My mobile device is connected to the intranet (possibly over an external VPN connection). When I try to use Single Sign On with a mobile browser (e.g. Safari on iOS) or a mobile app that supports Single Sign On, it fails on the AD FS authentication page/URL with an error page or a white page that does not load.
In certain circumstances, Windows Integrated Authentication (WIA) does not work correctly on mobile browsers in the intranet. So far we have been able to reproduce problems with:
- Google Chrome on Android
- Safari on iOS
- Several mobile apps for Jira/Confluence (e.g. Confluence Server)
To fix this issue, intranet forms-based authentication (username and password) needs to be configured as the fixed authentication module for mobile browsers, selected by user agent. The following article by Microsoft describes the steps in detail: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-intranet-forms-based-authentication-for-devices-that-do-not-support-wia
Basically, you need to remove User Agent Strings from the WIASupportedUserAgentStrings property list. To get the User Agent String of your browser, use your favorite user agent detector (e.g. http://www.whatsmyua.info). For integrated browsers, such as the one in the Confluence Server mobile app, you need to capture the network traffic with a browser debugging tool (e.g. Configure Fiddler for iOS) to get the User Agent information.
Below are some User Agent Strings we collected from the Confluence Server mobile app, which might help with further troubleshooting:
- "Mozilla/5.0 (iPhone; CPU iPhone OS 11_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E216 Atlassian Mobile App"
- "Mozilla/5.0 (Linux; Android 5.1.1; KFDOWI Build/LVY48F; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/59.0.3071.125 Safari/537.36 AtlassianMobileApp"
- "=~Windows\s*NT.*Chrome" (to target only Chrome on Windows for WIA)
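
The removal step described above, as an added PowerShell example (not taken from the Microsoft article or from this page): it reports which WIASupportedUserAgentStrings entries match a captured mobile User-Agent and writes back the list without them. The helper names, the sample list used off-server and the matching rule (plain entries as case-sensitive substrings, "=~" entries as regular expressions) are assumptions.

```powershell
# User-Agent captured from the Confluence Server mobile app (first entry in the list above).
$capturedUserAgents = @(
    'Mozilla/5.0 (iPhone; CPU iPhone OS 11_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E216 Atlassian Mobile App'
)

function Test-WiaEntryMatch {
    param([string]$Entry, [string]$UserAgent)
    # Assumption: "=~" entries are regular expressions; all other entries are
    # case-sensitive substrings of the User-Agent header.
    if ($Entry.StartsWith('=~')) { return $UserAgent -cmatch $Entry.Substring(2) }
    return $UserAgent.Contains($Entry)
}

function Split-WiaEntries {
    param([string[]]$Entries, [string[]]$UserAgents)
    # An entry is removed if it matches at least one captured User-Agent.
    $remove = @($Entries | Where-Object {
        $entry = $_
        @($UserAgents | Where-Object { Test-WiaEntryMatch -Entry $entry -UserAgent $_ }).Count -gt 0
    })
    [pscustomobject]@{
        Remove = $remove
        Keep   = @($Entries | Where-Object { $remove -cnotcontains $_ })
    }
}

if (Get-Command Get-AdfsProperties -ErrorAction SilentlyContinue) {
    # On the AD FS server: read the live list.
    $current = @((Get-AdfsProperties).WIASupportedUserAgentStrings)
} else {
    # Constructed sample list for a dry run off-server; not the real defaults.
    $current = @('MSIE 6.0', 'Mozilla/5.0 (iPhone', '=~Windows\s*NT.*Chrome')
}

$plan = Split-WiaEntries -Entries $current -UserAgents $capturedUserAgents
'Entries to remove: ' + ($plan.Remove -join ' | ')
'Entries to keep:   ' + ($plan.Keep -join ' | ')

$apply = $false   # set to $true only after reviewing the two lines printed above
if ($apply -and $plan.Remove.Count -gt 0) {
    # Write back the list without the entries that matched the mobile clients.
    Set-AdfsProperties -WIASupportedUserAgentStrings $plan.Keep
    # Clients that no longer match the list need the forms-based fallback enabled.
    Set-AdfsGlobalAuthenticationPolicy -WindowsIntegratedFallbackEnabled $true
}
```

Keep a copy of the original list before applying the change, because a removed entry also switches every other client it matched from WIA to the forms-based login page.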