Fiddling with ADFS - end the infinite authentication loop

While working at a customer site the other day I was reminded of an article by Eric Lawrence on why you sometimes start seeing endless pop-up windows asking for credentials when using Fiddler to decrypt HTTPS traffic during troubleshooting.

In short: if the web server has Extended Protection for Authentication enabled, it detects that the Channel Binding Token Fiddler presents to it doesn't match the one created by the original user's session, so it invalidates the credentials and requests authentication again, and that cycle repeats endlessly.

The solution: fiddle with Fiddler's internals, adding the site you're having problems with specifically as one that Fiddler is allowed to authenticate to on your behalf, and adding the credentials to use against that site to the Fiddler config file (see Eric's MSDN article for details).
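To make the mechanism concrete, here is an added Python model of the server-side check (not code from this post, from Fiddler, or from Microsoft): it derives an RFC 5929 tls-server-end-point style channel binding from a certificate, then runs an Extended Protection comparison for a client that connected directly and for one whose TLS session was terminated by a decrypting proxy such as Fiddler. The certificates are constructed placeholder byte strings, the `adfs.example.test` name is an assumption, and the retry loop is capped so the script terminates instead of prompting forever.

```python
import hashlib
import hmac
from dataclasses import dataclass

# RFC 5929 tls-server-end-point: the channel binding is a hash of the server's
# end-entity certificate, using the hash from the certificate's signature
# algorithm, with MD5 and SHA-1 replaced by SHA-256.
_HASH_FOR_SIG_ALG = {
    "md5WithRSAEncryption": "sha256",
    "sha1WithRSAEncryption": "sha256",
    "sha256WithRSAEncryption": "sha256",
    "sha384WithRSAEncryption": "sha384",
    "sha512WithRSAEncryption": "sha512",
}


@dataclass(frozen=True)
class Certificate:
    """Constructed stand-in for an X.509 certificate: only the fields the
    binding needs. `der` is placeholder bytes, not a real encoded cert."""
    subject: str
    der: bytes
    sig_alg: str


# Constructed sample certificates (assumed host name). The proxy certificate
# carries the same subject name as the real one, which is what lets the
# decryption work, but it is a different certificate, so its binding differs.
SERVER_CERT = Certificate(
    "CN=adfs.example.test", b"constructed-der:real-adfs-cert", "sha256WithRSAEncryption")
PROXY_CERT = Certificate(
    "CN=adfs.example.test", b"constructed-der:proxy-generated-cert", "sha256WithRSAEncryption")


def tls_server_end_point(cert: Certificate) -> bytes:
    """Channel binding token for the certificate the client saw on its own TLS connection."""
    hash_name = _HASH_FOR_SIG_ALG.get(cert.sig_alg)
    if hash_name is None:
        raise ValueError(f"no channel binding hash defined for {cert.sig_alg}")
    return hashlib.new(hash_name, cert.der).digest()


@dataclass(frozen=True)
class AuthResult:
    status: int
    reason: str


def server_check(server_cert: Certificate, client_cbt: bytes, epa_enabled: bool) -> AuthResult:
    """Server side of the exchange. With Extended Protection on, the binding
    carried inside the client's authentication must match the certificate the
    server itself presented; with it off, the binding is not examined."""
    if not epa_enabled:
        return AuthResult(200, "accepted: Extended Protection is off, binding not checked")
    expected = tls_server_end_point(server_cert)
    if hmac.compare_digest(expected, client_cbt):
        return AuthResult(200, "accepted: channel binding matches")
    return AuthResult(401, "rejected: channel binding mismatch, re-challenging")


def authenticate(client_sees: Certificate, server_cert: Certificate,
                 epa_enabled: bool = True, max_attempts: int = 3) -> tuple:
    """Client retries on every 401 (each retry is one more credential prompt).
    Returns (final result, number of prompts). The cap is an assumption so the
    endless loop the post describes terminates here."""
    attempts = 0
    result = AuthResult(401, "not attempted")
    while attempts < max_attempts and result.status != 200:
        attempts += 1
        cbt = tls_server_end_point(client_sees)  # bound to the channel the client actually has
        result = server_check(server_cert, cbt, epa_enabled)
    return result, attempts


if __name__ == "__main__":
    for label, seen in (("direct", SERVER_CERT), ("via decrypting proxy", PROXY_CERT)):
        result, prompts = authenticate(seen, SERVER_CERT)
        print(f"{label}: HTTP {result.status} after {prompts} prompt(s), {result.reason}")
```

Running it shows the direct client accepted on the first attempt and the proxied client re-challenged until the cap, which is the loop the post describes: the credentials are fine, but they are bound to the proxy's channel rather than the server's, so only a client that authenticates against the real certificate (or a proxy that is explicitly allowed to authenticate on the user's behalf, as in the workaround above) gets through.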


Details:

Fiddler and Channel Binding Tokens Revisited
http://blogs.msdn.com/b/fiddler/archive/2011/09/04/fiddler-http-401-authentication-workaround-to-support-channel-binding-tokens-removing-endless-prompts.aspx

Extended Protection for Authentication - Microsoft Security Advisory (973811)
http://technet.microsoft.com/en-us/security/advisory/973811