The project seemed to be a classic upgrade and machine transition case. As usual with MIM updates and upgrades, or really any kind of MIM-related infrastructure intervention, I expected a few bumps along the way. However, the actual problem turned out to be quite the rocky ride and it really made me grind my gears.
Infinite authentication pop-up in Microsoft Edge
The issue at hand seemed to be a standard one: MIM Portal not loading due to Kerberos authentication. OK, let's do the basics:
Confirm SPNs configuration
Uncheck “Enable Kernel-mode authentication” in IIS (Sites\MIM Portal\Authentication\Windows Auth\Advanced)
Add MIM Portal addresses to Local Intranet.
Great, issue resolved in Internet Explorer, Chrome and… wait. Edge, despite being Chrome based, is unable to comply with our beloved, a tad bit rusty, legacy-coded portal. After ruling out an unchecked "Enable Integrated Windows Authentication" option (Security section of the Advanced tab in Internet Options) as a possible culprit, I tried to dig deeper.

Edge Group Policies modification
My first idea was to modify the group policies. To do so, I first had to download the package containing the administrative templates that allow those options to be set for the Edge browser. Of the extracted files, I needed only the ones in the folder MicrosoftEdgePolicyTemplates\windows\admx:
msedge.admx
msedgeupdate.admx
msedgewebview2.admx
Language pack folder (in my case en-US)

I then copied them to the local machine's policy definitions* folder, C:\Windows\PolicyDefinitions, and restarted the Group Policy editor.
Awesome, now I can modify Edge browser policies. I wanted to enable two policies:
Configure the Enterprise Mode Site List
Send all intranet sites to Internet Explorer

Tested how it went…Nah, not there yet.
*Please bear in mind that this location was used because I wanted to test on a single machine only. To apply it domain-wide, which is recommended, especially with the upcoming retirement of IE, the correct location is the SYSVOL central store, %systemroot%\sysvol\domain\policies\PolicyDefinitions, on a Domain Controller.
Internet Options setup does not apply to Edge
So I tried another option: in Edge Settings, under the Default browser section, there is an inconspicuous toggle: "Allow sites to be reloaded in Internet Explorer mode". After enabling it and reloading the Edge pages…

Hooray, the issue is resolved, Deus vult!

Conclusion on Microsoft Edge with Kerberos
The issue was caused by the MIM Portal being a rather legacy solution, which therefore requires special care. The steps I took:
1. Checked all SPNs
2. Unchecked "Enable Kernel-mode authentication" in IIS
3. Added MIM Portal addresses to Local Intranet
4. Verified "Enable Integrated Windows Authentication" was checked
5. Configured Edge policies and enabled the following:
   Configure the Enterprise Mode Site List
   Send all intranet sites to Internet Explorer
6. Enabled "Allow sites to be reloaded in Internet Explorer mode" in Edge settings
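To verify the checklist above on a given machine, here is an added PowerShell diagnostic (my own script, not from the original post or from the MIM product) that reports which of the basics are still missing. It assumes a placeholder portal host name, the IIS site name "MIM Portal", the per-user zone map layout under HKCU, and the registry value names that back the Edge IE mode policies; check those names against the ADMX templates you imported.

```powershell
# Added diagnostic for the checklist above; not part of the original post.
# Assumed: portal host name (placeholder), IIS site name, HKCU zone-map layout,
# and the registry value names backing the Edge IE mode policies (verify against
# the ADMX version you imported).
param(
    [string]$PortalHost = 'mimportal.contoso.local',   # placeholder, adjust
    [string]$SiteName   = 'MIM Portal'
)

function Test-MimPortalKerberos {
    $findings = @()

    # 1. SPN: Kerberos needs HTTP/<host> registered on a (single) service account.
    $spn = setspn -Q "HTTP/$PortalHost" 2>&1 | Out-String
    if ($spn -match 'No such SPN found') {
        $findings += "SPN HTTP/$PortalHost is not registered (setspn -X lists duplicates)"
    }

    # 2. IIS: kernel-mode authentication must be off for the portal site.
    Import-Module WebAdministration
    $km = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
            -Filter 'system.webServer/security/authentication/windowsAuthentication' `
            -Name useKernelMode).Value
    if ($km -ne $false) { $findings += "useKernelMode is not disabled on site '$SiteName'" }

    # 3. Zone map: host must map to zone 1 (Local intranet) for http and https.
    $labels  = $PortalHost.Split('.')
    $zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\'
    if ($labels.Count -gt 1) { $zoneKey += (($labels | Select-Object -Skip 1) -join '.') + '\' }
    $zoneKey += $labels[0]
    $zone = Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue
    foreach ($scheme in 'http', 'https') {
        if ($null -eq $zone -or $zone.$scheme -ne 1) {
            $findings += "${scheme}://$PortalHost is not in the Local intranet zone"
        }
    }

    # 4. Edge policies: registry-backed forms of the IE mode settings the post relies on (assumed names).
    $edge = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' -ErrorAction SilentlyContinue
    foreach ($name in 'InternetExplorerIntegrationLevel', 'InternetExplorerIntegrationSiteList',
                      'SendIntranetToInternetExplorer', 'InternetExplorerIntegrationReloadInIEModeAllowed') {
        if ($null -eq $edge -or $null -eq $edge.$name) { $findings += "Edge policy $name is not configured" }
    }

    return $findings
}

$result = Test-MimPortalKerberos
if ($result.Count -eq 0) { 'All checks passed' } else { $result }
```

Run it in an elevated PowerShell on the MIM Portal server (the zone and Edge checks reflect that machine and the current user only).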
That's it! Easy enough, huh? If you are looking for a partner to help with your Microsoft Identity Manager environment or to set up a brand-new one do not hesitate to contact us today.