telling fiddler to step out of the way for specific traffic


robertob

Feb 3, 2013, 4:43:11 PM
to httpf...@googlegroups.com
Using the details found in this post, http://blogs.msdn.com/b/fiddler/archive/2011/09/04/fiddler-http-401-authentication-workaround-to-support-channel-binding-tokens-removing-endless-prompts.aspx, I'm able to get a Fiddler capture of WP8 emulator traffic past ADFS forms-based authentication (FBA) interactions, but not subsequent redirects involving posting of the issued token to my ACS namespace.
 
I can live without capturing traffic involving my corporate ADFS farm URL and federated ACS namespace URL, but I still need Fiddler in place to capture all other traffic for debugging purposes and to enable WP8 emulator use of dev wks etc/hosts DNS-spoofed addresses that route requests to dev wks IIS-hosted web services.
 
Is there a way I can configure a blanket rule that tells Fiddler to get out of the way for all traffic to/from my corporate ADFS farm URL and my federated ACS namespace URL?

EricLaw

Feb 4, 2013, 11:55:08 AM
to httpf...@googlegroups.com
To your question: It largely depends on what you mean by "get out of the way." If the goal is to configure Fiddler not to capture traffic to specific hosts, see Tools > Fiddler Options > Connections > Bypass Fiddler for URLs. Enter a pattern like, e.g. https://auth.example.com;*.corpdomain.
 
Alternatively, if the sites in question are HTTPS, you could prevent Fiddler from decrypting traffic to those sites, such that you'd see the CONNECTs in Fiddler, but the traffic would not be decrypted.
 
What's less clear to me is why having Fiddler intercept the traffic in question is problematic.

robertob

Feb 4, 2013, 2:03:41 PM
to httpf...@googlegroups.com
Thanks for response.  
 
I think what I should be using is the option you propose, where Fiddler still captures the traffic but doesn't decrypt/re-encrypt traffic to/from those destinations.
 
I configured Tools | Fiddler Options | HTTPS | Skip decryption for the following hosts = "corp.sts.microsoft.com;mydsvcnspc.accesscontrol.windows.net" and that unblocked me vs. having to resort to Tools | Fiddler Options | Connections | Bypass Fiddler for URLs that start with = "<-loopback>;https://corp.sts.microsoft.com;https://mydsvcnspc.accesscontrol.windows.net".
 
The connection types where issues seem to exist are ADFS WSTrust signins (see this post: https://groups.google.com/forum/#!topic/httpfiddler/VRtGQUNgY9A) and ACS/ADFS federated signins, where the ADFS signin is handled by what you outlined in this post, http://blogs.msdn.com/b/fiddler/archive/2011/09/04/fiddler-http-401-authentication-workaround-to-support-channel-binding-tokens-removing-endless-prompts.aspx, but the redirect from there to ACS where ADFS issued SAML token is used as method of authenticating request.
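
A scripted equivalent of the "skip decryption" setting discussed in this thread, as an added example that is not part of any post above and is not code from the Fiddler project. It assumes classic Fiddler's CustomRules.js (Rules > Customize Rules) and reuses the two hostnames quoted in the thread; the `noDecryptHosts` variable name is made up for this example.

```jscript
// Added example: place inside "class Handlers" in CustomRules.js.
// If the file already defines OnBeforeRequest, merge the if-block below
// into the existing function instead of declaring a second one.

// Hosts whose HTTPS tunnels should pass through without decryption.
// Values are the ones quoted in the thread; substitute your own STS/ACS hosts.
static var noDecryptHosts = [
    "corp.sts.microsoft.com",
    "mydsvcnspc.accesscontrol.windows.net"
];

static function OnBeforeRequest(oSession: Session) {
    // HTTPS connections arrive as CONNECT tunnels; the decision whether to
    // decrypt the tunnel has to be made on that CONNECT request.
    if (oSession.HTTPMethodIs("CONNECT")) {
        for (var i = 0; i < noDecryptHosts.length; i++) {
            if (oSession.HostnameIs(String(noDecryptHosts[i]))) {
                // Fiddler still lists the CONNECT, but relays the TLS stream
                // untouched, so the client negotiates TLS with the real
                // server certificate rather than Fiddler's generated one.
                oSession["x-no-decrypt"] = "federated sign-in host";
                // Grey the tunnel out in the session list so it is obvious
                // why no decrypted sessions follow it.
                oSession["ui-color"] = "gray";
                break;
            }
        }
    }
}
```

Because the tunnel is left intact, authentication that is bound to the server's TLS channel sees the genuine certificate for these hosts, while all other HTTPS traffic is still decrypted for debugging.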
 
 