For troubleshooting purposes, you should disable Extended Protection for Authentication in IIS by following one of these two options:
Option 2 - Use PowerShell to set this at the farm level.
1. Open a PowerShell command window.
2. Load the AD FS PowerShell snap-in:
   Add-PsSnapIn Microsoft.Adfs.Powershell
3. Set AD FS to disable Extended Protection (EPA) at the farm level:
   Set-ADFSProperties -ExtendedProtectionTokenCheck:None
4. Restart AD FS and IIS:
   IISReset
   Net Stop adfssrv
   Net Start adfssrv
You should now be able to capture a Fiddler trace from an AD FS 2.0 scenario, with credentials accepted at the first HTTP 401 challenge.
Be sure to revert your changes once you are finished troubleshooting with Fiddler.
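The farm-level change and its revert can be scripted so the original value is recorded before it is changed and restored afterwards. This is an added example, not part of the original article. It assumes the AD FS 2.0 snap-in and the adfssrv service name; the state-file path and the function names are hypothetical.

```powershell
# Added example: disable Extended Protection for a Fiddler session, then restore it.
# Assumptions: AD FS 2.0 snap-in is installed, the service is named adfssrv,
# and the state-file location below is a hypothetical choice.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

$StateFile = Join-Path $env:TEMP 'adfs-epa-original.txt'   # hypothetical path

function Restart-AdfsStack {
    # Same restart sequence as the manual steps: IIS first, then the AD FS service.
    iisreset | Out-Null
    Restart-Service -Name adfssrv
}

function Disable-EpaForTrace {
    $current = "$((Get-ADFSProperties).ExtendedProtectionTokenCheck)"
    if ($current -eq 'None') {
        Write-Warning 'ExtendedProtectionTokenCheck is already None; nothing was saved or changed.'
        return
    }
    # Record the original value once, so a second run cannot overwrite it with None.
    if (-not (Test-Path $StateFile)) {
        Set-Content -Path $StateFile -Value $current
    }
    Set-ADFSProperties -ExtendedProtectionTokenCheck None
    Restart-AdfsStack
    Write-Host "Extended Protection disabled (was '$current'). Run Restore-Epa when finished."
}

function Restore-Epa {
    if (-not (Test-Path $StateFile)) {
        throw "No saved value at $StateFile; set ExtendedProtectionTokenCheck manually."
    }
    $original = (Get-Content -Path $StateFile -TotalCount 1).Trim()
    Set-ADFSProperties -ExtendedProtectionTokenCheck $original
    Restart-AdfsStack
    # Confirm the farm setting really is back before discarding the saved value.
    $now = "$((Get-ADFSProperties).ExtendedProtectionTokenCheck)"
    if ($now -ne $original) {
        throw "Restore failed: expected '$original' but found '$now'."
    }
    Remove-Item -Path $StateFile
    Write-Host "Extended Protection restored to '$original'."
}
```

Run Disable-EpaForTrace before starting the Fiddler capture and Restore-Epa as soon as the trace is saved.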
We tried to follow the solution but were unable to find the "Extended Protection" setting on our Windows Server 2008 server. According to this post on iis.net:
, the setting was introduced in IIS 7.5. Is there a way to use Fiddler with ADFS that's running IIS 7?
I saw this issue when testing with ADFS and Fiddler on the idpInitiatedSignOn.aspx page. After authenticating to the ADFS site, if Fiddler was already running I would keep getting the credential login box and my credentials would not work. I got around this by checking the "Remember me" box. This way when I choose my relying party it does not try to re-authenticate me.
I put together a blog post on tracing an ADFS response using Fiddler with some screenshots and a few other hints: msinnovations.wordpress.com/.../using-fiddler-to-trace-a-saml-idp-request-from-adfs-2-0.
FYI, a better workaround for this issue will be available in Fiddler v126.96.36.199. blogs.msdn.com/.../fiddler-https-decryption-and-channel-binding-token-authentication-problems.aspx
net stop adfssrv