For troubleshooting purposes, you should disable Extended Protection for Authentication in IIS by following one of these two options:
This can now be set via PowerShell at the farm level easily using PowerShell.
Open PoweShell Command Window
Load ADFS Poweshell SnapIn
Set ADFS to diable EAP at the farm level
Restart ADFS and IIS
Net Stop ADFS
Net Start ADF
You should now be able to successfully capture a Fiddler trace from an AD FS 2.0 scenario and credentials are accepted at the first HTTP 401 challenge.
Be sure to revert your changes once you are finished troubleshooting with Fiddler.
We tried to follow the solution but was unable to find the "Extended Protection" setting on our Windows Server 2008 server. According to this post on iis.net:
, the setting was introduced in IIS 7.5. Is there a way to use Fiddler with ADFS that's running IIS 7?
I saw this issue when testing with ADFS and Fiddler on the idpInitiatedSignOn.aspx page. After authenticating to the ADFS site, if Fiddler was already running I would keep getting the credential login box and my credentials would not work. I got around this by checking the "Remember me" box. This way when I choose my relying party it does not try to re-authenticate me.
I put together a blog post on tracing an ADFS response using Fiddler with some screenshots and a few other hints: msinnovations.wordpress.com/.../using-fiddler-to-trace-a-saml-idp-request-from-adfs-2-0.
FYI, a better workaround for this issue will be available in Fiddler v22.214.171.124. blogs.msdn.com/.../fiddler-https-decryption-and-channel-binding-token-authentication-problems.aspx