You deploy an Active Directory Federation Services (AD FS) infrastructure. The infrastructure uses Active
Directory as the attribute store. All servers run Windows Server 2012 R2.
Some users report that they fail to authenticate to the AD FS infrastructure.
You discover that only users who run third-party web browsers experience issues.
You need to ensure that all of the users can authenticate to the AD FS infrastructure successfully.
Which Windows PowerShell command should you run?
A. Set-ADFSProperties -ProxyTrustTokenLifetime 1:00:00
B. Set-ADFSProperties -AddProxyAuthenticationRulesNone
C. Set-ADFSProperties -SSOLifetime 1:00:00
D. Set-ADFSProperties -ExtendedProtectionTokenCheck None
Explanation:
Certain client browser software, such as Firefox, Chrome, and Safari, does not support the Extended Protection for Authentication capabilities that can be used across the Windows platform to protect against man-in-the-middle attacks. To prevent this type of attack from occurring over secure AD FS communications, AD FS 2.0
enforces (by default) that all communications use a channel binding token (CBT) to mitigate this threat.
Note: Disable Extended Protection for Authentication
To disable the Extended Protection for Authentication feature in AD FS 2.0:
On a federation server, log in using the Administrator account, open the Windows PowerShell command
prompt, and then type the following command:
Set-ADFSProperties -ExtendedProtectionTokenCheck None
Repeat this step on each federation server in the farm.
Configuring Advanced Options for AD FS 2.0