ExtendedProtectionTokenCheck setting keeps being disabled in AD FS 3.0 in Windows Server 2012 R2

Symptoms

Consider the following scenario:

  • You have an Active Directory Federation Services (AD FS) passive endpoint that is running Windows Server 2012 R2.

  • You enable the ExtendedProtectionTokenCheck setting in an AD FS 3.0 configuration.

In this scenario, the ExtendedProtectionTokenCheck setting is displayed as enabled when you view theAD FS properties by using the Get-ADFSProperties command. However, regardless of the setting, the current passive endpoints do not use the ExtendedProtectionTokenCheck setting.

Resolution

To resolve this issue, install update rollup 2975719. For more information about how to obtain this update rollup package, click the following article number to view the article in the Microsoft Knowledge Base:

2975719 August 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information


For more information about how to set the ExtendedProtectionTokenCheck setting

Set-ADFSPropertiesFor more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×