When using NTLM authentication to AD FS 2.0 from Google Chrome or Firefox 3.5+ running on Windows, this results in a repeated sign-in dialog and finally sign-in failure, with 'Audit Failure' events showing "Status: 0xc000035b".
This can be 'solved' by switching off 'Extended Protection' for the "/adfs/ls" web application in IIS. This is documented in several places; see my answer to another StackOverflow question for details.
My question is: How can one make NTLM authentication to AD FS work for these browsers without switching off 'Extended Protection'? I mean, in Internet Explorer this works fine with 'Extended Protection' on, why don't Chrome or Firefox? Or is this a Chrome/Firefox implementation bug/restriction, e.g., in their use of the Windows NTLM library?
Update: I should have mentioned that I'd like to do this without forcing people to make changes in their browser settings.
ADFS allows clients to authenticate using NTLM authentication through the WIA mechanism, which I discovered is identical to the MS-NTHT [1] (NTLM over HTTP) authentication protocol.
The NTLM authentication protocols authenticate users and computers based on a challenge/response mechanism that proves to a server or domain controller that a user knows the password associated with an account.
Click down to “Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options”. Find the policy “Network Security: LAN Manager authentication level”. Right-click on this policy and choose “Properties”. Choose “Send NTLMv2 response only/refuse LM & NTLM”.
NTLM (Windows Challenge/Response) is the authentication protocol used on networks that include systems running the Windows operating system and on stand-alone systems.
According to the linked source, this is a Chrome / Firefox / Safari implementation restriction if ExtendedProtectionTokenCheck is set to Require or Allow.
Maybe you can suppress Extended Protection on your clients with this: http://support.microsoft.com/kb/976918/en-us
[...]
To control the extended protection behavior, create the following registry subkey:
Key Name: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
Value Name: SuppressExtendedProtection
Type: DWORD
For Windows clients that support channel binding that are failing to be authenticated by non-Windows Kerberos servers that do not handle the CBT correctly:
1. Set the registry entry value to “0x01.” This will configure Kerberos not to emit CBT tokens for unpatched applications.
2. If that does not resolve the problem, then set the registry entry value to “0x03.” This will configure Kerberos never to emit CBT tokens.
[...]
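The two settings the answers above tie to this failure live on different machines: ExtendedProtectionTokenCheck on the AD FS 2.0 server and the SuppressExtendedProtection value from KB 976918 on the Windows client. The following PowerShell audit, an added example that is not from the question, the answers or Microsoft, reads both and reports what each means for channel binding without changing anything; it assumes the AD FS 2.0 snap-in (Microsoft.Adfs.PowerShell) on the server and read access to the LSA key on the client.

```powershell
# Added example: audit Extended Protection state on the AD FS 2.0 server and on
# a Windows client. Read-only; written to run on PowerShell 2.0 (Server 2008 R2 era).

function Get-AdfsExtendedProtectionState {
    # Server side: ExtendedProtectionTokenCheck is None, Allow or Require.
    # Assumes the AD FS 2.0 snap-in is installed on this machine.
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
    $value = (Get-ADFSProperties).ExtendedProtectionTokenCheck
    if (@('Allow', 'Require') -contains $value) {
        # This is the condition the answer above links to the Chrome/Firefox sign-in loop.
        $meaning = "$value : channel binding token checked; non-IE browsers may loop at sign-in"
    } else {
        $meaning = "$value : channel binding token not checked"
    }
    New-Object PSObject -Property @{
        Side = 'Server'; Setting = 'ExtendedProtectionTokenCheck'; Value = $value; Meaning = $meaning
    }
}

function Get-ClientSuppressExtendedProtection {
    # Client side: the DWORD from KB 976918. Absent or 0 means the client still emits CBTs.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA'
    $item = Get-ItemProperty -Path $key -Name SuppressExtendedProtection -ErrorAction SilentlyContinue
    if ($item) { $value = [int]$item.SuppressExtendedProtection } else { $value = $null }

    if ($value -eq $null -or $value -eq 0) { $meaning = 'not set or 0 : CBT emitted (default, strongest)' }
    elseif ($value -eq 1) { $meaning = '1 : CBT not emitted for unpatched applications (KB 976918 step 1)' }
    elseif ($value -eq 3) { $meaning = '3 : CBT never emitted (KB 976918 step 2, weakest)' }
    else                  { $meaning = "$value : value not documented in KB 976918" }

    New-Object PSObject -Property @{
        Side = 'Client'; Setting = 'SuppressExtendedProtection'; Value = $value; Meaning = $meaning
    }
}

function Invoke-ExtendedProtectionAudit {
    # Runs whichever side applies to this machine; the server check is skipped
    # where Get-ADFSProperties is not available.
    $results = @()
    if (Get-Command Get-ADFSProperties -ErrorAction SilentlyContinue) {
        $results += Get-AdfsExtendedProtectionState
    }
    $results += Get-ClientSuppressExtendedProtection
    $results | Format-Table Side, Setting, Value, Meaning -AutoSize
}

Invoke-ExtendedProtectionAudit
```

Run it on the AD FS server and on an affected client; a server showing Allow or Require together with a client showing "not set or 0" is exactly the combination the question describes, and lowering either side trades relay protection for browser compatibility.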