When using Fiddler Web Debugger to troubleshoot an AD FS 2.0 scenario, you are continuously prompted for credentials by the AD FS 2.0 Federation Server. This prompt comes in the form of an HTTP 401 challenge dialog box.


By default, AD FS 2.0 utilizes Extended Protection for Authentication (EPA) in IIS. EPA binds the Windows authentication exchange to the TLS session (a channel binding token), and because Fiddler terminates the client's TLS connection and opens its own to the server, the token the client presents does not match the channel the server sees. When EPA is turned on, the client browser therefore cannot successfully authenticate while Fiddler is proxying all requests.


For troubleshooting purposes, you should disable Extended Protection for Authentication in IIS by following one of these two options:

Option 1 - IIS Manager on each ADFS server in the farm
  • Start > Administrative Tools > IIS Manager
  • Expand: <server-name>, Sites, Default Web Site, and adfs
  • Select the ls application and double-click Authentication
  • Select Windows Authentication and select Advanced Settings...
  • Set Extended Protection to Off and click OK

Option 2 - Use PowerShell to set this at the farm level.

  1. Open PowerShell Command Window
  2. Load the ADFS PowerShell snap-in
    Add-PSSnapin Microsoft.Adfs.PowerShell
  3. Set ADFS to disable EPA at the farm level (valid values are None, Allow and Require)
    Set-ADFSProperties -ExtendedProtectionTokenCheck:None
  4. Restart IIS and the AD FS 2.0 Windows Service (service name adfssrv)
    • IISReset
    • Net Stop adfssrv
    • Net Start adfssrv

You should now be able to successfully capture a Fiddler trace from an AD FS 2.0 scenario, and the credentials are accepted at the first HTTP 401 challenge.

Be sure to revert your changes once you are finished troubleshooting with Fiddler, since with the token check set to None the federation server no longer verifies that the authentication is bound to the TLS channel it was received on.
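The following script is an added example and is not part of the original article or the AD FS product: it wraps Option 2 and the final revert step so that the original ExtendedProtectionTokenCheck value is recorded before it is changed, the change is verified from both the farm and the local IIS view, and a single function puts the setting back when the Fiddler session is over. It assumes it runs elevated on an AD FS 2.0 federation server, that the AD FS 2.0 Windows Service name is adfssrv, and that the IIS WebAdministration module is available for the optional per-server check; the state-file path under $env:TEMP is an arbitrary choice.

```powershell
# Added example, not from the original article. Records the farm-level EPA
# setting, relaxes it for a Fiddler capture, verifies, and restores it later.
# Assumptions: elevated PowerShell on an AD FS 2.0 federation server,
# service name "adfssrv", WebAdministration module present for the IIS check.

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration -ErrorAction SilentlyContinue

# Arbitrary location used to remember the pre-change value (assumption)
$stateFile = Join-Path $env:TEMP 'adfs-epa-original.txt'

function Get-FarmEpaLevel {
    # Farm-wide setting: None, Allow or Require
    (Get-ADFSProperties).ExtendedProtectionTokenCheck.ToString()
}

function Get-LocalIisEpaLevel {
    # Per-server view: tokenChecking on the adfs/ls application in IIS
    $psPath = 'IIS:\Sites\Default Web Site\adfs\ls'
    $filter = '/system.webServer/security/authentication/windowsAuthentication/extendedProtection'
    $attr = Get-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name tokenChecking
    if ($attr -is [string]) { $attr } else { $attr.Value }
}

function Restart-AdfsStack {
    # Same restart sequence as the article: IIS first, then the AD FS service
    iisreset | Out-Null
    Restart-Service -Name adfssrv
}

function Disable-EpaForFiddler {
    $original = Get-FarmEpaLevel
    # Only save the first time, so a repeated run cannot overwrite the real original
    if (-not (Test-Path $stateFile)) { Set-Content -Path $stateFile -Value $original }
    Write-Host "Farm EPA token check before change : $original"
    Set-ADFSProperties -ExtendedProtectionTokenCheck None
    Restart-AdfsStack
    Write-Host "Farm EPA token check after change  : $(Get-FarmEpaLevel)"
    Write-Host "Local IIS adfs/ls tokenChecking    : $(Get-LocalIisEpaLevel)"
}

function Restore-Epa {
    if (-not (Test-Path $stateFile)) { throw "No saved EPA state found at $stateFile" }
    $original = (Get-Content -Path $stateFile | Select-Object -First 1).Trim()
    Set-ADFSProperties -ExtendedProtectionTokenCheck $original
    Restart-AdfsStack
    Remove-Item -Path $stateFile
    Write-Host "Farm EPA token check restored to   : $(Get-FarmEpaLevel)"
}

# Usage: run Disable-EpaForFiddler before the capture, Restore-Epa afterwards.
```

Keeping the saved value in a file rather than a variable means the revert still works from a new console after the capture session, and the IIS read gives a quick way to confirm on each farm member that the relaxed setting actually reached the adfs/ls application before you start Fiddler.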