NTLM authentication to AD FS for non-IE browser without 'Extended Protection' switched off?

Question

When using NTLM authentication to AD FS 2.0, from Google Chrome or Firefox 3.5+ running on Windows, then this results in a repeated sign-in dialog and finally sign-in failur

Answer 1

Extended Protection was designed to prevent kerberos ticket replay attacks.

As I understand it, it works in IE because the default for ADFS is Windows Integrated Authentication which IE handles "under the hood".

When I investigated this a while back, if I remember correctly, there is a workaround for Firefox.