AD FS 2.0: Continuously Prompted for Credentials While Using Fiddler Web Debugger

AD FS 2.0: Continuously Prompted for Credentials While Using Fiddler Web Debugger


When using Fiddler Web Debugger to troubleshoot an AD FS 2.0 scenario, you are continuously prompted for credentials by the AD FS 2.0 Federation Server. This prompt comes in the form of a HTTP 401 challenge dialog box.


By default, AD FS 2.0 utilizes Extended Protection for Authentication (EPA) in IIS. When this is turned on, the client browser cannot successfully authenticate while Fiddler is proxying all requests.


For troubleshooting purposes, you should disable Extended Protection for Authentication in IIS by following one of these two options:

Option 1  - IIS Manger on each ADFS server in the farm
  • Start > Administrative Tools > IIS Manager
  • Expand: <server-name>, Sites, Default Web Site, and adfs
  • Select the ls application and double-click Authentication
  • Select Windows Authentication and select Advanced Settings....
  • Set Extended Protection to Off and click OK

This can now be set via PowerShell at the farm level easily using PowerShell.  

  1. Open PoweShell Command Window
  2. Load ADFS Poweshell SnapIn
    Add-PsSnapIn Microsoft.Adfs.Powershell
  3. Set ADFS to diable EAP at the farm level
    Set-ADFSProperties -ExtendedProtectionTokenCheck:None
  4. Restart ADFS and IIS
    • IISReset
    • Net Stop ADFS
    • Net Start ADFS

You should now be able to successfully capture a Fiddler trace from an AD FS 2.0 scenario and credentials are accepted at the first HTTP 401 challenge.

Be sure to revert your changes once you are finished troubleshooting with Fiddler.

Leave a Comment
  • Please add 1 and 1 and type the answer here:
  • Post
Wiki - Revision Comment List(Revision Comment)
  • Agile IT - John edited Revision 1. Comment: Powershell steps

Page 1 of 1 (1 items)
Wikis - Comment List
Posting comments is temporarily disabled until 10:00am PST on Saturday, December 14th. Thank you for your patience.
Page 1 of 1 (5 items)