Planning Browser Support for AD FS

Lync Online and Office 365 are compatible with most modern web browsers, including Internet Explorer, Firefox, Chrome, and Safari. However, by default, SSO with Lync Online/Office 365 depends on the browser’s support for Extended Protection for Authentication, a feature that helps protect against man-in-the-middle attacks. If a browser does not support Extended Protection for Authentication, users will likely receive logon prompts on a regular basis when accessing Lync Online and other Office 365 services.

At the time of writing, several versions of Firefox, Chrome, and Safari did not support Extended Protection for Authentication; therefore, if these browsers are planned for Lync Online, some adjustments to the default configuration might be required. Following are two adjustments that can potentially be used to avoid logon problems for Lync Online users connecting with a browser that does not support Extended Protection for Authentication:

• The Extended Protection for Authentication setting can be disabled on AD FS 2.0 systems. To adjust this setting on a federation server, log in using an account with local administrator permissions, open Windows PowerShell, and execute the following command:

Set-ADFSProperties -ExtendedProtectionTokenCheck None

If multiple federation servers are used, the command must be executed on each federation server in the farm.

• The AD FS 2.0 web page on each federation server can be reconfigured to use forms-based authentication instead of integrated Windows authentication. The implications of such a change should be carefully considered before this adjustment is made, because it affects all Lync Online/Office 365 users, regardless of the browser being used. If it is determined that this change will be made, the AD FS documentation on TechNet should be consulted for the specific procedures to be used.
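
The first adjustment above, applied to every federation server in a farm while recording each server's previous value so the setting can be restored later. This is an added example, not from the original text; the server names and log path are placeholders, and it assumes PowerShell remoting is enabled on each federation server and that the AD FS 2.0 snap-in (Microsoft.Adfs.PowerShell) is installed there.

```powershell
# Added example. Server names are placeholders; list every federation server in the farm.
$FederationServers = @('adfs01.example.com', 'adfs02.example.com')
$LogPath = Join-Path $env:TEMP 'adfs-extended-protection-change.csv'

$results = foreach ($server in $FederationServers) {
    try {
        Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            # AD FS 2.0 ships its cmdlets in a snap-in rather than a module.
            Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

            # Capture the current value before changing anything.
            $before = (Get-ADFSProperties).ExtendedProtectionTokenCheck
            if ("$before" -ne 'None') {
                Set-ADFSProperties -ExtendedProtectionTokenCheck None -ErrorAction Stop
            }
            $after = (Get-ADFSProperties).ExtendedProtectionTokenCheck

            New-Object PSObject -Property @{
                Server = $env:COMPUTERNAME
                Before = "$before"
                After  = "$after"
                Error  = ''
            }
        }
    }
    catch {
        # Unreachable server or failed change: report it instead of stopping the run.
        New-Object PSObject -Property @{
            Server = $server
            Before = ''
            After  = ''
            Error  = $_.Exception.Message
        }
    }
}

# Keep a record of the previous values, then show the outcome per server.
$results | Select-Object Server, Before, After, Error |
    Export-Csv -Path $LogPath -NoTypeInformation
$results | Select-Object Server, Before, After, Error | Format-Table -AutoSize

# Any server not reporting 'None' still enforces the check and will keep prompting
# users whose browsers lack Extended Protection for Authentication.
$pending = @($results | Where-Object { $_.After -ne 'None' })
if ($pending.Count -gt 0) {
    Write-Warning ("Setting not applied on: " + (($pending | ForEach-Object { $_.Server }) -join ', '))
}
```

The Before column in the CSV is the value to pass back to Set-ADFSProperties -ExtendedProtectionTokenCheck if the protection is re-enabled once the planned browsers support it.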
