Disable Extended Protection in ADFS 2.0 (for Office 365) to allow IE, Google Chrome and Firefox to Authenticate Using NTLM

    You must disable Extended Protection in ADFS 2.0 (Office 365 SSO) to allow IE, Google Chrome and Firefox to Authenticate Using NTLM when using reverse proxies such as TMG and UAG…or external employee access. To learn about the security implications of disabling Extended Protection, you can read the Microsoft security advisory here.

    In the past, this was a manual process on each server in the farm (for example, this process). ADFS 2.0 requires you to disable IIS Windows extended protection on the ADFS virtual directory “LS”.

    This can now be set via PowerShell at the farm level easily using PowerShell.

    1. Open PoweShell Command Window
    2. Load ADFS Poweshell SnapIn Add-PsSnapIn Microsoft.Adfs.Powershell
    3. Set ADFS to diable EAP at the farm level Set-ADFSProperties -ExtendedProtectionTokenCheck
    4. Restart ADFS and IIS
      • IISReset
      • Net Stop ADFS
      • Net Start ADFS

    Hope this helps!

    PS – Uploaded to the wiki here.

    Looking for further help? Please check us out for your Managed Service or Cloud Consulting needs.

    Published on: .

    This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.

    How can we help?


    Let's start a conversation

    location Agile IT Headquarters
    4660 La Jolla Village Drive #100
    San Diego, CA 92122

    telephone-icon + 1 (619) 292-0800 mail-icon Sales@AgileIT.com

    Don’t want to wait for us to get back to you?