Consider the following scenario:
You have an Active Directory Federation Services (AD FS) passive endpoint that is running Windows Server 2012 R2.
You enable the ExtendedProtectionTokenCheck setting in an AD FS 3.0 configuration.
In this scenario, the ExtendedProtectionTokenCheck setting is displayed as enabled when you view theAD FS properties by using the Get-ADFSProperties command. However, regardless of the setting, the current passive endpoints do not use the ExtendedProtectionTokenCheck setting.
To resolve this issue, install update rollup 2975719. For more information about how to obtain this update rollup package, click the following article number to view the article in the Microsoft Knowledge Base:
2975719 August 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
For more information about how to set the ExtendedProtectionTokenCheck setting
Set-ADFSPropertiesFor more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates