We need to turn off EPA at the client level to get some of our apps to work in Chrome using Windows integrated authentication using ADFS 2.1 as Chrome doesn't support EPA. This applies to the Office 365 portal as well as some apps we wrote ourselves that use SAML.
As per https://support.microsoft.com/en-us/kb/976918 we've set
Key Name: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
Value Name: SuppressExtendedProtection
Type: DWORD
to 0x01 and it works on Windows 7 / IE9. It doesn't even require a reboot, just a restart of Chrome.
This doesn't work on Windows 8.1 / IE11.
Some questions:
- There is no mention anywhere of whether EPA applies on Win 8. All MS articles about EPA refer back to the base KB for XP / 2003 (https://support.microsoft.com/en-us/kb/968389).
- Does SuppressExtendedProtection work on Win 8.1?
- Are the registry values 0, 1 and 3, or 0, "0x01." and "0x03." as suggested in KB976918? (You can't type these in; you have to paste them in, and the reg editor converts them to some other hex value...)