The official line from Microsoft is, if you decide to support
integrated authentication with Safari / Chrome, then turn off the
channel binding token a.k.a. extended protection for IWA.

Alternately you could perhaps deploy client SSL certificates to some
of those devices.

It's debatable whether IWA is necessarily more secure than FBA,
considering that in either event some classes of users will be
more-or-less blindly typing credentials into a challenge dialog.  It's
an improvement at the protocol level but maybe even in the larger
sense.

--Steve

On Fri, Feb 22, 2013 at 4:16 PM, Kennedy, Jim
<[email protected]> wrote:
> I have been down this road and I would be comfortable with either solution.
> From an end user standpoint 1 would be my choice.
>
>
>
> From: David Lum [mailto:[email protected]]
> Sent: Friday, February 22, 2013 3:16 PM
> To: NT System Admin Issues
> Subject: IIS security / Chrome Firefox / ADFS
>
>
>
> I’ve been asked to use one of these two solutions to fix an ADFS/Chrome
> browser issue. I am not very IIS/security savvy, what are the security
> implications of each?
>
>
>
> http://blogs.microsoft.co.il/blogs/applisec/archive/2012/07/16/chrome-support-for-acs-with-adfs-2-0-identity-provider.aspx
>
>
>
> David Lum
> Sr. Systems Engineer // NWEATM
> Office 503.548.5229 // Cell (voice/text) 503.267.9764
