top of page

Edge(y) Issue with Kerberos

Writer's picture: Julian MilfortJulian Milfort

Updated: Jun 5, 2023

The project seemed to be the kind of a classic upgrade and machine transition case. As usual with MIM updates and upgrades, or actually any kind of MIM related infrastructure interventions, I expected a few bumps on the way. However, the actual problem turned out to be quite the rocky ride and it really made me grind my gears.


Infinite authentication pop-up in Microsoft Edge

The issue at hand seemed a classic to be a standard – MIM Portal not loading due to Kerberos authentication. Ok, let’s do the basics:

  • Confirm SPNs configuration

  • Uncheck “Enable Kernel-mode authentication” in IIS (Sites\MIM Portal\Authentication\Windows Auth\Advanced)

  • Add MIM Portal addresses to Local Intranet.

Great, issue resolved in Internet Explorer, Chrome and…Wait, Edge, despite being Chrome based, is unable to comply with our beloved, a tad bit rusty, legacy-coded portal. After excluding from the list of the possible culprits “Enable Integrated Windows Authentication” being unchecked in the Security section of the Advanced tab of Internet Options, I tried to dig deeper.

Enable Integrated Windows Authentication screenshot


Edge Group Policies modification

First idea was to modify the group policies. To do so, I had to first download the package containing administrative templates that would allow me to modify those options for Edge browser. Then, from extracted files I actually needed the ones in folder MicrosoftEdgePolicyTemplates\windows\admx:

  • msedge.admx

  • msedgeupdate.admx

  • msedgewebview2.admx

  • Language pack folder (in my case en-US)

GPO administrative template screenshot

And pasted them to local machine Policy Definition* C:\Windows\PolicyDefinitions and restarted the Group Policy editor.


Awesome, now I can modify Edge browser policies. I wanted to enable two policies:

  • Configure the Enterprise Mode Site List

  • Send all intranet sites to Internet Explorer

Group Policy Editor screenshot

Tested how it went…Nah, not there yet.


*Please do bear in mind that this location was used as I wanted to conduct a test solely on one machine. To apply it domain wide, which is recommended, especially with the upcoming retirement of IE, the correct location would be sysvol %systemroot%\sysvol\domain\policies\PolicyDefinitions on a Domain Controller.


Internet Options setup does not apply to Edge

Thus, I tried another option – going to Edge Settings, under the Default Browser section, there’s an inconspicuous toggle: "Allow sites to be reloaded in Internet Explorer mode". After enabling this one and restarting the Edge pages…

Microsoft Edge with Internet Explorer compatibility screenshot

Hooray, the issue is resolved, Deus vult!

Enabled IE compatibility mode screenshot

Conclusion on Microsoft Edge with Kerberos


Issue was caused by the MIM Portal being a rather legacy solution, therefore requiring special care. The steps I took:


1. Checked all SPNs

2. Unchecked "Enable Kernel-mode authentication" in IIS

3. Added MIM Portal addresses to Local Intranet

4. Verified "Enable Integrated Windows Authentication" was checked

5. Configured Edge policies and enabled the following:

  • Configure the Enterprise Mode Site List

  • Send all intranet sites to Internet Explorer

6. Enabled "Allow sites to be reloaded in Internet Explorer mode" in Edge settings


That's it! Easy enough, huh? If you are looking for a partner to help with your Microsoft Identity Manager environment or to set up a brand-new one do not hesitate to contact us today.

Recent Posts

See All

Comments


  • LinkedIn
  • X
bottom of page