Resolve Problems Using ADFS with Chrome or Firefox Browsers

If Microsoft Active Directory Federation Services (ADFS) appears to work with Internet Explorer but problems occur with Chrome, Firefox, Safari, or other browsers (for example, the ADFS login prompt keeps reappearing), the ExtendedProtectionTokenCheck on the ADFS server might need to be disabled.

Disabling this feature somewhat weakens protection against man-in-the-middle attacks, because Extended Protection ties the Windows authentication to the TLS channel it arrives on. If turning off this feature is not acceptable (check with your AD/ADFS administrator), Internet Explorer might be the only browser available.

This feature is disabled only on the ADFS server; users do not have to change anything in their browser.

This topic applies to versions of ADFS that are currently supported by Microsoft.

To disable the ExtendedProtectionTokenCheck on the ADFS server:

  1. Open the Windows PowerShell window (under Administrative Tools).
  2. Run the following command: Set-ADFSProperties -ExtendedProtectionTokenCheck None
  3. Close the PowerShell window.
  4. Open the Internet Information Services (IIS) Manager (under Administrative Tools).
  5. Expand the Web Server node (left side), and then expand Sites > Default Web Site > adfs. Select the ls node.
  6. Double-click Authentication under IIS.
  7. Right-click Windows Authentication, and then select Advanced Settings.
  8. Change the selection under Extended Protection to Off.
  9. Close the IIS Manager.
  10. Restart both the IIS and ADFS services.
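The same procedure as one script, added here as an example and not part of the original article. It records the settings before the change so they can be reverted, applies steps 2, 4-8 and 10, and verifies the result. It assumes an elevated PowerShell window on the ADFS server, an IIS-hosted ADFS farm whose application is at "Default Web Site/adfs/ls" (the $site value; adjust if yours differs), and that the WebAdministration module is installed.

```powershell
# Added example, not from the original article: steps 2, 4-8 and 10 as a script
# with a before/after check so the change is recorded and reversible.
# Assumes: elevated PowerShell on the ADFS server, IIS-hosted ADFS at $site,
# WebAdministration module available.

# ADFS 2.0 ships its cmdlets as a snap-in; later versions load the ADFS module automatically.
if (-not (Get-Command Set-AdfsProperties -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}
Import-Module WebAdministration

$site    = 'Default Web Site/adfs/ls'   # assumption: adjust to your ADFS web application path
$apphost = 'MACHINE/WEBROOT/APPHOST'
$filter  = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

# Record the current values first: this is a security-relevant change, keep the evidence.
$adfsBefore = (Get-AdfsProperties).ExtendedProtectionTokenCheck
$iisBefore  = (Get-WebConfiguration -PSPath $apphost -Location $site -Filter $filter).tokenChecking
Write-Host "Before: ADFS=$adfsBefore IIS=$iisBefore"

# Step 2: relax the token check at the ADFS layer.
Set-AdfsProperties -ExtendedProtectionTokenCheck None

# Steps 4-8: the same setting at the IIS layer. In IIS Manager, Off/Accept/Required
# correspond to tokenChecking values None/Allow/Require.
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $filter `
    -Name 'tokenChecking' -Value 'None'

# Step 10: restart IIS and the ADFS Windows service.
iisreset
Restart-Service adfssrv

# Verify: both layers must read None, otherwise non-IE browsers keep looping on the login prompt.
$adfsAfter = (Get-AdfsProperties).ExtendedProtectionTokenCheck
$iisAfter  = (Get-WebConfiguration -PSPath $apphost -Location $site -Filter $filter).tokenChecking
if ($adfsAfter -ne 'None' -or $iisAfter -ne 'None') {
    throw "Extended Protection is still enabled (ADFS=$adfsAfter IIS=$iisAfter)"
}
Write-Host "After: ADFS=$adfsAfter IIS=$iisAfter"
```

To revert, run the same two Set- commands with the recorded $adfsBefore and $iisBefore values and restart the services again.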