Tracing ADFS requests/responses using Fiddler: repeated credentials prompts issue


If you keep getting prompted for credentials while using Fiddler to trace requests and responses to ADFS, the likely cause is "Extended protection" being enabled for Windows Authentication on the ADFS endpoint you are using. Fiddler sits between the client and ADFS as an HTTPS proxy, so the channel the client authenticates over is no longer the one ADFS terminates, and the authentication fails.

What is happening is well described here:

At times you may see ADFS repeatedly prompting for credentials. This could be related to "Extended protection" that is enabled for Windows Authentication for the ADFS/LS application. In IIS, when Extended Protection for Windows Authentication is enabled, authentication requests are bound to both the Service Principal Name (SPN) of the server to which the client tries to connect and to the outer Transport Layer Security (TLS) channel over which Integrated Windows Authentication happens. Extended protection enhances the existing Windows Authentication functionality to mitigate authentication relay or "man in the middle" attacks. Certain browsers/Fiddler cannot work with "Extended protection"; it would throw repeated prompts followed by access denied. Disabling "Extended protection" helps in such scenarios.

You may also be interested in reading this blog post:

http://blogs.msdn.com/b/fiddler/archive/2010/10/15/fiddler-https-decryption-and-channel-binding-token-authentication-problems.aspx

and this other post:

https://msinnovations.wordpress.com/2011/05/24/using-fiddler-to-trace-a-saml-idp-request-from-adfs-2-0/

On ADFS 2.0 you may disable "Extended protection" as described here. Alternatively, on ADFS 2.0, 2.1 and 3.0 you may use the following PowerShell command (the parameter accepts None, Allow or Require):

  Set-ADFSProperties -ExtendedProtectionTokenCheck None

as described here. Remember that this setting exists to mitigate authentication relay attacks, so set it back to its previous value once the trace is done.
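The following script is an added example and is not part of the original post. It records the current setting, disables the token check only for the duration of the Fiddler trace, and then restores the original value. It assumes it is run elevated on the federation server and that the AD FS cmdlets are available as the Microsoft.Adfs.PowerShell snap-in (ADFS 2.0/2.1) or the ADFS module (ADFS 3.0).

```powershell
# Added example, not from the original post.
# Assumes: elevated session on the federation server; AD FS cmdlets available
# either as the Microsoft.Adfs.PowerShell snap-in (ADFS 2.0/2.1) or the ADFS module (ADFS 3.0).

# Load the cmdlets: snap-in on ADFS 2.0/2.1, module on ADFS 3.0.
if (Get-PSSnapin -Registered -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
} else {
    Import-Module ADFS -ErrorAction Stop
}

# 1. Record the current value so it can be restored after the trace.
$original = (Get-AdfsProperties).ExtendedProtectionTokenCheck
Write-Host "Current ExtendedProtectionTokenCheck: $original"

# 2. Disable the channel-binding token check only while tracing.
#    Valid values are None, Allow and Require.
if ($original -ne 'None') {
    Set-AdfsProperties -ExtendedProtectionTokenCheck None
    Write-Host "Extended protection disabled. Run the Fiddler trace now."
} else {
    Write-Host "Extended protection is already disabled; no change made."
}

# Capture the trace with Fiddler, then continue.
Read-Host "Press Enter when the trace is complete to restore the original setting" | Out-Null

# 3. Restore the previous value. Leaving it at None removes the relay-attack
#    mitigation that Extended Protection provides.
Set-AdfsProperties -ExtendedProtectionTokenCheck $original
$restored = (Get-AdfsProperties).ExtendedProtectionTokenCheck
Write-Host "Restored ExtendedProtectionTokenCheck to: $restored"
if ($restored -ne $original) {
    Write-Warning "Setting was not restored; expected $original but found $restored."
}
```

The restore step is deliberate: a federation server left with the check at None accepts Integrated Windows Authentication that is not bound to the TLS channel, which is exactly the relay scenario the feature is meant to block.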

 

