Managing Federation Services–Creating a GPO to support ADFS Single Sign-on

In this tutorial we go over the process of creating a Group Policy that is applied to user objects and adds the Federation Servers to the Local Intranet zone in Internet Explorer.

There are several ways to configure Internet Explorer settings, and we are going to use the registry to add the required information. This method may seem a little complicated, but it works with all versions of Internet Explorer and it does not disturb the site entries that the user may already have added to his profile.


In order to have single sign-on between the on-premises environment and Microsoft Azure, we need to place the internal Active Directory Federation Services (ADFS) server in the Local Intranet zone of the Internet Explorer settings on the internal clients. This makes a lot of sense because the Local Intranet zone has the option Automatic logon only in Intranet zone enabled by default, which means that for any site in that zone (and we will be adding our Federation Server) the user's local credentials are used automatically, and that is what makes the single sign-on happen!


We can do that manually for each of our clients. To configure it manually, open Internet Options, click on the Security tab, select Local Intranet and click on Sites. In the new window, click on Advanced, and finally add the FQDN of the Federation Server (in our tutorial, the name that we defined during the configuration). In the figure below you can follow the entire manual process.


Creating a new Group Policy

Well, the manual process is good for testing and validation, but a Group Policy will make all the difference. In order to create a new Group Policy for the domain, log on to a Domain Controller, open the Group Policy Management Console, right click at the domain level or OU level and then click on Create a GPO in this domain, and Link it here…


We will label this policy as GLOBAL-Microsoft Azure Integration and then click OK.


Let's edit the newly created Group Policy. Expand User Configuration, Preferences, Windows Settings, and select Registry. Right click on the right side, click on New and finally Registry Item.


Based on our steps so far this Group Policy will be applied to user objects, so make sure that you link this Group Policy to an OU that contains users, or at the domain level.

Since we are using the registry to add the site to the Local Intranet zone of Internet Explorer, we need to understand how to build the string that we will be entering in the new window. As mentioned earlier, our Federation Server is the one we defined during the configuration. The Key Path field is where we define the address, and it is built from three pieces. The first piece is static, and we just need to copy and paste the information listed below.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

After that we append to the same string the domain portion of the name (just the domain), and finally the host itself, which in our case is adfs.

The final string will be like this one:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\apatricio.info\adfs

The other fields that must be filled out are easier to understand. The Value name can be http or https; in our case it must be https. The last field is Value Data, which is 1 for Local Intranet or 2 for Trusted Sites.

Adding all pieces together we will end up with something like the figure below.
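To check on a client that the policy landed where the tutorial says it should, the following PowerShell (an added example, not part of the original tutorial) builds the same Key Path from a FQDN, reports which zone the scheme is mapped to, and can write the same DWORD the Registry Item creates. The FQDN adfs.example.com is a placeholder; the host/domain split mirrors the tutorial's (first label is the host, the rest is the domain).

```powershell
# Added example: inspect/set the IE ZoneMap entry the GPO Registry Item creates.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-ZoneMapKeyPath {
    param([Parameter(Mandatory)][string]$Fqdn)
    # Same split as the tutorial: <host>.<domain> -> ...\Domains\<domain>\<host>
    $labels = $Fqdn.ToLower().Split('.')
    if ($labels.Count -lt 2) { throw "Expected a fully qualified name, got '$Fqdn'" }
    $hostLabel = $labels[0]
    $domain = ($labels | Select-Object -Skip 1) -join '.'
    return Join-Path (Join-Path $ZoneMapDomains $domain) $hostLabel
}

function Get-IeZoneMapping {
    param([Parameter(Mandatory)][string]$Fqdn, [ValidateSet('http','https')][string]$Scheme = 'https')
    $keyPath = Get-ZoneMapKeyPath -Fqdn $Fqdn
    if (-not (Test-Path $keyPath)) { return "${Scheme}://${Fqdn} is not mapped (key missing)" }
    # The value name is the scheme; its DWORD data is the zone number
    $value = (Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue).$Scheme
    if ($null -eq $value) { return "${Scheme}://${Fqdn} is not mapped (no '$Scheme' value)" }
    $zone = if ($ZoneNames.ContainsKey([int]$value)) { $ZoneNames[[int]$value] } else { "unknown zone $value" }
    return "${Scheme}://${Fqdn} -> $zone"
}

function Set-IeZoneMapping {
    param([Parameter(Mandatory)][string]$Fqdn,
          [ValidateSet('http','https')][string]$Scheme = 'https',
          [ValidateSet(1,2)][int]$ZoneId = 1)   # 1 = Local Intranet, 2 = Trusted Sites
    $keyPath = Get-ZoneMapKeyPath -Fqdn $Fqdn
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    New-ItemProperty -Path $keyPath -Name $Scheme -Value $ZoneId -PropertyType DWord -Force | Out-Null
}

function Test-IntranetAutoLogon {
    # Zone 1 action 1A00 = 0x20000 means 'Automatic logon only in Intranet zone',
    # the setting the tutorial relies on for single sign-on.
    $zone1 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
    $logon = (Get-ItemProperty -Path $zone1 -ErrorAction SilentlyContinue).'1A00'
    return ($logon -eq 0x20000)
}

# Placeholder FQDN; replace with your Federation Server name.
Get-IeZoneMapping -Fqdn 'adfs.example.com' -Scheme https
Test-IntranetAutoLogon
```

Run it in the session of the user the GPO targets, since the Registry Item writes to HKEY_CURRENT_USER; if the policy Security Zones: Use only machine settings is enabled, Internet Explorer reads the equivalent HKLM path instead and the HKCU entry is ignored.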



In this tutorial we went over the process of creating a Group Policy that is applied to user objects and adds the Federation Server to the Local Intranet zone of Internet Explorer, which makes the single sign-on process a breeze for your end users.