After you install the July 2016 update in KB 3172614, authentication fails if you use a non-password authentication (such as PIV cards) on an Identity Provider (IdP) server, and the request contains the prompt parameter that has login as the value.
This problem occurs because the default prompt federation behavior is to convert the prompt=login parameter to wauth=password&wfresh=0 during the federation.
About the fix
Active Directory Federation Services (AD FS) now supports the following options to control how the prompt=login parameter should be handled during a federation. These options can be set globally for all federated servers by using the set-ADFSProperties cmdlet. They can be viewed by using the get-ADFSProperties cmdlet.
- None. Do not federate the prompt=login request and error instead.
- FallbackToProtocolSpecificParameters (Default). Translate prompt=login to wfresh=0 and Wauth=forms during a federation. If "wauth" exists in the original request, it will be preserved.
The default "wauth" value can be overridden by using the PromptLoginFallbackAuthenticationType parameter. For example, the following command translates prompt=login to wfresh=0 and wauth=urn:ietf:rfc:2246 during a federation.
Set-AdfsProperties -PromptLoginFederation FallbackToProtocolSpecificParameters -PromptLoginFallbackAuthenticationType urn:ietf:rfc:2246
- ForwardPromptAndHintsOverWsFederation. Forward the prompt parameter as it is during a federation.
- Disabled. Discard the prompt parameter from the request during a federation.
The following are examples of the set-ADFSProperties cmdlet:
- Set-AdfsProperties -PromptLoginFederation None
- Set-AdfsProperties -PromptLoginFederation ForwardPromptAndHintsOverWsFederation
How to get this update
To add the new option, install the October 2017 update 4041685.
Update replacement information
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.