WarningThe following steps disable Extended Protection for Authentication. This feature can help reduce the risk for “man in the middle” kinds of attacks. For more information about this feature and the protection it provides for credential handling see
Microsoft Security Advisory (973811).
The following steps disable the Extended Protection for Authentication feature on the computer running Firefox or Chrome.
1. On the computer where the web browser is experiencing the issue, start Registry Editor (regedit), and locate the following subkey.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
2. In the
Lsa subkey, locate the
SuppressExtendedProtection value. If the value does not exist, you must add it. To add the value, right-click
Lsa, point to
New, and then click
DWORD (32-bit) Value. Type
SuppressExtendedProtection, and then press ENTER.
3. Right-click
SuppressExtendedProtection, click
Modify, and enter
1 (REG_DWORD).
4. Click
OK and close Registry Editor.
5. Repeat for each computer that experiences the issue when you run Firefox or Chrome and Microsoft Dynamics CRM.
After the change is made, the following behavior occurs.
· Chrome web browsers will no longer continue to prompt after the initial sign in.
· Firefox web browsers will prompt up to two additional occasions after the initial sign in.
Alternatively, you can disable the Extended Protection for Authentication feature in AD FS 2.0. Notice that disabling Extended Protection for Authentication feature in AD FS 2.0 will disable the feature for all clients that are authenticated by the federation server. For more information about how to disable the Extended Protection for Authentication feature on the AD FS 2.0 federation server, see
Configuring Advanced Options for AD FS 2.0. For more information about this issue when using Office 365, see
A federated user is repeatedly prompted for credentials when they connect to the AD FS 2.0 service endpoint during Office 365 sign-in.