Back

Disable Extended Protection in ADFS 2.0 for NTLM

You must disable Extended Protection in ADFS 2.0 (Office 365 SSO) to allow IE, Google Chrome and Firefox to Authenticate Using NTLM when using reverse proxies such as TMG and UAG…or external employee access. To learn about the security ...

1 min read
Published on Jul 1, 2012
Disable Extended Protection in ADFS 2.0 for NTLM

You must disable Extended Protection in ADFS 2.0 (Office 365 SSO) to allow IE, Google Chrome and Firefox to Authenticate Using NTLM when using reverse proxies such as TMG and UAG…or external employee access. To learn about the security implications of disabling Extended Protection, you can read the Microsoft security advisory here.

In the past, this was a manual process on each server in the farm (for example, this process). ADFS 2.0 requires you to disable IIS Windows extended protection on the ADFS virtual directory “LS”.

This can now be set via PowerShell at the farm level easily using PowerShell.

  1. Open PoweShell Command Window
  2. Load ADFS Poweshell SnapIn Add-PsSnapIn Microsoft.Adfs.Powershell
  3. Set ADFS to diable EAP at the farm level Set-ADFSProperties -ExtendedProtectionTokenCheck
  4. Restart ADFS and IIS
    • IISReset
    • Net Stop ADFS
    • Net Start ADFS

Hope this helps!

PS – Uploaded to the wiki here.

Looking for further help? Please check us out for your Managed Service or Cloud Consulting needs.

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.

Related Posts

Assessing Readiness for GCC High Migration

Assessing Organizational Readiness for GCC High Migration

Is your organization ready for GCC High? Learn how to assess your technical, operational, and compliance readiness before migrating to Microsoft 365 GCC High.

Aug 6, 2025
6 min read
Steps to Plan a Successful GCC High Migration

Steps to Plan a Successful GCC High Migration

Learn the essential steps to plan and execute a successful Microsoft 365 GCC High migration—ensuring compliance, security, and operational continuity.

Aug 5, 2025
6 min read
How to Prepare for a GCC High Migration

How to Prepare for a GCC High Migration

Preparing for a Microsoft 365 GCC High migration? Explore the technical, compliance, and operational steps required for a smooth transition to GCC High.

Jul 31, 2025
7 min read
CMMC Documentation Requirements: Avoid Assessment Failure

GIGO: Garbage In, Garbage Out: Why Documentation Can Make or Break Your CMMC Success

Strong documentation is critical to CMMC success. Learn the key evidence assessors expect and how to avoid common documentation failures.

Jul 24, 2025
5 min read
Fast-Track CMMC Certification for Urgent Contracts

How to Fast-Track CMMC Certification for Urgent Contracts with AgileThrive JumpStart

Need urgent CMMC certification? AgileThrive JumpStart accelerates compliance for DoD contractors with fast-track assessments, gap analysis, and rapid audit readiness.

Jul 21, 2025
5 min read
Defending Against Email Compromise

Defending Against Email Compromise: Safeguarding Accounting & Procurement

Discover how to defend accounting and procurement teams from email compromise in the Defense Industrial Base. Learn CMMC-aligned best practices using Microsoft 365.

Jul 15, 2025
4 min read

Ready to Secure and Defend Your Data
So Your Business Can Thrive?

Fill out the form to see how we can protect your data and help your business grow.

Loading...
Secure. Defend. Thrive.

Let's start a conversation

Discover more about Agile IT's range of services by reaching out.

Don't want to wait for us to get back to you?

Schedule a Free Consultation

Location

Agile IT Headquarters
4660 La Jolla Village Drive #100
San Diego, CA 92122

Secure. Defend. Thrive.

Don't want to wait for us to get back to you?

Discover more about Agile IT's range of services by reaching out

Schedule a Free Consultation