SharePoint Designer 2010 Error – “The extended protection settings configured on IIS do not match the settings configured on the transport”

We recently had to troubleshoot an error in SharePoint Designer 2010 where it would not connect to a web site showing the cryptic error message: “The content type of the response is “”. The Status Code is “OK”.

the extended protection settings configured on iis do not match the settings configured on the transport

Having encountered this error once before, I thought it might have something to do with multiple bindings on the IIS site, but after checking with a networking colleague, we realized this was not the case since there was only one binding. The application event logs showed that the specific exception message was “The extended protection settings configured on IIS do not match the settings configured on the transport. See inner exception for details.”

the extended protection settings configured on iis do not match the settings configured on the transport

After scratching our heads for a little, we realized that actually, the devil was in the details – inner details – in our case. Ours were saying: “The ExtendedProtectionPolicy.PolicyEnforcement values do not match.” Well, Extended Protection Policies have to do with authentication, so we checked in IIS the Authenication > Windows Authentication > Advanced Settings and found that Extended Protection was Required and Kernel-mode was on.

the extended protection settings configured on iis do not match the settings configured on the transport

Since our environment used two load-balanced web servers (WFEs), we checked the second server’s authentication settings and sure enough, they did not match. After normalizing the authentication settings on both servers, voilà, SharePoint Designer stopped misbehaving and I was able to go about my SharePoint branding business. And the moral of this particular story is: read the whole error log message, especially the section on inner details!

January 28, 2014