Allow server detection of Integrated Windows Authentication (IWA) support
Allow detection (from the server side) of web clients which are managed by a domain and for which we know that IWA authentication (SPNEGO, NTLM, Kerberos) is available.
The goal is to send the IWA authentication request only to supported web clients, but NOT to web clients in which it is not handled (non-domain Edge, mobile and such), as sending a 401 status code + WWW-Authenticate HTTP header to those clients leads to a very bad user experience with a login popup. Users with a web client without IWA support are offered other classic authentication methods.
In previous IE versions, this goal could be met by using a GPO to deploy a custom IE Post Platform user agent string. This value is added to the UA string and can be detected on the remote server to send the IWA request only to those web clients.
For example:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform]
As a suggestion: a possible implementation could be an Edge option (also available through GPO) that would send some information (e.g. a custom header) to "Local intranet" websites informing them that IWA is supported.
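The server-side decision the request describes, as an added example that is not part of the original post: only clients that advertise IWA support (via a Post Platform UA token deployed by GPO, or via the opt-in header proposed above) receive the 401 + WWW-Authenticate challenge; everyone else is sent to the classic login form. The token name "Corp-IWA" and the header name "X-IWA-Supported" are constructed for the example, not real Microsoft values.

```python
import re
from typing import Dict, List, Tuple

# Constructed token: the value name an administrator would create under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
# via GPO. Any name works as long as the server checks for the same one.
IWA_TOKEN = "Corp-IWA"

# Hypothetical opt-in header standing in for the Edge option suggested in the post.
IWA_HINT_HEADER = "x-iwa-supported"


def platform_tokens(user_agent: str) -> List[str]:
    """Return the ';'-separated tokens inside the first parenthesised group of a UA
    string. IE appends Post Platform registry values into that group."""
    match = re.search(r"\(([^)]*)\)", user_agent)
    if not match:
        return []
    return [tok.strip() for tok in match.group(1).split(";") if tok.strip()]


def client_supports_iwa(headers: Dict[str, str]) -> bool:
    """True when the client has been marked as domain-managed with IWA available.
    Header names are compared case-insensitively, as HTTP requires."""
    lowered = {name.lower(): value for name, value in headers.items()}
    # Exact token comparison: a substring search on the whole UA would also match
    # unrelated tokens that merely contain the marker text.
    if IWA_TOKEN in platform_tokens(lowered.get("user-agent", "")):
        return True
    return lowered.get(IWA_HINT_HEADER, "").strip() == "1"


def challenge_for(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Decide how to answer an unauthenticated request: (status, response headers).
    IWA-capable clients get the SPNEGO challenge; others are redirected to the
    form login so no browser credential popup appears."""
    if client_supports_iwa(headers):
        return 401, {"WWW-Authenticate": "Negotiate"}
    return 302, {"Location": "/login"}
```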
Thomas Glatzer commented
This idea is 2 years old and still no comment from the team - can we at least get feedback on whether this is being considered?
Olivier Jaquemet commented
A kludge and temporary workaround should anybody need this: there is a GPO for Edge which allows intranet sites to be redirected to IE11. This way you can still use custom UA detection.
Of course, Edge being the next-generation browser, I hope this feature gets accepted so users can benefit from Edge in all circumstances.