howto://disable epa in adfs for o365

So you’re well on your way towards moving your email to the cloud and you’re loving the awesomeness of Office 365. You have DirSync working and ADFS up and running, and everything looks great until some yahoo tries to use Chrome or Firefox and gets spanked with a big ol’ DENIED. You probably use those browsers too, and from home, going through the ADFS proxies, you have no problem, but further investigation shows that nobody on the internal network can use any browser except IE. You do some digging around and have already figured out that it’s Extended Protection for Authentication (EPA) that is smacking you down: internally the browsers use Windows Integrated Authentication, and EPA requires the browser to send a channel binding token along with the Kerberos/NTLM authentication. IE does; the Chrome and Firefox builds of the day don’t, so the ADFS endpoint rejects them. Externally, the proxies use forms-based sign-in, so EPA never comes into play.

You’ve probably also found the TechNet article on turning that off with what appears to be a simple PowerShell command. Did you waste an hour trying to debug the “not recognized” error before you realised you have to load the ADFS PowerShell snap-in first? Did you then try to figure out why the article tells you to run it on every server, only to hit an error telling you it only has to be run on the primary? Want to know how to fix it for realz?

So here’s a couple of assumptions you want to make sure you’re square with. If not, YMMV. In my environment, I deployed an

  • ADFS WID farm using the O365 version of ADFS
  • Installed on 2008R2
  • My FS-Ps are also running 2008R2. Publishing through TMG applies here too.
  • ADFS is running with RU1
  • I am running several federated namespaces with -SupportMultipleDomain
  • Using IE, everything works as expected
  • Using Chrome and Firefox, neither browser can authenticate internally. They get the authentication pop-up repeatedly until cancelled, then the unauthorized page.
  • Externally, Chrome and Firefox work just fine. So does IE.

First, I tried the instructions here http://technet.microsoft.com/en-us/library/hh237448(WS.10).aspx. That article says to run this PowerShell command (the snap-in line is the bit the article leaves out; without it the cmdlet isn’t recognized):

  Add-PSSnapin Microsoft.Adfs.PowerShell
  Set-ADFSProperties -ExtendedProtectionTokenCheck None

on each server in the farm. After opening PowerShell and loading the ADFS snap-in, the cmdlet appears to work. If I then do a Get-ADFSProperties | fl I can see that ExtendedProtectionTokenCheck is None. When I try to run it on the other servers (per the instructions) they error that it only needs to be run on the primary, which makes sense: ADFS properties live in the configuration database, and in a WID farm only the primary can write to it. Testing, users with FF or Chrome still hit the endless loop of auth prompts…the setting didn’t take effect. Restarting ADFS, performing an iisreset, even rebooting…no effect. The reason is that the /adfs/ls endpoint the browsers are hitting is hosted in IIS, and the IIS Windows Authentication module applies its own extended protection setting to that application. That setting lives in the local IIS configuration, not in the ADFS configuration database, so the ADFS property alone doesn’t change what the browsers see.

Below is what to do, at least on the O365 version of ADFS running on 2008R2. It is quick, takes effect instantly, and only needs to be done on the ADFS servers, not on the proxies. Because it is an IIS setting and IIS configuration is local to each box (the WID doesn’t replicate it), repeat it on every federation server in the farm, not just the primary.

  1. Log onto the ADFS server with administrative credentials.
  2. Launch the IIS Management Console.
  3. Browse down to Default Web Site, adfs, ls.
  4. Select ls, then double-click on Authentication, select Windows Authentication, then click Advanced Settings…
  5. From the drop-down box for Extended Protection, select Off.
  6. Click OK. This setting takes effect immediately. No iisreset, no restarting ADFS, it just works. Yay.
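If you would rather script those six clicks (handy when you have several federation servers to touch), here is the same change done from PowerShell with the WebAdministration module. This is an added example, not something from the original post or from Microsoft’s documentation. It assumes ADFS 2.0 on Windows Server 2008 R2 with the ls endpoint installed at the default path under Default Web Site, and that you run it elevated on each federation server in turn. The tokenChecking attribute is what the IIS Manager drop-down labels Extended Protection: None is Off, Allow is Accept, Require is Required.

```powershell
# Added example, not part of the original post. Assumes ADFS 2.0 on Windows Server 2008 R2
# with the /adfs/ls application under "Default Web Site" (the default install path), run
# elevated on EACH federation server: IIS configuration is local to the box and is not
# replicated through the WID configuration database. Federation server proxies are not touched.
Import-Module WebAdministration

$app    = 'Default Web Site/adfs/ls'
$filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

function Get-LsExtendedProtection {
    # Read the current tokenChecking value for the ls application from applicationHost.config.
    # Depending on the IIS version it may come back as the name ("None") or the enum number (0).
    $attr = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $app -Filter $filter -Name tokenChecking
    "$($attr.Value)"
}

Write-Host ("Before: tokenChecking = {0}" -f (Get-LsExtendedProtection))

# Write the change as a <location path="Default Web Site/adfs/ls"> entry in applicationHost.config.
# This is the same edit IIS Manager makes when you pick "Off", and it applies to the next request;
# no iisreset or ADFS service restart is needed.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $app -Filter $filter -Name tokenChecking -Value 'None'

# Verify rather than trust: anything other than None/0 means the write did not take.
$after = Get-LsExtendedProtection
Write-Host ("After:  tokenChecking = {0}" -f $after)
if (@('None', '0') -notcontains $after) {
    throw "Extended Protection on '$app' is still '$after'; check that the section is not locked and that you are running elevated."
}

# For comparison, the farm-wide ADFS property the TechNet article talks about lives in the
# configuration database and can be read from any federation server. It is a separate knob
# from the IIS setting above, which is why changing it alone did not fix the browsers.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
Write-Host ("ADFS ExtendedProtectionTokenCheck = {0}" -f (Get-ADFSProperties).ExtendedProtectionTokenCheck)
```

The script deliberately reads the value back and throws if it isn’t None, because a silently ignored write (a locked windowsAuthentication section, or running without elevation) looks exactly like the original symptom: the setting appears changed somewhere, and the browsers still loop. The equivalent one-liner with appcmd is `appcmd set config "Default Web Site/adfs/ls" -section:system.webServer/security/authentication/windowsAuthentication /extendedProtection.tokenChecking:"None" /commit:apphost` if you prefer not to use the module.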

Try out those third-party browsers, and squee with delight that they work! Now, in all seriousness, EPA is a good thing: it binds the Kerberos/NTLM authentication to the TLS channel it travels over, so a man-in-the-middle who proxies the connection can’t relay the user’s credentials to your ADFS endpoint. Turning it off removes that protection for every internal sign-in to O365, so you really ought to consider requiring it and telling users internally to use IE for access to O365 services, but if that won’t cut it, this is the next best thing. You might even say it’s the sweetest thing.


Direct link for RSS and email subscribers…http://youtu.be/5WybiA263bw

Did this solve your boggle? Leave a comment to let me know, and if you tweet, how’s about a follow? It costs you nothing, and keeps the voices in my head from yelling at me too much.