AD FS ignores the "prompt=login" parameter during an authentication in Windows Server 2012 R2

Applies to: Windows Server 2012 R2 StandardWindows Server 2012 R2 DatacenterWindows Server 2012 R2 Essentials More

Summary


After you install the July 2016 update in KB 3172614, authentication fails if you use a non-password authentication (such as PIV cards) on an Identity Provider (IdP) server, and the request contains the prompt parameter that has login as the value.

Cause


This problem occurs because the default prompt federation behavior is to convert the prompt=login parameter to wauth=password&wfresh=0 during the federation.

About the fix


Active Directory Federation Services (AD FS) now supports the following options to control how the prompt=login parameter should be handled during a federation. These options can be set globally for all federated servers by using the set-ADFSProperties cmdlet. They can be viewed by using the get-ADFSProperties cmdlet.

  • None. Do not federate the prompt=login request and error instead.
  • FallbackToProtocolSpecificParameters (Default). Translate prompt=login to wfresh=0 and Wauth=forms during a federation. If "wauth" exists in the original request, it will be preserved. 


    The default "wauth" value can be overridden by using the PromptLoginFallbackAuthenticationType parameter. For example, the following command translates prompt=login to wfresh=0 and wauth=urn:ietf:rfc:2246 during a federation. 

    Set-AdfsProperties -PromptLoginFederation FallbackToProtocolSpecificParameters -PromptLoginFallbackAuthenticationType urn:ietf:rfc:2246

  • ForwardPromptAndHintsOverWsFederation. Forward the prompt parameter as it is during a federation.
  • Disabled. Discard the prompt parameter from the request during a federation.

The following are examples of the set-ADFSProperties cmdlet:

  • Set-AdfsProperties -PromptLoginFederation None
  • Set-AdfsProperties -PromptLoginFederation ForwardPromptAndHintsOverWsFederation

How to get this update


To add the new option, install the October 2017 update 4041685.
 

Prerequisites

To install this update, you must have Windows Server 2012 R2 installed.
 
 

Registry information

To apply this update, you don't have to make any changes to the registry.
 
 

Restart requirement

You must restart the computer after you apply this update.
 
 

Update replacement information

This update does not replace a previously released update.
 

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

References


Learn about the terminology that Microsoft uses to describe software updates.