then enter a value of 1 (Local intranet zone). Now click OK, then OK again to save the setting.
4. In the same section above, add https://launchpad.classlink.com with a value of 2. This adds the LaunchPad URL to the Trusted sites zone.
User Configuration>Policies>Administrative Templates>Windows Components>Internet Explorer>Internet Control Panel>Security Page>Intranet Zone
1. Enable Logon options and select “Automatic Logon with current username and password” in the options section
User Configuration>Preferences>Windows Settings>Registry
1. Right click open space on the right-hand side and select New->Registry Item
2. Set up item as follows:
- Action: Update
- Hive: HKEY_CURRENT_USER
- Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\YOURDOMAIN.COM\adfs
- Value name: https
- Value type: REG_SZ
- Value data: 1
APPLY AND TEST
- Reboot the ADFS server
- Apply the GPO to the machine/OU
- Run gpupdate /force from an administrative command prompt on the domain machine
- Attempt to log in with ADFS from any domain machine to which the policy applies
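Before testing the login, it helps to confirm on the client that the GPO actually delivered the zone assignments and the Intranet logon option. The script below is an added example, not part of the original guide; it reads the registry locations that the Site to Zone Assignment List policy, the Intranet zone "Logon options" policy and the registry preference item from the guide write to. The YOURDOMAIN.COM host name is the guide's own placeholder, and the policy registry paths are the standard Internet Explorer policy locations; if your environment maps them differently, adjust the paths.

```powershell
# Added example (not from the original guide): verify on a domain-joined client
# that the GPO settings WIA to ADFS depends on have been applied.
# Run as the user who received the policy, after gpupdate /force.

$adfsHost  = "adfs.YOURDOMAIN.COM"            # placeholder: your district's ADFS host
$launchpad = "https://launchpad.classlink.com"
$zoneNames = @{ "1" = "Local intranet"; "2" = "Trusted sites" }

# Site to Zone Assignment List stores URL -> zone number under this policy key
$policyMap = "HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
# The registry preference item from the guide writes here
$prefKey   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\YOURDOMAIN.COM\adfs"
# Intranet zone (zone 1) logon option lives in value 1A00; 0 = automatic logon
# with current user name and password. Policy path is checked before user path.
$zone1Paths = @(
    "HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"
)

function Get-ZoneAssignment([string]$url) {
    # Returns the zone name the policy assigned to $url, or $null if none
    if (-not (Test-Path $policyMap)) { return $null }
    $val = (Get-ItemProperty -Path $policyMap -ErrorAction SilentlyContinue).$url
    if ($val) { return $zoneNames["$val"] }
    return $null
}

foreach ($url in @("https://$adfsHost", $launchpad)) {
    $zone = Get-ZoneAssignment $url
    if ($zone) { "OK       $url -> $zone (Site to Zone Assignment List)" }
    else       { "MISSING  $url has no policy zone assignment; check GPO scope and gpupdate" }
}

if (Test-Path $prefKey) {
    $https = (Get-ItemProperty -Path $prefKey).https
    "OK       registry preference: $adfsHost https -> zone $https ($($zoneNames["$https"]))"
} else {
    "MISSING  registry preference item under ZoneMap\Domains not present"
}

$logon = $null
foreach ($p in $zone1Paths) {
    if (Test-Path $p) {
        $v = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).'1A00'
        if ($null -ne $v) { $logon = $v; break }
    }
}
if ($null -eq $logon) {
    "MISSING  Intranet zone logon option (1A00) not set"
} elseif ($logon -eq 0) {
    "OK       Intranet zone logon option = automatic logon with current user name and password"
} else {
    "WARN     Intranet zone logon option 1A00 = 0x{0:X} (not automatic logon)" -f $logon
}
```

If any line reports MISSING, run gpresult /r in the same session to confirm the GPO is actually in the applied list for this user before troubleshooting the ADFS side.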