Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

NTLM authentication to AD FS for non-IE browser without 'Extended Protection' switched off?

Tags:

google-chrome

firefox

adfs2.0

ntlm

adfs

When using NTLM authentication to AD FS 2.0, from Google Chrome or Firefox 3.5+ running on Windows, then this results in a repeated sign-in dialog and finally sign-in failure, with 'Audit Failure' events with "Status: 0xc000035b".

This can be 'solved' by switching off 'Extended Protection' for the "/adfs/ls" web application in IIS. This is documented in several places; see my answer to another StackOverflow question for details.

My question is: How can one make NTLM authentication to AD FS work for these browsers without switching off 'Extended Protection'? I mean, in Internet Explorer this works fine with 'Extended Protection' on, why don't Chrome or Firefox? Or is this a Chrome/Firefox implementation bug/restriction, e.g., in their use of the Windows NTLM library?

Update: I should have mentioned that I'd like to do this without forcing people to make changes in their browser settings.

like image 289
MarnixKlooster ReinstateMonica Avatar asked Jun 10 '11 16:06

MarnixKlooster ReinstateMonica

People also ask

Does ADFS support NTLM?

ADFS allows clients to authenticate using NTLM authentication through the WIA mechanism, which I discovered is identical to the MS-NTHT [1] (NTLM over HTTP) authentication protocol.

What is NTLM authentication in Active Directory?

The NTLM authentication protocols authenticate users and computers based on a challenge/response mechanism that proves to a server or domain controller that a user knows the password associated with an account.

How do I force NTLM authentication?

Click down to “Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. Find the policy “Network Security: LAN Manager authentication level”. Right click on this policy and choose “Properties”. Choose “Send NTLMv2 response only/refuse LM & NTLM”.

Is NTLM the same as Windows authentication?

NTLM (Windows Challenge/Response) is the authentication protocol used on networks that include systems running the Windows operating system and on stand-alone systems.

1 Answers

According to

  • http://technet.microsoft.com/en-us/library/hh237448(v=ws.10).aspx
  • http://support.microsoft.com/kb/2461628/en-us

this is a Chrome / Firefox / Safari implementation restriction if

  • the client is running Windows 7 and the server has ExtendedProtectionTokenCheck set to Require or Allow
  • the client is running Windows XP or Vista - without appropriate updates(!) and the server has ExtendedProtectionTokenCheck set to Require

Maybe you can suppress Extended Protection on your clients with this: http://support.microsoft.com/kb/976918/en-us

[...]
To control the extended protection behavior, create the following registry subkey:
Key Name: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
Value Name: SuppressExtendedProtection
Type: DWORD

For Windows clients that support channel binding that are failing to be authenticated by non-Windows Kerberos servers that do not handle the CBT correctly:
1. Set the registry entry value to “0x01.”
This will configure Kerberos not to emit CBT tokens for unpatched applications.
2. If that does not resolve the problem, then set the registry entry value to “0x03.”
This will configure Kerberos never to emit CBT tokens.

[...]

like image 178
oleschri Avatar answered Sep 20 '22 23:09

oleschri
Sign in to Comment

Related questions

CSS display:flex align-items:baseline not working in Firefox
how to make screen readers read entire page when angular changes states?
Post back not working in Firefox for asp.net(C#) pages
How to view this svg file on a Mac?
WebRTC: Renegotiation in firefox
Firefox disable the add on I'm developing
new Date() shows differents results in Chrome or Firefox
Browser support for class syntax in Javascript [duplicate]
How to test an unsigned Firefox extension?
Firefox: calc() invalid property value
CORS issue with Spring Boot
1px calculation issue with browsers (sub-pixel problems)
visiblity:hidden of table-cell hides background-color of parent table-row
How to perform a background load and scraping of a page with XUL/Firefox Extension
how to set a cookie in the address bar?
Alternative to Fiddler? [closed]
Can you get a list of Firefox add-ons programmatically
HTML5 LocalStorage size
Why is box sizing set to border-box for tables in Firefox?
Detect when scrollable div is "focused" in Firefox?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!