ADFS MANAGEMENT CONSOLE CHANGES
WIA uses the domain credentials used to log into the domain PC and passes it through to ADFS. This eliminates the need to manually login to LaunchPad (ADFS). This policy is only recommend for users with their own AD logins.
- Open AD FS Management Console
- Under Authentication Policies, click “Edit” under the Primary Authentication->Global Settings section
3. Global Authentication Policy (see screenshot)
- Make sure Forms Authentication is enabled for Extranet
- Make sure Forms AND Windows Authentication is enabled for Intranet, then click OK
4. Under Authentication Policies->Per Relying Party Trust, highlight login.classlink.net and click “Edit Custom Primary Authentication on the right
Make sure “Users are required to provide credentials each time at sign in” option is NOT checked
For Windows Server 2016 & Later
1) Open AD FS
2) Open, Services, then Authentication Methods. then on the right, select Edit Primary Authentication Method.
3) Make sure Forms Authentication is selected under Extranet, and both Forms Authentication and Windows Authentication are selected under Intranet
ADFS CHANGES VIA POWERSHELL
Run the following commands in PowerShell on the ADFS server:
- Set-ExecutionPolicy RemoteSigned
- Set-ADFSProperties –ExtendedProtectionTokenCheck None
- Set-AdfsProperties -WIASupportedUserAgents @("MSAuthHost/1.0/In-Domain","MSIPC","Windows
Rights Management Client","Windows NT") - Set-AdfsGlobalAuthenticationPolicy -WindowsIntegratedFallbackEnabled $true
Reboot your ADFS server.
GROUP POLICY CHANGES *On DOMAIN CONTROLLER*
User Configuration>Policies>Administrative Templates>Windows Components>Internet Explorer>Internet Control Panel>Security Page
- Enable Site to Zone Assignment List
2. Click Show
3. Enter your district’s base URL for ADFS, then enter a value of 1. Now click OK, then OK again to save the setting.
4. In the same section above, add https://launchpad.classlink.com with a value of 2. This will add the Launchpad URL in the trusted zones site.
User Configuration>Policies>Administrative Templates>Windows Components>Internet Explorer>Internet Control Panel>Security Page>Intranet Zone
1. Enable Logon options and select “Automatic Logon with current username and password” in the options section
User Configuration>Preferences>Windows Settings>Registry
1. Right click open space on the right-hand side and select New->Registry Item
2. Set up item as follows:
- Action: Update
- Hive: HKEY_CURRENT_USER
- Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\YOURDOMAIN.COM\adfs
- Value name: https
- Value type: REG_SZ
- Value data: 1
Click OK.
TEST CHANGES
- Reboot ADFS Server
- Apply GPO to machine/OU
- Run gpupdate /force from Admin command prompt on the domain machine
- Attempt to login with ADFS from any domain machine to which the policy applies