Home/ Questions/Q 6202599
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-24T04:45:50+00:00

When using NTLM authentication to AD FS 2.0, from Google Chrome or Firefox 3.5+

  • 0

When using NTLM authentication to AD FS 2.0, from Google Chrome or Firefox 3.5+ running on Windows, then this results in a repeated sign-in dialog and finally sign-in failure, with ‘Audit Failure’ events with “Status: 0xc000035b”.

This can be ‘solved’ by switching off ‘Extended Protection’ for the “/adfs/ls” web application in IIS. This is documented in several places; see my answer to another StackOverflow question for details.

My question is: How can one make NTLM authentication to AD FS work for these browsers without switching off ‘Extended Protection’? I mean, in Internet Explorer this works fine with ‘Extended Protection’ on, why don’t Chrome or Firefox? Or is this a Chrome/Firefox implementation bug/restriction, e.g., in their use of the Windows NTLM library?

Update: I should have mentioned that I’d like to do this without forcing people to make changes in their browser settings.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    According to

    this is a Chrome / Firefox / Safari implementation restriction if

    • the client is running Windows 7 and the server has ExtendedProtectionTokenCheck set to
      Require or Allow
    • the client is running Windows XP or Vista – without appropriate updates(!) and the server has ExtendedProtectionTokenCheck set to
      Require

    Maybe you can suppress Extended Protection on your clients with this:
    http://support.microsoft.com/kb/976918/en-us

    […]
    To control the extended protection behavior, create the following
    registry subkey:
    Key Name: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
    Value Name: SuppressExtendedProtection
    Type: DWORD

    For Windows clients that support channel binding that are failing to
    be authenticated by non-Windows Kerberos servers that do not handle
    the CBT correctly:
    1. Set the registry entry value to “0x01.”
    This will
    configure Kerberos not to emit CBT tokens for unpatched applications.
    2. If that does not resolve the problem, then set the registry entry
    value to “0x03.”
    This will configure Kerberos never to emit CBT
    tokens.

    […]

    • 0