
Fail scenario:

The customer is using AAD as the IdP to authenticate users accessing Dynamics CRM on-premises.


When an Edge profile is signed in, CRM uses the wauth parameter "urn:federation:authentication:windows" to sign in with ADFS. The signed-in profile generates a device token that overrides the original wauth parameter, replacing it with "urn:oasis:names:tc:SAML:2.0:ac:classes:Password", and ADFS then returns the error: "Error details: Exception of type 'Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException'".


Authentication flow on Edge:

  1. The user connects to the app, redirects to ADFS, and selects AAD authentication.
  2. During AAD authentication, the user completes the first-stage verification directly through the PRT (Primary Refresh Token), which lets Multi-Factor Authentication (MFA) start immediately.
  3. After the completion of MFA, the token is sent back to ADFS. However, since there was no validation through Windows Integrated Authentication (WIA) during this process, it does not align with the app's requirements.


Successful scenario:

In InPrivate mode, Edge and Chrome (without installed extensions) will not use PRT, so you won't encounter this issue.


Authentication flow on In-Private Edge:

  1. The user connects to the app, redirects to ADFS, and selects AAD authentication.
  2. During AAD authentication, the user enters their account information. After entering the account, because the domain is federated, they are redirected back to ADFS for validation.
  3. Upon returning to ADFS, since the User Agent supports WIA (Windows Integrated Authentication), the Windows Integrated Authentication process is completed.
  4. After the completion of MFA, the token is sent back to ADFS. Because the ADFS authentication process used WIA, it aligns with the app's requirements, resulting in a successful authentication.


Root cause:

Edge uses the PRT for authentication by default because the device is registered in AAD, so it presents a device token that overrides CRM's wauth parameter.
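The override described above, as an added illustration that is not part of the original post and not ADFS code: a simplified model of how the wauth value CRM requests is compared with the authentication method the IdP actually performed, for both the signed-in Edge (PRT) flow and the InPrivate (WIA) flow. The sign-in URL and hostnames are constructed.

```python
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Authentication method URIs as they appear in the scenario.
WAUTH_WINDOWS = "urn:federation:authentication:windows"
WAUTH_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"

# Constructed WS-Federation sign-in request, as CRM would send it to ADFS.
CRM_SIGNIN_URL = (
    "https://adfs.example.com/adfs/ls/?wa=wsignin1.0"
    "&wtrealm=https%3A%2F%2Fcrm.example.com%2F"
    "&wauth=urn%3Afederation%3Aauthentication%3Awindows"
)


def requested_wauth(signin_url: str) -> Optional[str]:
    """Extract the wauth parameter from a WS-Federation sign-in request URL."""
    values = parse_qs(urlparse(signin_url).query).get("wauth")
    return values[0] if values else None


def check_authentication_type(requested: Optional[str], performed: str) -> Tuple[bool, str]:
    """Simplified model (assumption, not ADFS internals) of the policy check:
    when the relying party pins wauth, the method the IdP actually used must
    match it; otherwise ADFS raises InvalidAuthenticationTypePolicyException."""
    if requested is None or requested == performed:
        return True, "authentication type accepted"
    return False, (
        "Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine."
        "InvalidAuthenticationTypePolicyException: "
        f"requested {requested}, performed {performed}"
    )


def simulate(signin_url: str, prt_available: bool) -> Tuple[bool, str]:
    """Model the two flows: with a PRT the device token replaces the requested
    wauth with the Password class; without one (InPrivate) the request is honoured
    and WIA runs, so the performed method equals the requested one."""
    requested = requested_wauth(signin_url)
    performed = WAUTH_PASSWORD if prt_available else (requested or WAUTH_WINDOWS)
    return check_authentication_type(requested, performed)


if __name__ == "__main__":
    for prt in (True, False):
        ok, detail = simulate(CRM_SIGNIN_URL, prt_available=prt)
        print(f"PRT available={prt}: ok={ok}; {detail}")
```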


Expectation:

Edge, as a Microsoft-supported browser, should work with the CRM application in this scenario when the device is registered in AAD; for example, the PRT could consistently include WIA by default.

Category: General
Status details: New