adfs 2012 R2 forms authentication default login domain

    Question

  • Hi,

    Is there any way on ADFS 2012 R2 to edit the default login page, as on the old ADFS by editing formssignin.aspx,

    so users do not need to enter the domain in the forms page?

    Thanks

    Wednesday, December 11, 2013 11:50 AM

All replies

  • Not at the moment, no. It's locked down to just UI changes via PowerShell.

    Developer Security MVP | www.syfuhs.net

    • Proposed as answer by Steve Kradel Wednesday, March 05, 2014 11:29 PM
    Wednesday, December 11, 2013 5:57 PM
  • Thanks for your reply, but this is not good, so we can't use ADFS 2012 R2.... Good idea but bad implementation....

    thanks


    Thursday, December 12, 2013 6:25 AM
  • As Steve says, it's not possible. I've looked around on my ADFS 3.0 2012 R2 test server and couldn't find anything so far to do it.

    Find me on linkedin: http://nl.linkedin.com/in/tranet

    Friday, December 13, 2013 12:12 PM
  • Any update on this?  I have the same requirement to default the domain...
    Friday, February 07, 2014 1:54 PM
  • Hi, did anyone manage this? We would like the same. Thanks
    Tuesday, March 04, 2014 9:02 PM
  • Now I have installed ADFS on Windows 2012 R2 and configured ADFS Proxy,
    published by TMG. External Office 365 logins are redirected to the ADFS authentication page; after entering the user name and password an error occurs, and the error also appears locally. Have I missed something?

    Are there new conversion rules to be issued for Office 365?
    I am using the conversion rules issued for ADFS 2.0; is that not related here?
    Friday, March 07, 2014 6:41 AM
  • I've found the ASPX.CS pages for ADFS 3.0 / 2012R2. They are embedded in C:/windows/adfs/Microsoft.IdentityServer.Web.dll


    Find me on linkedin: http://nl.linkedin.com/in/tranet



    • Edited by Robin Gaal Friday, March 07, 2014 4:08 PM
    Friday, March 07, 2014 3:57 PM
  • I am trying to eliminate our users having to enter their domain\username and only have them enter their username. It seems like in ADFS 2.0 it worked great and would accept your username without having to enter the domain for those that we have access to. Is there any way to fix this, or to add a drop-down list that will allow a user to choose their domain?
    Friday, March 07, 2014 4:19 PM
  • Modifying that DLL is probably going to be more trouble than it's worth. I can't imagine it going well since there are probably InternalsVisibleTo attributes tying everything together, and that requires assembly signing to work. I'd also hope that there are checks for unsigned DLLs now too.

    Developer Security MVP | www.syfuhs.net

    Friday, March 07, 2014 5:03 PM
  • We don't know until someone gives it a try. At least it's known where they are now instead of the random directions proposed by others (hidden folders, database, zipped, random other stuff etc.).

    Find me on linkedin: http://nl.linkedin.com/in/tranet

    Friday, March 07, 2014 5:28 PM
  • Before patching DLLs, which is awful.... it would be better to report it to Microsoft as a DCR. It seems to be a show stopper for many people.

    I deliberately did not participate because I don't even know how to spell the words: HTML, CSS or JavaScript. So against better judgment, taking my foot out of my mouth.... Just ventilating (?ignorant?) ideas.

    I assume that it happens in the forms sign-in page with JavaScript validation on the id="userNameInput" input.

    On http://technet.microsoft.com/en-us/library/dn636121.aspx it is suggested that you could change validation. Would it be possible for someone with client side knowledge to take a look at onload.js options? [onload.js content comes after the form, but who knows........ Patching JavaScript on the client side might be easier than patching the DLL, or more exciting in server core (memory) :-) ]


    Paul Lemmers

    • Proposed as answer by Robin Gaal Thursday, March 20, 2014 8:23 AM
    Tuesday, March 11, 2014 8:59 PM
  • Based on the document that Paul references, here is the code I added to the onload.js file that accomplishes this.  Please forgive my sloppy javascript

    // Append the UPN suffix when the user typed a bare user name.
    // Login.userNameInput holds the id of the user name field on the ADFS sign-in page.
    var AppendUPN = function () {
        var userName = document.getElementById(Login.userNameInput);
        var lowerUserName = userName.value.toLowerCase();

        //Check to see if they already included the UPN
        var li = lowerUserName.lastIndexOf('@xyz.com');
        if (li == -1)
        {
            userName.value = userName.value + '@xyz.com';
        }
        return true;
    }

    // Run AppendUPN before the page's own submit routine when the Sign In button is clicked.
    document.getElementById('submitButton').onclick = new Function("AppendUPN();return Login.submitLoginRequest();");

    • Proposed as answer by Robin Gaal Thursday, March 20, 2014 8:23 AM
    Wednesday, March 19, 2014 10:21 PM
  • :-) I knew it would be solved..... :-)

    Just one more point of attention. The choice is between prepending the (NetBIOS) domain name or appending a UPN suffix. Whichever is best depends on the domain architecture and usage.

    And a cross reference: http://social.msdn.microsoft.com/Forums/vstudio/en-US/bfde6a72-a522-4d12-907d-3f96577ab3a0/windows-server-2012-r2-adfs-proxy-error-enter-your-user-id-in-the-format-domainuser?forum=Geneva


    Paul Lemmers

    Thursday, March 20, 2014 8:36 AM
  • Based on the document that Paul references, here is the code I added to the onload.js file that accomplishes this.  Please forgive my sloppy javascript

    [quoted AppendUPN code from the post above]

    This seems promising; the only thing is the user has to click the Sign In button. Just hitting Enter after entering the password brings up the same error. Any ideas how to overcome that?
    Thursday, March 20, 2014 1:58 PM
  • Thanks so much. A little modification to that code allows both clicking the sign in button and pressing enter on the password textbox:

    // Check whether the loginMessage element is present on this page.
    var loginMessage = document.getElementById('loginMessage');
    if (loginMessage)
    {
        // loginMessage element is present, modify its properties.
        loginMessage.innerHTML = 'Some useful message to explain what they need to enter, or re-enter after failed attempt';
    }

    //remove domain name requirement
    // Enter (keyCode 13) in the password box appends the UPN and then submits.
    function runScript(e) {
        if (e.keyCode == 13) {
            AppendUPN();
            return Login.submitLoginRequest();
        }
    }

    var AppendUPN = function () {
        var userName = document.getElementById(Login.userNameInput);
        var lowerUserName = userName.value.toLowerCase();

        //Check to see if they already included the UPN
        var li = lowerUserName.lastIndexOf('@your_domain_name');
        if (li == -1)
        {
            userName.value = userName.value + '@your_domain_name';
        }

        return true;
    }

    document.getElementById('submitButton').onclick = new Function('AppendUPN();return Login.submitLoginRequest();');
    document.getElementById('passwordInput').onkeypress = runScript;


    Thursday, March 20, 2014 3:46 PM
  • Modified a little more.  I now check to see if they already entered it in the correct format.  I also capture if they press enter instead of clicking the button.

    var AppendUPN = function () {
        var userName = document.getElementById(Login.userNameInput);
        if (userName.value)
        {
            // Only append the suffix when it is not already there.
            var lowerUserName = userName.value.toLowerCase();
            var li = lowerUserName.lastIndexOf('@company.com');
            if (li == -1)
            {
                userName.value = userName.value + '@company.com';
            }
            return true;
        }
        // Empty user name: do not submit.
        return false;
    }

    // Button click, and Enter (keyCode 13) on the button or anywhere in the form, go through AppendUPN first.
    document.getElementById('submitButton').onclick = new Function("if (AppendUPN()) return Login.submitLoginRequest();");
    document.getElementById('submitButton').onkeypress = new Function("if (event && event.keyCode == 13) { if (AppendUPN()) Login.submitLoginRequest(); }");
    document.getElementById('loginForm').onkeypress = new Function("if (event && event.keyCode == 13) { if (AppendUPN()) Login.submitLoginRequest(); }");

    Thursday, March 20, 2014 10:49 PM
  • This is a great help, thank you. Is there a way to modify or remove the user name input placeholder? It is currently saying someone@example.com. Can it be removed or changed?

    Thanks


    Isaac Oben MCITP:EA, MCSE, MCC | View my MCP Certifications: https://www.mcpvirtualbusinesscard.com/VBCServer/4a046848-4b33-4a28-b254-e5b01e29693e/interactivecard

    Wednesday, March 26, 2014 5:00 AM
  • Found a solution.

    document.getElementById("userNameInput").placeholder="Text Here";

    thanks


    Isaac Oben MCITP:EA, MCSE, MCC | View my MCP Certifications: https://www.mcpvirtualbusinesscard.com/VBCServer/4a046848-4b33-4a28-b254-e5b01e29693e/interactivecard

    Wednesday, March 26, 2014 5:35 AM
  • document.getElementById("userNameInput").placeholder="Text Here";

    How do you handle bi-lingual? (English and French)

    Thursday, May 22, 2014 9:32 PM
  • Maybe slightly off-topic but this article provides a really good reference for doing ADFS 2012 R2 customization.

    Handling Expired Passwords in AD FS 2012 R2

    Tuesday, May 27, 2014 8:11 PM
  • I have the below code in onload.js and it works but it is a workaround.  I am still looking for something like this: Set-AdfsGlobalWebContent -ErrorPageDescriptionText "This is my error page description" -locale "en"

    //replace user name hint
    // 'xyz@example.com' and 'someone@example.com' are the placeholders seen on the French and English
    // pages respectively; any other locale's placeholder is left unchanged.
    var userNameInput = document.getElementById("userNameInput");
    if (userNameInput.placeholder == 'xyz@example.com') {
        userNameInput.placeholder = "Nom d'utilisateur";
    } else if (userNameInput.placeholder == 'someone@example.com') {
        userNameInput.placeholder = 'User Name';
    }

    Tuesday, May 27, 2014 8:23 PM
  • Thanks for the code.  :)

    I modified your code further to only concatenate the domain when @ and \ are not present in the username.

    var AppendUPN = function () {
        var userName = document.getElementById(Login.userNameInput);
        if (userName.value) {
            var lowerUserName = userName.value.toLowerCase();
            // indexOf returns -1 when the character is absent; a leading '@' or '\' (index 0) counts as present
            var containAt = lowerUserName.indexOf("@");
            var containSlash = lowerUserName.indexOf("\\");
            if (containAt == -1 && containSlash == -1) {
                userName.value = userName.value + '@contoso.com';
            }
            return true;
        }
        return false;
    }

    document.getElementById('submitButton').onclick = new Function("if (AppendUPN()) return Login.submitLoginRequest();");
    document.getElementById('submitButton').onkeypress = new Function("if (event && event.keyCode == 13) { if (AppendUPN()) Login.submitLoginRequest(); }");
    document.getElementById('loginForm').onkeypress = new Function("if (event && event.keyCode == 13) { if (AppendUPN()) Login.submitLoginRequest(); }");


    Friday, June 27, 2014 9:06 PM
  • I have the below code in onload.js and it works but it is a workaround.  I am still looking for something like this: Set-AdfsGlobalWebContent -ErrorPageDescriptionText "This is my error page description" -locale "en"

    [quoted placeholder-replacement code from the post above]

    Thank you very much for the above. The if/else snippet does not appear to work as-is. Can you or someone kindly provide the full section of code? Wouldn't that begin with declaring a var? I assume it can be added to the end of onload.js. Thanks!
    Wednesday, July 16, 2014 9:27 PM
  • We have a .local domain, so I thought it would be confusing to users who are not used to seeing their username@corp.local; if they mistype their password, the next page has the appended username@corp.local and they might be confused.  None of our users log in with UPN.

    Edited the script to add domain\ at the front of the username instead.

    // Same AppendUPN function as above (name kept so the existing submit handlers still call it),
    // with the body changed to prepend the NetBIOS domain instead of appending a UPN suffix.
    var AppendUPN = function () {
        var userName = document.getElementById(Login.userNameInput);
        var lowerUserName = userName.value.toLowerCase();

        //Check to see if they already included the domain
        var li = lowerUserName.indexOf('domain\\');
        if (li == -1)
        {
            userName.value = 'domain\\' + userName.value;
        }

        return true;
    }

    Thursday, July 31, 2014 4:54 PM
  • The placeholder text change seems to only work on IE10 or higher, any fix for IE9?  Some in our enterprise are still using for legacy apps.

    Thursday, July 31, 2014 4:55 PM
  • I'm not a programmer so I apologize ahead of time. I'm using a variation of the code referenced here:

    if (Login) {
        // Replace the page's submit routine so the domain prefix is added on every submit path.
        Login.submitLoginRequest = function () {
            var u = new InputUtil();
            var e = new LoginErrors();
            var userName = document.getElementById(Login.userNameInput);
            var password = document.getElementById(Login.passwordInput);
            // Prefix domain\ only when the value contains neither '@' nor '\'.
            if (userName.value && !userName.value.match('[@\\\\]'))
            {
                var userNameValue = 'domain\\' + userName.value;
                document.forms['loginForm'].UserName.value = userNameValue;
            }

            if (!userName.value) {
                u.setError(userName, e.userNameFormatError);
                return false;
            }

            if (!password.value)
            {
                u.setError(password, e.passwordEmpty);
                return false;
            }
            document.forms['loginForm'].submit();
            return false;
        };
    }

    We have two federated domains so is there a way I can modify this to ignore or remove everything after the @ and just add the domain\ prior to the username?


    Wednesday, March 04, 2015 7:39 PM
  • More effective implementation:

    //adds default NetBIOS domain in case user does not fill it in
    var AddDefaultDomain = function () {
        var defaultDomain = "MYDOMAIN";
        var patt = new RegExp("@|\\\\");   // matches an '@' or a backslash anywhere in the value

        var userName = document.getElementById(Login.userNameInput);

        if (userName.value && !patt.test(userName.value)) {
            userName.value = defaultDomain + "\\" + userName.value;
            return true;
        }
        return false;
    }

    //add handlers as appropriate to call our new handler for default domain
    document.getElementById('submitButton').onclick = new Function("if (AddDefaultDomain()) return Login.submitLoginRequest();");
    document.getElementById('submitButton').onkeypress = new Function("if (event && event.keyCode == 13) { if (AddDefaultDomain()) Login.submitLoginRequest(); }");
    document.getElementById('loginForm').onkeypress = new Function("if (event && event.keyCode == 13) { if (AddDefaultDomain()) Login.submitLoginRequest(); }");


    -Jiri

    Friday, July 17, 2015 8:13 PM
  • Hi Jiri,

    Your implementation was close; the only problem is you need to return true either way. The return false line caused the click and keypress to do nothing at all; it made it so you can't sign in with the domain at all.

    Replacing 'return false' with 'return true' fixed it; it'll add the domain if there is no domain but still submit the login request either way.


    Thanks,
    James

    Thursday, October 15, 2015 7:10 PM
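    Pulling the thread's rules together as an added example (not any poster's code): normalizeLogin is a pure function, so the edge cases discussed above can be checked outside the ADFS page, and installDefaultDomain is the onload.js wiring. The function names, the options object and the CORP domain are this example's own; Login.userNameInput and Login.submitLoginRequest are the ADFS page objects the posts use; trimming whitespace is an addition the posts do not make.

```javascript
// Added example, not any poster's code: the thread's rules as one pure helper
// that can be tested outside ADFS, plus the onload.js wiring that applies it.
// normalizeLogin, installDefaultDomain and the options object are names of this
// example; Login.userNameInput and Login.submitLoginRequest are the ADFS page
// objects the posts use. Rules taken from the thread:
//  - a value already containing '@' or '\' is left alone (June 27 post)
//  - otherwise prepend "NETBIOS\" or append "@suffix" (Paul's two options)
//  - an empty value stays empty so ADFS raises its own "user name" error
//  - a non-empty value is submitted whether or not a domain was added
//    (James's fix for Jiri's "return false")
function normalizeLogin(raw, options) {
  var value = (raw || '').trim();          // trimming is this example's addition
  if (!value) {
    return '';
  }
  var alreadyQualified = value.indexOf('@') !== -1 || value.indexOf('\\') !== -1;
  if (!alreadyQualified) {
    if (options.mode === 'netbios') {
      value = options.domain + '\\' + value;
    } else if (options.mode === 'upn') {
      value = value + '@' + options.suffix;
    } else {
      throw new Error('unknown mode: ' + options.mode);
    }
  }
  return value;
}

// Wrap the page's own submit routine, as the March 2015 post does. The button's
// onclick and the posts' Enter-key handlers all end in Login.submitLoginRequest,
// so every submit path gets the same normalization. The typeof guard keeps
// onload.js from throwing on ADFS pages where the Login object does not exist.
function installDefaultDomain(options) {
  if (typeof Login === 'undefined' || typeof document === 'undefined') {
    return false;
  }
  var input = document.getElementById(Login.userNameInput);
  var originalSubmit = Login.submitLoginRequest;
  Login.submitLoginRequest = function () {
    input.value = normalizeLogin(input.value, options);  // qualified name goes back to the form
    return originalSubmit.apply(this, arguments);        // ADFS still validates empty fields
  };
  return true;
}

// Wiring as it would appear at the end of onload.js; CORP is a constructed placeholder.
installDefaultDomain({ mode: 'netbios', domain: 'CORP' });
```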
  • Microsoft has updated their own information with how to do this as well:

    https://technet.microsoft.com/en-us/library/dn636121.aspx

    :)

    Friday, October 23, 2015 7:00 PM