Disable Extended Protection in ADFS 2.0 (for Office 365) to allow IE, Google Chrome and Firefox to Authenticate Using NTLM

Posted on July 1, 2012 at 3:43 pm

You must disable Extended Protection in ADFS 2.0 (Office 365 SSO) to allow IE, Google Chrome and Firefox to authenticate using NTLM when using reverse proxies such as TMG and UAG, or for external employee access. Before doing so, read about the security implications of disabling Extended Protection in the Microsoft security advisory here.

In the past, this was a manual process on each server in the farm (for example, this process): ADFS 2.0 requires you to disable IIS Windows Extended Protection on the ADFS virtual directory "LS".

This can now be set easily at the farm level using PowerShell.

  1. Open a PowerShell command window
  2. Load the ADFS PowerShell snap-in
    Add-PsSnapIn Microsoft.Adfs.Powershell
  3. Set ADFS to disable Extended Protection at the farm level
    Set-ADFSProperties -ExtendedProtectionTokenCheck:None
  4. Restart ADFS and IIS
    • IISReset
    • Net Stop ADFS
    • Net Start ADFS
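As an added example that is not part of the original post, the script below wraps steps 1 to 4 in one run: it reports the current farm-level value, records the change, reads the setting back before restarting anything, and only makes the change when -Apply is given. It assumes an elevated session on a federation server, that the AD FS 2.0 service name is adfssrv, and a constructed log path.

```powershell
# Added example (not from the original post): audit the farm-level Extended
# Protection setting on an AD FS 2.0 server, change it to None only when asked,
# and verify the change before restarting IIS and the AD FS service.
# Assumptions: elevated PowerShell on a federation server; the AD FS 2.0
# service name is adfssrv; the log path is a constructed example.
param(
    [switch]$Apply,                                   # without -Apply: report only
    [string]$LogPath = "C:\Temp\adfs-ep-change.log"   # constructed example path
)

# Step 2: load the snap-in (ignore the error if it is already loaded).
Add-PsSnapIn Microsoft.Adfs.Powershell -ErrorAction SilentlyContinue

$before = (Get-ADFSProperties).ExtendedProtectionTokenCheck
Write-Host "Current ExtendedProtectionTokenCheck: $before"

if (-not $Apply) {
    Write-Host "Re-run with -Apply to set it to None (this relaxes the channel-binding check described in the advisory)."
    return
}

if ($before -eq 'None') {
    Write-Host "Already disabled at farm level; nothing to do."
    return
}

# Keep a record of who changed what and when so the change is reviewable later.
"{0} {1}\{2} changed ExtendedProtectionTokenCheck from {3} to None" -f `
    (Get-Date -Format s), $env:USERDOMAIN, $env:USERNAME, $before |
    Out-File -FilePath $LogPath -Append

# Step 3: apply the farm-level setting.
Set-ADFSProperties -ExtendedProtectionTokenCheck None

# Read the value back rather than trusting the cmdlet's silence.
$after = (Get-ADFSProperties).ExtendedProtectionTokenCheck
if ($after -ne 'None') {
    throw "Setting did not take effect (still $after); not restarting services."
}

# Step 4: restart so IIS and the AD FS service pick up the new setting.
iisreset
Restart-Service -Name adfssrv
Write-Host "ExtendedProtectionTokenCheck is now $after."
```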

Hope this helps!

PS – Uploaded to the wiki here.
