For troubleshooting purposes, you should disable Extended Protection for Authentication in IIS by following one of these two options:
This can now be set easily at the farm level using PowerShell.
1. Open a PowerShell command window.
2. Load the AD FS PowerShell snap-in:
   Add-PsSnapIn Microsoft.Adfs.Powershell
3. Set AD FS to disable Extended Protection for Authentication at the farm level:
   Set-ADFSProperties -ExtendedProtectionTokenCheck:None
4. Restart AD FS and IIS:
   IISReset
   Net Stop adfssrv
   Net Start adfssrv
You should now be able to successfully capture a Fiddler trace from an AD FS 2.0 scenario and credentials are accepted at the first HTTP 401 challenge.
Be sure to revert your changes once you are finished troubleshooting with Fiddler.
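The script below is an added example, not part of the original article: it records the farm's current ExtendedProtectionTokenCheck value before setting it to None, so the revert step restores exactly what was configured before troubleshooting. The -Action and -StateFile parameters, the state-file path and the function name are hypothetical, and adfssrv is assumed to be the service name of the AD FS 2.0 Windows Service.

```powershell
# Added example (not from the original page). Run elevated on the AD FS 2.0 server.
param(
    [ValidateSet('Disable', 'Restore')]
    [string]$Action = 'Disable',
    # Hypothetical location for remembering the pre-troubleshooting value.
    [string]$StateFile = "$env:ProgramData\adfs-eptc-previous.txt"
)

# Load the snap-in only if this session does not already have it.
if (-not (Get-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
}

function Restart-AdfsAndIis {
    iisreset | Out-Null
    Restart-Service adfssrv   # assumed service name of the AD FS 2.0 Windows Service
}

$current = [string](Get-ADFSProperties).ExtendedProtectionTokenCheck

if ($Action -eq 'Disable') {
    if ($current -eq 'None') {
        Write-Warning "ExtendedProtectionTokenCheck is already None; nothing changed."
        return
    }
    # Keep the original value so a second run cannot overwrite it with 'None'.
    if (-not (Test-Path $StateFile)) { Set-Content -Path $StateFile -Value $current }
    Set-ADFSProperties -ExtendedProtectionTokenCheck None
    Restart-AdfsAndIis
    Write-Warning "Extended Protection is off (was '$current'). Run with -Action Restore when done."
}
else {
    if (-not (Test-Path $StateFile)) { throw "No saved value at $StateFile; set the value manually." }
    $previous = (Get-Content $StateFile | Select-Object -First 1).Trim()
    # Only accept the values the setting is known to take.
    if (@('Require', 'Allow', 'None') -notcontains $previous) {
        throw "Unexpected saved value '$previous' in $StateFile."
    }
    Set-ADFSProperties -ExtendedProtectionTokenCheck $previous
    Restart-AdfsAndIis
    # Read the setting back to confirm the farm is protected again.
    $now = [string](Get-ADFSProperties).ExtendedProtectionTokenCheck
    if ($now -ne $previous) { throw "Restore failed: value is '$now', expected '$previous'." }
    Remove-Item $StateFile
    Write-Output "ExtendedProtectionTokenCheck restored to '$now'."
}
```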
Agile IT - John edited Revision 1. Comment: Powershell steps
FYI, a better workaround for this issue will be available in Fiddler v2.3.6.1. blogs.msdn.com/.../fiddler-https-decryption-and-channel-binding-token-authentication-problems.aspx
I put together a blog post on tracing an ADFS response using Fiddler with some screenshots and a few other hints: msinnovations.wordpress.com/.../using-fiddler-to-trace-a-saml-idp-request-from-adfs-2-0.
I saw this issue when testing with ADFS and Fiddler on the idpInitiatedSignOn.aspx page. After authenticating to the ADFS site, if Fiddler was already running I would keep getting the credential login box and my credentials would not work. I got around this by checking the "Remember me" box. This way when I choose my relying party it does not try to re-authenticate me.
Hello,
We tried to follow the solution but were unable to find the "Extended Protection" setting on our Windows Server 2008 server. According to this post on iis.net (www.iis.net/.../extendedProtection), the setting was introduced in IIS 7.5. Is there a way to use Fiddler with ADFS that's running IIS 7?
Thanks,
Martin