AD FS 2.0: Prompted for Credentials When You Are Expecting to Be Allowed Anonymous Access
Symptoms
Browsing to certain AD FS 2.0 resources results in an authentication prompt rather than being allowed the expected anonymous access.
Examples:
- /adfs/ls/idpinitiatedsignon.aspx
- homerealmdiscovery.aspx as a result of browsing /adfs/ls/ containing WS-Federation parameters or SAML 2.0 protocol data
Cause
The problem lies in the IIS configuration and can arise from either of two conditions:
1. Authentication settings on /adfs/ls/
- /adfs/ls/ should have Anonymous and Windows authentication enabled
2. Settings from web.config
- Check for web.config files at the root of the web site and any web application or virtual directory down to the path that is failing. For example, if I am having problems accessing /adfs/ls/idpinitiatedsignon.aspx I would look for a web.config file at the Default Web Site, /adfs/, and /ls/.
- Web.config files can contain a URL authorization section that denies anonymous users, which causes the request to fail even though Anonymous authentication is enabled on the site or application you are accessing. The URL authorization section looks like this:
<authorization>
<{some_authorization_statement}/>
</authorization>
More specifically:
<authorization>
<deny users="?" />
</authorization>
The users attribute of the <deny> element can hold "?", "*", or a comma-separated list of specific user names.
"?" - denies all anonymous users.
"*" - denies all users, authenticated or not.
Resolution
1. Revert IIS authentication settings back to default. /adfs/ should have Anonymous only. /adfs/ls/ should have Anonymous and Windows.
2. Edit or remove web.config files containing authorization settings which block anonymous access.
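The following script is an added example and is not part of this article or of AD FS; it audits the two settings described under Cause and Resolution from copies of the configuration files. It reads the per-location authentication modules from applicationHost.config and compares them with the expected defaults, then walks the web.config chain (site root, /adfs/, /adfs/ls/) and evaluates ASP.NET URL authorization the way the runtime does: the most specific config's rules are checked first, the first rule matching the caller wins, and the machine-level default is allow. The site name, file labels and the sample XML are constructed assumptions for the example.

```python
"""Constructed audit script (not from the KB article) for the two IIS settings
that control anonymous access to AD FS 2.0 /adfs/ls/:

1. applicationHost.config <location> entries: /adfs/ should have Anonymous
   authentication only, /adfs/ls/ should have Anonymous and Windows.
2. The web.config chain: ASP.NET URL authorization evaluates the most specific
   config's rules first, first match wins, and the implicit machine-level rule
   is <allow users="*"/>. A <deny users="?"/> (anonymous) or <deny users="*"/>
   (everyone) matched before any allow turns the anonymous page into a prompt.

Site name, labels and the sample XML below are assumptions made for this example.
"""
import xml.etree.ElementTree as ET

SITE = "Default Web Site"  # assumed site name
EXPECTED_AUTH = {
    f"{SITE}/adfs": {"anonymous": True, "windows": False},
    f"{SITE}/adfs/ls": {"anonymous": True, "windows": True},
}


def location_auth(app_host_xml):
    """Map each <location path> that carries an <authentication> block to the
    enabled state of its anonymous and Windows authentication modules."""
    result = {}
    for loc in ET.fromstring(app_host_xml).iter("location"):
        auth = loc.find("./system.webServer/security/authentication")
        if auth is None:
            continue

        def enabled(tag):
            el = auth.find(tag)
            return el is not None and el.get("enabled", "false").lower() == "true"

        result[loc.get("path")] = {
            "anonymous": enabled("anonymousAuthentication"),
            "windows": enabled("windowsAuthentication"),
        }
    return result


def auth_drift(app_host_xml):
    """Locations whose authentication modules differ from the AD FS defaults."""
    actual = location_auth(app_host_xml)
    return [p for p, want in EXPECTED_AUTH.items() if actual.get(p) != want]


def matches_anonymous(rule):
    """True if an <allow>/<deny> rule applies to an anonymous caller: its users
    list contains "?" (anonymous) or "*" (everyone). Role-only rules never
    match because an anonymous caller has no roles."""
    users = rule.get("users", "")
    return any(u.strip() in ("?", "*") for u in users.split(","))


def anonymous_decision(chain):
    """chain: list of (label, web.config XML) ordered from the site root down to
    the failing path. Returns (verdict, label, users) where verdict is "allow"
    or "deny"; label is None when only the implicit machine-level allow applied."""
    for label, xml in reversed(chain):  # most specific config first
        section = ET.fromstring(xml).find("./system.web/authorization")
        if section is None:
            continue
        for rule in section:  # document order, first matching rule wins
            if rule.tag in ("allow", "deny") and matches_anonymous(rule):
                return (rule.tag, label, rule.get("users"))
    return ("allow", None, "*")


# Constructed sample: /adfs/ls/ lost Anonymous, and /adfs/web.config denies "?".
SAMPLE_APPHOST = """<configuration>
  <location path="Default Web Site/adfs">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" />
      <windowsAuthentication enabled="false" />
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/adfs/ls">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="false" />
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>"""

SAMPLE_CHAIN = [
    ("Default Web Site/web.config", "<configuration><system.web/></configuration>"),
    ("adfs/web.config",
     '<configuration><system.web><authorization><deny users="?" />'
     "</authorization></system.web></configuration>"),
    ("adfs/ls/web.config", "<configuration><system.web/></configuration>"),
]

if __name__ == "__main__":
    for path in auth_drift(SAMPLE_APPHOST):
        print(f"authentication drift at {path}: expected {EXPECTED_AUTH[path]}")
    verdict, label, users = anonymous_decision(SAMPLE_CHAIN)
    print(f'anonymous access: {verdict} (rule users="{users}" in {label})')
```

On a real server, feed it the text of %windir%\System32\inetsrv\config\applicationHost.config and the web.config files found along the path; a "deny" verdict names the file and rule to edit or remove, and any listed drift names the location whose authentication modules to revert.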