Cause 1: Maybe Kerberos authentication is not working in your machine. Check if your Internet Explorer is working with WIA/IWA following the Internet Explorer configuration in the official documentation: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-iwa#internet-explorer-configuration
Cause 2: The user-agent header sent to ADFS is not registered as one of WIASupportedUserAgents (https://docs.microsoft.com/es-es/windows-server/identity/ad-fs/operations/configure-ad-fs-browser-wia). In this case, ADFS replies sending to the KLA a simple HTML Form and WIA process cannot start.
As a solution, you have to indicate in the KLA configuration screen the “User-Agent to send during HTTP authentication” with one of the User-agent strings that are configured in your ADFS. You can ask it to your ADFS administrator.
Cause 3: During the Single-Sign-On authentication process, the requests to the IDP is passing through a proxy. If Extended Protection is enabled in your ADFS, some proxies can cause that ADFS rejects the credentials.
If your IDP is located in the local intranet, you may need to add the IDP’s hostname in the list of No Proxy Hosts to avoid passing through the proxy when KLA tries to authenticate against your IDP.