In our organization we recently faced some issues with some of our Chromebooks (we use the HP branded ones). It turned out that all of those Chromebooks were in the beta channel. And at the time of writing they have gotten Google’s most recent Chrome update 80. We are using ADFS (Acitve Directory Federation Services) for federated login to our organization.
On our ADFS configuration we enabled WIA (Windows Integrated Authentication). As it turns out older Chromebooks worked fine with this type of configuration. But the more recent SameSite cookie changes in Chrome 80 seem to have broken this functionality.
Microsoft has provided some hotfixes to make ADFS compatible with the SameSite cookie change Google has announced. Microsoft provides the following hotfixes (depending on your WIndows version):
Though these hotfixes are required to make Chrome 80 work with ADFS, they do not seem to fix the problem we are facing with our Chromebooks. All our systems were up-to-date at the time of testing.
Fixing ADFS authentication on Chromebooks with Chrome 80
After a lot of digging and troubleshooting, we decided to disable WIA authentication for ChromeOS devices. This will force the user to login to a form based authentication. In order to disable WIA for ChromeOS devices only, and not for WIndows Chrome logins we issued the following command (using an elevated WIndows PowerShell console):
Set-AdfsProperties -WIASupportedUserAgents @("MSAuthHost/1.0/In-Domain", "MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "MS_WorkFoldersClient", "=~Windows\sNT.Edge", "Edge/12", "=~Windows\sNT.Chrome")
This command disables WIA authentication for Chromebooks, but keeps it alive for Windows machines.