NTLM authentication to AD FS for non-IE browser without 'Extended Protection' switched off?

Question

When using NTLM authentication to AD FS 2.0, from Google Chrome or Firefox 3.5+ running on Windows, then this results in a repeated sign-in dialog and finally sign-in failur

Answer 1

Extended Protection was designed to prevent kerberos ticket replay attacks.

As I understand it, it works in IE because the default for ADFS is Windows Integrated Authentication which IE handles "under the hood".

When I investigated this a while back, if I remember correctly, there is a workaround for Firefox.

Answer 2

According to

• http://technet.microsoft.com/en-us/library/hh237448(v=ws.10).aspx
• http://support.microsoft.com/kb/2461628/en-us

this is a Chrome / Firefox / Safari implementation restriction if

• the client is running Windows 7 and the server has ExtendedProtectionTokenCheck set to Require or Allow
• the client is running Windows XP or Vista - without appropriate updates(!) and the server has ExtendedProtectionTokenCheck set to Require

Maybe you can suppress Extended Protection on your clients with this: http://support.microsoft.com/kb/976918/en-us

[...]
To control the extended protection behavior, create the following registry subkey:
Key Name: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
Value Name: SuppressExtendedProtection
Type: DWORD

For Windows clients that support channel binding that are failing to be authenticated by non-Windows Kerberos servers that do not handle the CBT correctly:
1. Set the registry entry value to “0x01.”
This will configure Kerberos not to emit CBT tokens for unpatched applications.
2. If that does not resolve the problem, then set the registry entry value to “0x03.”
This will configure Kerberos never to emit CBT tokens.

[...]