Symptom: when users access the federated application from inside the corporate network using Internet Explorer, they are presented with the AD FS Forms-Based Authentication (FBA) page instead of Windows Integrated Authentication (WIA) taking place. At the same time, WIA works as expected in Edge and Chrome from the intranet.
Since there was no Windows security pop-up asking for user credentials and other browsers worked, this was definitely not caused by Windows Authentication being disabled in the AD FS Primary Authentication Methods, nor by the AD FS host name missing from the Local intranet security zone (https://technet.microsoft.com/en-us/library/jj203438.aspx) in Internet Explorer.
I checked the list of supported WIA agents in the AD FS global properties using this command:
Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents
The output was as follows. Can you find the missing agent string?
Correct, “Trident/7.0” was missing.
Using the following command has resolved the issue:
Set-AdfsProperties -WIASupportedUserAgents ((Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents) + "Trident/7.0")
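The check and the fix above as an idempotent helper, with a substring test showing why the Internet Explorer 11 user agent is not covered by the "MSIE" entries. This is an added example, not part of the original post; the function names, the sample list, the sample User-Agent value and the exact-case substring matching are assumptions.

```powershell
# Added example. Assumption: AD FS offers WIA only when the browser's User-Agent
# header contains one of the WIASupportedUserAgents entries as a substring
# (exact case is assumed here, which is the stricter reading).

function Get-WiaAgentMatch {
    param(
        [Parameter(Mandatory)][string]   $UserAgent,
        [Parameter(Mandatory)][string[]] $SupportedAgents
    )
    # Return every configured entry that occurs inside the User-Agent string.
    $SupportedAgents | Where-Object { $UserAgent.Contains($_) }
}

function Add-WiaAgentIfMissing {
    param([Parameter(Mandatory)][string] $Agent)
    # Needs the ADFS module on a farm node. Reads the current list first so a
    # repeated run does not append a duplicate entry.
    $current = @(Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents)
    if ($current -ccontains $Agent) { return $false }   # already present, no change
    Set-AdfsProperties -WIASupportedUserAgents ($current + $Agent)
    return $true                                        # entry was added
}

# Constructed sample: a supported-agent list without the Trident entry.
$configured = @(
    'MSAuthHost/1.0/In-Domain', 'MSIE 6.0', 'MSIE 7.0', 'MSIE 8.0',
    'MSIE 9.0', 'MSIE 10.0', 'MSIPC', 'Windows Rights Management Client'
)
# Constructed sample: an IE 11 User-Agent. It carries Trident/7.0 but no MSIE token.
$ie11 = 'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko'

$before = @(Get-WiaAgentMatch -UserAgent $ie11 -SupportedAgents $configured)
$after  = @(Get-WiaAgentMatch -UserAgent $ie11 -SupportedAgents ($configured + 'Trident/7.0'))

"Matches without Trident/7.0: $($before.Count)"   # no match, so the FBA page is shown
"Matches with Trident/7.0:    $($after -join ', ')"

# On the AD FS server itself:
# Add-WiaAgentIfMissing -Agent 'Trident/7.0'
```

The two matching calls run anywhere; only `Add-WiaAgentIfMissing` touches the farm configuration, so it is left commented out.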
You can read more about configuration of intranet form-based authentication for the devices that do not support WIA in this article – https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-intranet-forms-based-authentication-for-devices-that-do-not-support-wia