ExtendedProtectionTokenCheck setting keeps being disabled in AD FS 3.0 in Windows Server 2012 R2

View products that this article applies to.

Symptoms

Consider the following scenario:

You have an Active Directory Federation Services (AD FS) passive endpoint that is running Windows Server 2012 R2.
You enable the ExtendedProtectionTokenCheck setting in an AD FS 3.0 configuration.

In this scenario, the ExtendedProtectionTokenCheck setting is displayed as enabled when you view theAD FS properties by using the Get-ADFSProperties command. However, regardless of the setting, the current passive endpoints do not use the ExtendedProtectionTokenCheck setting.

↑ Back to the top

Resolution

To resolve this issue, install update rollup 2975719. For more information about how to obtain this update rollup package, click the following article number to view the article in the Microsoft Knowledge Base:

2975719 August 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

More Information

For more information about how to set the ExtendedProtectionTokenCheck setting

Set-ADFSProperties

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

↑ Back to the top

Applies to:

↑ Back to the top

Keywords: kbqfe, kbfix, kbsurveynew, kbexpertiseadvanced, kb

↑ Back to the top

Article Info

Article ID	:	2978096
Revision	:	1
Created on	:	1/7/2017
Published on	:	8/12/2014
Exists online	:	False
Views	:	271

Microsoft KB Archive Search

ExtendedProtectionTokenCheck setting keeps being disabled in AD FS 3.0 in Windows Server 2012 R2

Symptoms

Resolution

Status

More Information

Applies to: