Is disabling the ADFS ExtendedProtectionTokenCheck setting required for allowing Firefox and Chrome users to authenticate?

  • Question

  • I have an ADFS 3.0 service that I have configured. As part of the configuration I followed a guide I found that allowed clients running Firefox and Chrome to authenticate.

    The first step in the guide is to disable the ExtendedProtectionTokenCheck setting by changing it to None. TechNet defines this setting as:

    ExtendedProtectionTokenCheck

    Specifies the level of extended protection for authentication supported by the federation server. Extended Protection for Authentication helps protect against man-in-the-middle (MITM) attacks, in which an attacker intercepts a client's credentials and forwards them to a server. Protection against such attacks is made possible through a Channel Binding Token (CBT) which can be either required, allowed or not required by the server when establishing communications with clients.

    Possible values for this setting are as follows: "Require" (server is fully hardened, extended protection is enforced), "Allow" (server is partially hardened, extended protection is enforced where the systems involved have been patched to support it) and "None" (server is vulnerable, extended protection is not enforced). The default setting is "Allow".

    I initially tried adding the Mozilla/5.0 user agent without changing ExtendedProtectionTokenCheck but it wouldn't work until setting it to None.

    My concern is that because ADFS is a publicly-exposed service, it's in our best interest to not disable a setting that would aid in preventing MITM attacks.

    Is there a way to allow Firefox and Chrome access to ADFS without disabling this check? 


    Thursday, March 12, 2015 9:04 PM

Answers

All replies

  • Consider using Forms Based authentication instead of Windows-Integrated authentication. That is what I did for our ADFS setup to make it work on all the browsers and devices without tweaking the configurations.

    More if you ask them here: https://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva


    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK


    Thursday, March 12, 2015 11:29 PM
  • Ahh, yes, that's a more appropriate forum. Perhaps a mod can move this thread?

    Actually, the preference is to use the login form. Do you happen to have a link to the documentation for configuring it this way?

    Thank you!


    Friday, March 13, 2015 2:35 AM
  • You can use the Form-based authentication by updating the file mentioned here: http://social.technet.microsoft.com/wiki/contents/articles/1600.ad-fs-2-0-how-to-change-the-local-authentication-type.aspx

    It needs to be done on all the ADFS servers you have.


    Ahmed MALEK

    Friday, March 13, 2015 10:30 AM
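The wiki article linked above describes the ADFS 2.0 approach (editing a configuration file on each federation server). On ADFS 3.0, which the question concerns, the same outcome is reached with the ADFS PowerShell cmdlets, and the script below is an added example (not code from the thread or from Microsoft) of the defender-side alternative the question is asking for: keep ExtendedProtectionTokenCheck at its default of Allow, stop handing Windows Integrated Authentication to every "Mozilla/5.0" browser, and let Firefox and Chrome fall through to the forms-based logon page instead. It assumes an elevated session on a Windows Server 2012 R2 federation server with the ADFS module available; the cmdlets, parameters and provider names used are real, but the check-before-change logic and the 'Mozilla/5.0' cleanup are this example's own.

```powershell
# Added example, not from the original thread. Run on every ADFS 3.0 farm node.
Import-Module ADFS

# 1. Audit the current state before changing anything.
$props = Get-AdfsProperties
"ExtendedProtectionTokenCheck : $($props.ExtendedProtectionTokenCheck)"
"WIASupportedUserAgents       : $($props.WIASupportedUserAgents -join ', ')"

# 2. Never leave the channel-binding check at None. 'Allow' (the default) keeps
#    Extended Protection enforced for clients that support it and still admits
#    older clients that do not, so it is the safe setting for an internet-facing farm.
if ($props.ExtendedProtectionTokenCheck -eq 'None') {
    Set-AdfsProperties -ExtendedProtectionTokenCheck Allow
}

# 3. Make sure forms-based authentication is offered: as the only extranet
#    provider, and alongside Windows authentication on the intranet so that
#    browsers outside the WIA user-agent list get the logon form instead of a
#    401 challenge they cannot complete.
$policy = Get-AdfsGlobalAuthenticationPolicy
if ($policy.PrimaryIntranetAuthenticationProvider -notcontains 'FormsAuthentication') {
    Set-AdfsGlobalAuthenticationPolicy `
        -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication', 'FormsAuthentication')
}
if ($policy.PrimaryExtranetAuthenticationProvider -notcontains 'FormsAuthentication') {
    Set-AdfsGlobalAuthenticationPolicy -PrimaryExtranetAuthenticationProvider 'FormsAuthentication'
}

# 4. Undo the guide's 'Mozilla/5.0' entry, if present. That string matches
#    practically every modern browser, which is what forced WIA (and therefore
#    the Extended Protection requirement) onto Firefox and Chrome in the first place.
$agents = @($props.WIASupportedUserAgents | Where-Object { $_ -ne 'Mozilla/5.0' })
if ($agents.Count -ne $props.WIASupportedUserAgents.Count) {
    Set-AdfsProperties -WIASupportedUserAgents $agents
}

# 5. Property changes take effect after the service restarts; confirm the result.
Restart-Service adfssrv
(Get-AdfsProperties).ExtendedProtectionTokenCheck   # expected: Allow
```

Run the script on each node of the farm, as the reply above notes; Get-AdfsProperties afterwards should report Allow, and a Firefox or Chrome user hitting the federation service should now see the forms logon page while domain-joined Internet Explorer clients continue to sign in silently with Windows authentication and channel binding intact.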
  • Hi Jason,

    We are currently not able to move threads to MSDN forums without permission from Moderators there, my apologies for any inconvenience caused by this.

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, March 19, 2015 3:43 AM
    Moderator