First Impressions – AD FS and Windows Server 2012 R2 – Part I

In the next few posts, I wanted to take a look at the changes to be found in Windows Server 2012 R2 with respect to Active Directory Federation Services (AD FS).  At TechEd Europe, I was fortunate enough to chat with some of the folks from the Active Directory team about the new enhancements and to cover them here in a little more detail. As you may have read, there are a significant number of changes in the R2 version and I’ll spread coverage of this over a number of posts.

Part 1

-          Architecture Changes

-          Workplace Join / Bring Your Own Device (BYOD)

o   Windows 8.1

o   iOS Devices

-          Web Application Proxy

-          Extranet soft account lockout policies

-          Lost Device Protection

Part 2

-         UI Changes

-         Access Scenarios

-         Authentication changes

o  Multi-Factor Authentication

o   Context-based Authentication

o   Claims/Non-claims aware applications

o   Policy-based Evaluation

Part 3

-          OATH2 support

-          Work Folders

-          Better event handling / reporting

-          Server Core

-          Other stuff undiscovered J

Architecture Changes

The use of IIS with AD FS in Windows Server 2012 R2 has been eschewed in favour of a move to kernel-mode (HTTP.SYS). The motive, highlighted in discussions at TechEd, is to improve performance, provide greater sign-in customization options and to assuage concerns for co-locating AD FS and AD DS on the same server (IIS on domain controllers has been a long-standing security no-no).  As the use of federation services goes more mainstream in everyday use with Windows 8.1, this shift is understandable and an important design consideration.  With the new kernel-mode approach, support for running under server core also appears as an option in the new release.

image

From a basic architecture standpoint and overview, the AD FS proxy has been supplanted by a role known as the Web Application Proxy, servicing connections for external clients. The user interface (UI) through the migration to kernel mode is also significantly changed. Authentication undergoes a radical overhaul with a Multi-Factor Authentication (MFA) Adapter available for plugging into Windows Azure Active Authentication and third-party MFA providers. This is also seen in more nuanced behaviour with respect to authentication within the product, reflected in greater flexibility in access control decisions.

With AD FS now built directly built on top of HTTP.SYS, a lot of changes  are abstracted from the user through the new MMC UI and also PowerShell. Nonetheless, it’s worthwhile familiarizing ourselves with kernel mode elements, as they serve a useful role in basic service troubleshooting/configuration . The NETSH HTTP command can be used to query and configure http.sys.

The netsh http show urlacl command can be used to list URL reservations that AD FS makes within http.sys.  Here we can see the /adfs/ path reserved for use.

 

    Reserved URL            : https://+:443/adfs/

        User: NT SERVICEadfssrv

            Listen: Yes

            Delegate: Yes

            SDDL: D:(A;;GA;;;S-1-5-80-2965554544299-213434830-363436364-117610243-975697593) 

 

And there’s this new guy, the Device Enrolment server, whose role becomes more apparent should we wish to make use of new Windows 8.1/iOS client (mobile) integration features.

    Reserved URL            : https://+:443/EnrollmentServer/

        User: NT SERVICEdrs

            Listen: Yes

            Delegate: Yes

            SDDL: D:(A;;GA;;;S-1-5-80-1321940109-3370001082-3650459431-215109509-2472514016)

 

SSL bindings can be reviewed using the netsh http show sslcert command. The AD FS server in this demo setup I’ve created is sts.adfs2.net.

PS C:Windowssystem32> netsh http show sslcert

 

SSL Certificate bindings:

————————-

 

    Hostname:port                : sts.adfs2.net:443

    Certificate Hash             : 1f54c1c62b057dscffgb1aec2b2cbd0876e5c559

    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}

    Certificate Store Name       : MY

    Verify Client Certificate Revocation : Enabled

    Verify Revocation Using Cached Client Certificate Only : Disabled

    Usage Check                  : Enabled

    Revocation Freshness Time    : 0

    URL Retrieval Timeout        : 0

    Ctl Identifier               : (null)

    Ctl Store Name               : AdfsTrustedDevices

    DS Mapper Usage              : Disabled

    Negotiate Client Certificate : Disabled

 

    Hostname:port                : localhost:443

    Certificate Hash             : 1f52c0d62b0570c6a26c7fec2b2cbd0876e5bc59

    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}

    Certificate Store Name       : MY

    Verify Client Certificate Revocation : Enabled

    Verify Revocation Using Cached Client Certificate Only : Disabled

    Usage Check                  : Enabled

    Revocation Freshness Time    : 0

    URL Retrieval Timeout        : 0

    Ctl Identifier               : (null)

    Ctl Store Name               : AdfsTrustedDevices

    DS Mapper Usage              : Disabled

    Negotiate Client Certificate : Disabled

 

    Hostname:port                : sts.adfs2.net:49443

    Certificate Hash             : 2f5c41c62b0570c6a26c7fec21d2d0876e5c559

    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}

    Certificate Store Name       : MY

    Verify Client Certificate Revocation : Enabled

    Verify Revocation Using Cached Client Certificate Only : Disabled

    Usage Check                  : Enabled

    Revocation Freshness Time    : 0

    URL Retrieval Timeout        : 0

    Ctl Identifier               : (null)

    Ctl Store Name               : (null)

    DS Mapper Usage              : Disabled

    Negotiate Client Certificate : Enabled

 

Location-wise, the AD FS application files themselves are no longer held under C:Program FilesActive Directory or C:Program Files (x86). Instead, they’ve moved to C:WindowsADFS. For clarity, this was actually a change instigated first in Windows Server 2012 with the Active Directory Federation Services (AD FS) 2.1 role.  In this folder is the Microsoft.IdentityServer.Servicehost.exe.config file, where, as admins, we’ll be spending more time in the future in order to activate debug functions. From this file all trace options for various services and endpoints can be enabled. In the same folder is a configuration file for the new Device Registration service (DRS), responsible for activation and enrolment of controlled devices and represented by a new (Win8/IOS *) schema class in Active Directory Domain Services (AD DS). The file in question is called   Microsoft.DeviceRegistration.ServiceHost.exe.config. 

Support for the new Device class requires a schema change to Active Directory. For those upgrading an existing Windows setup, the appropriate files can be found on the R2 installation CD under D:SupportADPrep.  From what I’ve seen/tested thus far, to support the new release, you’ll need at least one Windows Server 2012 domain controller, preferably two in any serious deployment scenario. This requirement stems from the use of Group Managed Service Accounts (GMSA) that are generated and maintained by the Key Distribution Service (KDS) on 2012 domain controllers. The new version of AD FS makes use of these GMSA accounts, defined during AD FS installation, that are then shared amongst connecting AD FS hosts. I suggest reading the following backgrounder and bear in mind that the AD FS Windows Server 2012 preview  labs incorporate a workaround for testing purposes, in activating the root key, that is not recommended for production environments.

Update 29/10 –  SamD from the AD product team added that “gMSA is not required to be the service account that ADFS runs on. It is an additional optimization that is available to customers if they have Win2012 domain controllers available.” The traditional service account option is available during installation.

Moving on, let’s take a look at the “broader” access audience that the new version emphasises. This can be immediately seen by viewing the claims descriptions list surfaced on a new AD FS installation.

clip_image002

There are around 40 new claims descriptions available in the AD FS Windows Server 2012 R2 release. As we’ll see, use of these new claims types allow us to make more refined assessments concerning  access to web applications and resources.

Workplace Join / Bring Your Own Device (BYOD)

Through the new Workplace Join feature within R2, AD FS becomes a focal point for mobile access in the enterprise and an integral component in the Microsoft Bring Your Own Device (BYOD) vision. Workplace Join allows hitherto unmanaged/untrusted operating systems such as Windows RT/Windows 8 and IOS to be moved into a more controlled access context, by allowing their registration and affiliation with Active Directory. Devices will register with Active Directory through a Device Registration Service (DRS) and subsequently use an X509 certificate bound to the user context(s) on that machine for device authentication. In a default configuration, users will login via AD FS to initiate the join process using their AD credentials.  To further secure this process, additional factors can be also used with Windows Azure Active Authentication (PhoneFactor) or a third-party authentication provider exposed through the new AD FS MFA SDK.

Devices that are workplace-joined emit additional claims during the logon process. These include:

clip_image004

Certificate support in claims handling has also been enhanced.

clip_image006

Windows 8.1

In order to provide a comparison between old and new with Workplace Join, I began by looking at what claims (and any new ones) are processed from a vanilla Windows 8.1 Pro domain-joined machine, using a simple WS-Federation relying party to validate claims emitted the client and AD FS components.

Firstly via the internal network and the AD FS farm using Internet Explorer. Here the browser uses Integration Windows Authentication/Negotiate and the user silently accesses to the WIF relying party via Kerberos. The usual configuration caveats apply here: the URL of the AD FS and RP instance are in the Local Intranet Zone of IE.

image

To demonstrate a new change, I installed Mozilla Firefox and repeated the logon process. Instead of the Integrated Windows Authentication (IWA)/Negotiate process, the user is presented with a forms sign-in page. This represents a departure from the user experience and behaviour in AD FS 2.0. With the latter,  authentication would be downgraded to NTLM,  because IWA was assumed in the farm configuration and the browser needed to be configured to explicitly support Kerberos for seamless login. Where the latter action was not performed,  the user would receive an NTLM challenge/response prompt, often causing confusion. With the new release, support for IWA is now governed through setting registering User Agent types within AD FS that are capable of supporting Negotiate. Out of the box, this is constrained to IE, meaning any other browser will revert to using forms logon when accessing resources from an internally connected client . Here we see the claims output from a Firefox login:

image

In internal login scenarios (IE/Firefox), we see new claims types emitted concerning location (whether the login request is sourced within the Corporate Network), an Application Identifier (corresponding to the Relying Party Identifier), the Client source IP (or translated) address, an Authentication Method Reference and a Client Request ID.

Then, via an external network through the new Web Application Proxy:

image

In addition to those claims types mentioned earlier is a new claims type for the client forwarded IP (x-ms-forwarded-client-ip) processed at the Web Application Proxy. The insidecorporatenetwork value  is now set to false, as we’re on an outside network.

You may have observed at this point that there are no Device claims. This makes sense if we consider that their use is limited to client types that declare them, i.e. only workplace-joined clients currently make use of the Device class.  

Onto the workplace join process itself. To get your test lab up and running, I recommend reading this TechNet article.

If you follow the lab guide carefully, and, in particular, with emphasis on getting the dependent infrastructure working correctly, then with a little patience and time, you’ll be up and running. I tried this with the basic contoso.com lab setup (a good starting point) and then expanded this in new setup using my own test domain. There are a few gotchas worth pointing out, hoping that you’ll avoid my growing pains …

1.      Don’t use Cryptography Next Generation (CNG) algorithms when configuring your AD Certificate Services. They won’t work.

2.      For simplicity in your CA configuration, I’d opt for use of HTTP Distribution endpoints, particularly if you intend to test “outside” configurations using the Web Application Proxy. Ensure the Certificate Revocation List (CRL) on the Certificate Distribution Point (CDP) and your Authority Information Awareness (AIA) URLs are setup correctly and reachable from the Win 8.1 client. If you’re using Delta CRLs and IIS as the web server for your CDP, don’t forget to allow Double Escaping on IIS in the Request Filtering section.

3.      Ensure the Enterprise CA is trusted by the client and the certificate is installed in the Trusted Root Authorities section of the client. Importing the cert via the AIA endpoint is a good way of testing its availability and installing the certificate. Again, the certificate distribution point (CDP) URLs should be visible to the client.

4.      Issue the AD FS certificate, complete with SAN for the Device Registration Service (DRS), before you begin your AD FS setup. The common name (CN) on the certificate should be the AD FS URL and two Subject Alternate Names (SAN) entries should contain the AD FS URL and one for the Device Registration Service (DRS) provided. For example, I’ve used an example using the MMC snap-in Certificate Request wizard, based on a copy of the default Web Server template for a common name of sts.mydomain.com for the FQDN URL of the AD FS service and also as the first Subject Alternate Name (SAN) entry. A second SAN entry is used for the DRS endpoint, enterpriseregistration.mydomain.com.

 

clip_image010         

5.      As posted on the Technet forums (in the current R2 preview), both the AD FS server and the Windows 8.1 client need to be configured with time-zone of UTC 0:00 or less. My setup is using Pacific Time (UTC -8:00). Don’t ask me, I just blog here J

6.      Don’t forget to enable Device Authentication in Global Primary Authentication settings within the UI or via PowerShell.

7.      Use the Event Log Microsoft|Workplace Join to troubleshoot!! Here’s a collage of  first-hand events to illustrate it’s effectiveness in troubleshooting:

 

clip_image011

URL (enterpriseregistration.xxxx.yyyy) cannot be resolved or reached.

 

clip_image013

Can’t reach the CRL CDP of the AD CS endpoint.

 

clip_image014

Root Authority is not trusted by the client.

 

clip_image015

This message is stating a number of possible issues (generally bad):

 

o   DRS Configuration and Activation was not completed successfully

o   Issues with the SAN on the SSL certificate

o   AD FS Device Authentication has not been enabled

 

Once you start seeing messages like the following, you’re almost there.

 

clip_image016

 

clip_image017

Nice.

 

8.       Take particular note of any errors reported when trying to activate Device Registration Service; namely anything  along the lines of:

WARNING: UPN values that are not included in the SSL certificate have been found in the enterprise. Users with these UPN suffix values will not be able to register their devices. To enable users with the corresponding UPN suffix to register their devices, provide a new SSL certificate containing the values listed below in the subject or subject alternative name.

enterpriseregistration.upn1.contoso.com
enterpriseregistration.upn2.contoso.com

In the case of (8), I’d made the mistake of not registering the appropriate certificates with Subject Alternate Names (SAN) that included the DeviceRegistration CNAME record. Simply re-issuing the AD FS service certificate afterward, setting Manage Private Keys etc. and re-activating DRS in PowerShell was not sufficient to get the configuration working.

The Workplace Join function can be accessed by first accessing the Change PC Settings option on the Windows 8 UI

clip_image019

In PC Settings, choose the Network option

Then select Network followed by the Workplace option:

clip_image021

If your configuration is working, certificates are trusted, appropriate AD FS and PKI endpoints are reachable, stars are in alignment (just joking), then clicking on the Join button leads to AD FS responding with a challenge:

clip_image023

Enter the Active Directory credentials for the user. In this example I’m using, the device is joining a test domain called adfs2.net. Note the AD FS URL (connecting to my R2 instance sts.adfs2.net) at the top of the page. For the auto-discovery of the AD FS Device Registration Endpoints (DRS) a CNAME (Alias) record in DNS needed to be created for the service called enterpriseregistration.adfs2.net. This record points to the host (A) record of the AD FS federation service internally. This allows the discovery process to find the DRS endpoint and in an external setting this would point to the Web Application Proxy,  your own Reverse Proxy or other suitable edge device.

The relying party (RP) for the Device Registration Service is created during the DRS activation process, so there’s nothing additional required on this side.

clip_image024

Connecting Windows 8.1 clients will use the auto-discover function by matching the domain suffix of the user account provided during the join process against the enterprise registration CNAME record for that domain. The join process then attempts a call to the enrollment server web service. Using the adfs2.net domain as an example, the following endpoint is queried:

https://enterpriseregistration.adfs2.net/EnrollmentServer/contract?api-version=1.0

If the service can be reached successfully, the join process is initiated.

clip_image028

The process is now completed and the “join” associated with the Windows 8.1 user profile. I used a Microsoft Live ID account and as can be be seen from the above screenshot, a subsequent AD user called demo with a UPN of demo@adfs2.net,in doing so  providing my AD credentials during the Join. Please note that the Active Directory domain I’m using is also called adfs2.net (dc=adfs2,dc=net) for convenience. In a real-world/production scenario, the DNS domain names used for Active Directory and that of the federation service itself may be different.

The user account is then issued with a self-signed  X509 certificate with an Extended Key Usage (EKU) of Client Authentication. Jumping into the Certificates|User snap-in we see a certificate issued under the user context.

clip_image029

Back to the WIF 3.5 relying party (RP), logging on to the RP from the outside we get redirected to AD FS for logon. Upon successful logon, the following claims are shown.

image

With the Win 8.1 device now connected to the AD domain via a Workplace Join, we see additional claims consummated.

·         IsRegisteredUser

·         OS Version

·         OS Type

·         Identifier (Subject name of the cert)

·         Display Name (corresponding to the Device Name)

·         Registration ID (corresponding to an OU served up in the certificate)

The device itself is registered within Active Directory at the following location: CN=<Device ID>,CN=RegisteredDevices,DC=mydomain,DC=com.

Here’s an example with a SAML 2.0 Service Provider (SimpleSAMLphp), with a Workplace Joined Windows 8.1 client connecting to it.

Inside the corporate network, we see the following:

clip_image033

As tempting it is to delve further into authentication, I’ll refrain from doing so and leave this to a follow-up post. My apologies, otherwise this post will reach biblical proportions in length and we’ll be shaking hands with Santa Claus before we know it.

iOS devices

From testing, the auto-discover function using the enterpriseregistration CNAME record in DNS, described in the previous section, is limited to the workplace join process for Windows 8.1. iOS clients must directly connect to AD FS to initiate the join process. The endpoint settings on the DRS Relying Party refer to a URL of:

https://sts.adfs2.net/Enrollment Server/otaprofile/

This is the DRS Over-the-Air endpoint for non-Windows devices (currently iOS only).

I used an iPad 3 running iOS 6.1.3 for this exercise. If you plan on using self-signed certificates for this type of testing, you’ll need to use the iPhone Configuration Utility to create a profile which can be then used to install the root certificate from your Certificate Services Issuing CA (and any optional chain).

If you’re testing iOS or Windows 8.1 devices in an external setting, it’s worth mentioning that the Web Application Proxy (WAP), which I’ll cover in a moment, doesn’t provide an HTTP Reverse Proxy function. To ensure that any CRL/AIA distribution points are visible in an “outside” testing context, I elected to install IIS on the WAP, publish the CRL/AIA Certificate Distribution Points (CDP) via a UNC from the CA itself to be made available as an HTTP URL on the Web Application Proxy via IIS, making the distribution points reachable from an external perspective. Clearly, this is not something one would do automatically in a production environment, without a bit of forethought, but it works well in a demo environment. You can probably also do this with a kernel mode only approach, but I didn’t have time to test this (yet).

Once the Apple configuration file (.mobileconfig) file had been deployed onto my iPad (via e-mail), a Profile containing the Root certificate was generated and the certificate installed.

clip_image035

clip_image037

With the root certificate or chain correctly installed, going to the AD FS server URL, we should not receive any SSL errors or warnings in the browser, indicating that the chain and CRL/AIA distribution points are reachable. To test this, you can use the IdP initiated sign-on page in the default setup, e.g. https://YOURFQDN/adfs/ls/idpinitiatedsignon.aspx.  From the iPad, here’s the portrait view of the page.

 clip_image039

Playing around, I turned the iPad on its side and we get an automatically resized window. This is a nice feature in the new UI in AD FS 2012 R2 that supports dynamic adjustment and positioning of elements through CSS, resizing pages accordingly across various devices and user agents (think mobile client).

clip_image041

In order to kick off the Workplace Join, we point Safari to the endpoint DRS mentioned earlier:

https://sts.adfs2.net/Enrollment Server/otaprofile/

This redirects the browser to a sign-in page where we need to logon with the AD account that will be bound to the iOS device for the workplace join.

clip_image043

Logging on with the demo@adfs2.net account I used in the Windows 8.1 example, the Safari page remains open in the background and the foreground switches to the install profile option on the mobile device.

image

The install profile option and Workplace Join install option appears:

clip_image047

Clicking on the More Details option, we can see that the AD FS Token Signing Certificate (public key) and the Device Enrollment Encrypted Profile Service are referenced during the profile installation.

clip_image049

Clicking on Install Profile

clip_image051

Once the profile is installed we see a Certificate issued to the device, issued with a common name of MS-Organization-Access, as per the Windows 8.1 join process.

clip_image053

Returning to the profile screen we see the completed Workplace Join profile

 clip_image055

NB: The Demo Auth360 profile is the imported .mobileconfig containing the root certificate from earlier.

Web Application Proxy

Sitting in front of the AD FS farm is a new optional role, similar to the AD FS Proxy in AD FS 2.0, called the Web Application Proxy. This is a completely redesigned component, built to cater for federation services scenarios as well additional access scenarios beyond those seen in AD FS 2.0. 

As with DirectAccess in Windows Server 2012, more roles are being moving into the mainstream product and the Web Application Proxy is a module in the Remote Access role within Windows Server 2012 R2.

clip_image056

Configuration of the proxy itself also moves to the Remote Access Management snap-in.

clip_image057

A configuration wizard is provided to connect the proxy to the back-end AD FS farm and a service account is required to register with the AD FS server(s) during installation. This service needs to be a member of the local administrators group on the AD FS farm.

Once connected to AD FS, a number of simple options are available for configuration.

clip_image059 

The UI is at this stage is admittedly basic, but as with DirectAccess in 2012, there’s a greater emphasis on using wizards to get the job done and whatever can be done in the UI can be done (and more) via PowerShell; a PS configuration script is provided as a summary at the end of each publishing wizard rule to demonstrate this point.

As with TMG/UG we can publish/proxy a particular URL or URIs/paths of that URL expressed as separate publishing rules on the proxy , e.g.

www.mydomain.com/ (as one allow all rule) versus

www.mydomain.com/app1/ as Rule#1

www.mydomain.com/app2/ as Rule#2

www.mydomain.com/app3/ as Rule#3

An interesting under-the-covers capability is support for Server Name Indication (SNI).  SNI, initially provided in Windows Server 2012, allows for multiple certificates to be bound to a single IP listener. Prior to IIS 8.0/SNI, sharing IP addresses amongst multiple websites was limited to the network endpoint and their IP:Port binding. SNI is a TLS extension that provides the hostname of the server the client is connecting to during handshaking. This allows much greater flexibility when configuring the proxy. With the move to kernel-mode, all the hard lifting is done through the UI or via PowerShell. familiarity with NETSH HTTP will also assist in any troubleshooting or ad-hoc configuration. The majority of browsers support SNI, although Windows XP in any configuration using Internet Explorer does not.

The current preview of the proxy in the R2 release provides for connections as:

1.       A reverse web proxy, connecting to back-end servers via HTTPS;

2.       A pre-authentication web proxy, connecting to AD FS via HTTPS to validate credentials

a.       For claims aware web applications

b.      For non-claims aware web applications using Kerberos

When we publish a new AD FS compatible application (pre-authentication), the proxy pulls the RP list/ configuration from the AD FS farm. Polling is done (looking at the event logs) every minute.

Using a Windows Identity Foundation (WIF) test relying party application from another test domain (psid.local),  here’s an example of a publishing rule:

Add-WebApplicationProxyApplication -BackendServerUrl ‘https://rp.psid.local/app9/’ -ExternalCertificateThumbprint ’91D8014979B9CDEF9C907171F7CE9AF398E66DC6′ -ExternalUrl ‘https://rp.psid.local/app9/’ -Name ‘WIF Test Application’ -ExternalPreAuthentication ADFS -ADFSRelyingPartyName ‘WIF 3.5 Application’

This is a pre-authentication rule, meaning that AD FS process the login request, UI surfaced and  validates access and authentication credentials through the proxy via a back-channel connection before access to the relying party is processed.

To complete this round of testing, I wanted to validate Workplace Join from an “outside” network via the proxy. DRS endpoints are automatically published, meaning no specific additional publishing rules needed to be created.

On the Windows 8.1 client, I removed the client from the Join agreement created earlier in order to re-attempt the join via the proxy from the external network. When we attempt a join again from the “outside” via the Web Application Proxy, clicking on Join generates the following page.

clip_image065

The user ID is automatically populated in the form, carried over from the Join request.

Testing from the “outside” now, when we access our WIF application RP from our Workplace Joined client (via the Web Application Proxy), we’re served up with a sign-in form.

clip_image067

That’s expected as we’re now an Extranet client (using MS terminology). This is confirmed by looking at the base AD FS configuration and the primary authentication provider serving up forms login for external clients.

clip_image068

“Extranet” users are automatically assigned to the forms authentication sign-in process, whereas Intranet users are assigned Windows Authentication, browser considerations notwithstanding. For those familiar with fiddling with Local Authentication Types in web.config on the AD FS proxy/farm in AD FS 2.0, making this available through the UI and Powershell is a boon J

Going back to our relying party application, we can see in the produced claims that the client connection is not through the corporate network and is via Web Application Proxy using the following claims:  

http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork

http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser

clip_image070

The client is outside the corporate network and the user is now registered. As a simple test, if we only want to allow Registered Users access to our RP claims web application, we could do this through an Authorization Rule that states that only Registered Users are permitted access:

c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value =~ "^(?i)true$"] => issue(Type = “http://schemas.microsoft.com/authorization/claims/permit&#8221;, Value = “PermitUsersWithClaim”);

Logging on with a non-workplace joined client from outside the corporate network, we are denied access.

 

clip_image072

Error pages are customizable and that’s something we’ll cover in Part 3.

As I touched on earlier, we can use SSL bridging scenarios incorporating wildcard certificates on the front-end (proxy) and named certificates (on the back-end) in publishing scenarios. The pre-authentication parts allows integration with claims and non-claims aware (Kerberos) applications. Applications such as Exchange, which are not claims-aware or non-SAML kerberos claims SharePoint web applications can be configured via the Web Application Proxy. From testing rich client applications such as ActiveSync and Outlook, which use Basic/NTLM application, these are not currently supported on the Web Application Proxy either in a pre-authentication or pass-through capacity. The proxy defaults to SNI and this is not supported by some mail clients.  We’ll cover this and other authentication scenarios in Part 2.

Just to wrap up, here are some observations from testing:

-        The proxy can translate host names in URLs but not path names. Make sure that the published path matches that of the application;

-         There’s no Edit function in the UI once you’ve created a publishing rule;

-         The Web Application Proxy is currently HTTPS only, so no HTTP publishing. Hopefully this will be corrected in the near future as scenarios such as CRL/CDP publishing, which use HTTP are not supported in Reverse Proxy scenarios today. Meanwhile, HTTPS-HTTP bridging, sometimes used in Kerberos Constrained Delegation (KCD) scenarios with TMG/UAG are also not possible as AD FS is HTTPS only.

Extranet Soft Account Lockout

Extranet soft account lockout imposes an option to temporarily lockout “extranet-connected” accounts, via the Web Application Proxy, by not incrementing the AD BadPassword count on the PDC Emulator in AD once the soft lockout threshold is set in AD FS.  If the latter is reached, further logon requests are not passed to AD so that AD Password Policy “hard” lockout measures are not immediately triggered.  As the name suggests, this is a soft lockout option that is governed by use of an observation/sliding window that determines how often in a given period a user may attempt to logon via the proxy before the soft count is reached. The goal here is to frustrate password guessing attempts via brute force/DoS from the outside by nefarious users.

Update 29/10 –  SamD from the AD product team mentioned that the extranet lockout feature was also done with the view that customers with ADDS account lockout policies can prevent DOS attacks on specific user accounts by setting a threshold lower for the ADFS extranet lockout policy. This way the user still has internal access because ADDS has not locked out the user.

Soft Account Lockout can be invoked through the use of PowerShell.

$observationwindow = New-Timespan -Minutes 1

Set-ADFSProperties –ExtranetLockoutThreshold 3 -EnableExtranetLockout $true -ExtranetObservationWindow $observationwindow

Once set, we can see via Get-ADFSProperties, the changes applied:

ExtranetLockoutThreshold              : 3

ExtranetLockoutEnabled                : True

ExtranetObservationWindow             : 00:02:00

 

Here we’ve set the lockout threshold to three attempts with an observation window of two minutes.

From a testing standpoint, In the demo AD Domain setup, “hard” account lockout is not set via GPO.

clip_image074

Attempting to login at the RP WIF test application, we’re redirected to  AD FS for logon. I enter an incorrect password.

clip_image076

The PDC Emulator FSMO role in AD, which monitors the bad password count (badPwdCount) increments by 1, likewise on the second and third bad password attempts.

I entered a bad password five times in successive attempts. Continued attempts to logon with a bad password, once the observation window kicks in fails to increment the count beyond three for the windowed period of  two minutes. Once the window has elapsed, the bad password account is again incremented.

clip_image077

One of the nicer aspects of this setting is that it applies to all endpoints, be they passive or active in nature. This is particularly relevant as it also applies to web services (WS-Trust) endpoints for rich clients, e.g. Office 365.

Lost Device Protection

As covered earlier, devices registered via Workplace Join are registered within Active Directory in the container CN=<Device ID>,CN=RegisteredDevices,DC=mydomain,DC=com. Lost devices can be denied access by disabling or deleting the appropriate object within AD (I moved the device objects to another OU to test this). Access through AD FS is immediately revoked for the workplace joined client.

From testing thus far, devices joined, left and re-registered via Workplace Join are not currently cleaned up within the RegisteredDevices container. Some PowerShell scripting is currently required to enforce this and I would imagine some changes by GA or some scripts made available to manage this process.

Summary

A very long post comes to an end.  Next up, we’ll look at UI changes and authentication/access in greater detail and there’s LOTS to cover. As ever, please feel free to comment, contribute, correct and I’ll get back to you!

Comments

  1. Nice post.. really like the details you are giving folks

  2. Hi Mylo,

    Our requirement is the password of domain users on ActiveSync using iPhone and other devices should be automatically synced when their domain password is changed on their laptops/desktops. As of now, this is a manual process and generates account lockout calls. I’m aware that our lockout threshold is low, but this was set to comply with PCI requirements.

    Is this requirement possible to achieve with the above new MFA feature in WS2012 R2?

    Thank you and appreciate your response!

    • Hi Ismail,

      That’s a great question. This is not something that MFA solves right now but there are some alternatives. I’ll pop you a mail with details.

      Regards,
      Mylo

  3. Great post. Do you have any details on how the enterpriseregistration auto-discovery piece works when the internal UPN doesn’t match the external DNS domain space used by a company? e.g. if a user’s UPN is user@internal.net but their public DNS space is company.com (and email would be name@company.com) then how does autodiscovery work? thanks

    • Hi Mike,
      So sorry I didn’t get back to you on this one. Completely missed it! The enterpriseregistration auto-discovery needs to be Internet routable (i.e exist as an external DNS domain name) and needs to match he UPN suffix of the user. What I was alluding to in the article, poorly perhaps ;-), was that the actual AD forest name itself doesn’t have to be routable, just the UPN of the domain and the user suffix. Multiple UPN suffixes have been possible since AD FS 2.0 RU1 for Office 365 support, but I haven’t had a chance to test how this works for other RP applications.

  4. shalendra says:

    How to enable auditing in Workplace join, Suppose a system get connect to workplace join & system admin wants to audit it??
    What configuration are required?
    Does workplace join write event IDs??
    Please help me out on this??

    • Try looking in the Event Log under:

      Applications and Service Logs | Microsoft | Windows | Workplace Join

      Authentication activities are written to the AD FS event log..

  5. What are the event IDs workplace join generate? Does it generate, What BYOD device has accessed, How much data downloaded & uploaded?? Can we monitor it???

  6. Samuel Devasahayam (MSFT) says:

    Really nice article with a lot of good details!

    Some comments from the article:
    1. Do note that gMSA is not required to be the service account that ADFS runs on. It is an additional optimization that is available to customers if they have Win2012 domain controllers available.
    2. Also do note that the extranet lockout feature was also done with the view that customers with ADDS account lockout policies can prevent DOS attacks on specific user accounts by setting a threshold lower for the ADFS extranet lockout policy. This way the user still has internal access because ADDS has not locked out the user.

    Thanks
    /Sam

    • Hi Sam,

      Thanks very much! Kind words indeed coming from someone who played a big role in the making of this new release. I’ll update the article with your comments.

      Regards,
      Mylo

  7. Leonard Volling says:

    Mylo, great post, just finding your site. I’m not sure how well this fits here… but do you happen to have any comments on how Azure MFA can be used in a DirectAccess deployment?

    • Hi Leonard,
      Thanks! I’ve not had the chance to test DA integration with the Azure MFA product, but assuming you have the on-premise server, you might be able to integrate it via RADIUS/NAP for the user tunnel (for OTP). Alternatively, PointSharp through their MFA solution also have a credential provider (for) DirectAccess for OTP scenarios.

      Regards,
      Mylo

  8. Hi,
    I’m trying to get a understanding on what type of certificate I can use on my WAP and ADFS if I want to support for example Workplace join (but also Intune, Workfolders). In my demo envirment I have different DNS name on the inside then in the outside so I have tested with an internal PKI like below: and this works but now i want to switch to a public certificate so I don’t have to install root certiticates manualy etc.
    Subject Name (CN): adfs.XX.com
    Subject Alternative Name (DNS): adfs01.XX.local
    Subject Alternative Name (DNS): adfs.XX.com
    Subject Alternative Name (DNS): enterpriseregistration.XX.local
    Subject Alternative Name (DNS): enterpriseregistration.XX.com

    My quesation to you is – DO you have any information if I can use “Wildcard” certificate or should I use a standard SSL

    Thanks

    Björn

  9. An extraordinarily detailed, hands-on post on setting up #ADFS and Workplace Join in WS2012R2. http://t.co/TykMX57gGm #whoisMylo— Sean Deuby (@shorinsean) November 12, 2013

  10. James Frost says:

    Great post!
    Couple of newbie questions. I’m assuming the Extranet Soft Account Lockout feature is only available to those applications that are claims aware and are using ADFS? If was publishing Exchange resources with Kerberos pre-auth, or Lync with no pre-auth – would I be able to leverage that feature?
    Likewise, in what scenarios could I use the MFA to provide additional authorization checks before providing access….only with a claims aware app? Could I for example do a workplace join of an iPad and then subject connectivity to SharePoint 2013 to an MFA check that validated the identity of the device before providing access?
    Thx James

    • Hi James,
      Thanks and great questions. I’ve not tested the Extranet Soft Account Lockout yet with a non-claims aware web app, but will do. I believe soft lockout would apply to all applications being authenticated through AD FS including KCD applications, with KCD not being initiated to the application by the WAP until the user has successfully logged on. In other words, soft account lockout would apply. Reverse Proxy apps, of course, would not fall under that protection unless they were federated apps being protected by ADFS and the WAP.

      I’m covering MFA in Part 2, which I’m putting the finishing touches to. Hopefully, this will answer your questions.

      Cheers,
      Mylo

  11. Hy Mylo, Thanks for sharing this detailed information! When will you post the other parts (Part 2 and Part 3)? Thx!

  12. Maarten Keuzenkamp says:

    Great article.
    Seems that the authorization rule got mangled. Should be

    c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value =~ "^(?i)true$"]
    => issue(Type = “http://schemas.microsoft.com/authorization/claims/permit”, Value = “PermitUsersWithClaim”);

  13. Mylo,

    Thanks for the great article, was searching for such an article that clarifies on additional authentication from a long time.

    Request you to clarify further:

    a) If cert based auth is enabled as 2FA, than external users will be asked for credentails only by FBA and cert based auth will authenticate using the cert mapped to user AD profile. I guess no PIN or additional information user need to provide?

    b) In my environment, we have Domain & Forest function level as win 2003. DC are running on Win 2008 r2,
    do I need to upgrade the domain & forest function level to 2008 or 2012?

    c) Workspace feature works only for Win 8.1 & iOS. Do you have any further if it is going to support Android & Win 7 devices?

    d) Device Regisration Service (DRS) in Windows server 2012 r2, to my understanding demands for Schema to be updated to Windows 2012.
    Therefore will my domain & forest function level needs to be changed?
    Also can adding an additional DC with Win2012 will work or do I need to upgrade all my DC to Win 2012 from Win 2008?

    Kindly respond.

    JSK

    Reply

    • Hi JSK,

      Thanks for the nice comments. To answer your questions

      (a) A quick answer.. yes :-) I’ll be posting something in the coming days concerning cert-based auth as an MFA approach.
      (b) Windows 2003 domain functional level will suffice
      (c) Windows 7 (domain-joined) devices are now supported for workplace join. No news on Android devices.
      (d) To support the new “device” class utilized by DRS you’ll need to upgrade your schema to Windows 2012 R2 levels. Your domain/forest functional levels are not affected. If you wish to support Managed Service Accounts then you’ll need Windows 2012 domain controllers

      • Mylo,

        Thank you for the quick response and sorry for the delay from my side to respond.

        With respect to Point

        b: Technet Article suggest to upgrade the domain functional level:

        “Functional-level requirements

        Most AD FS features do not require AD DS functional-level modifications to operate successfully. However, Windows Server 2008 domain functional level or higher is required for client certificate authentication to operate successfully if the certificate is explicitly mapped to a user’s account in AD DS.”
        Ref Article: http://technet.microsoft.com/en-us/library/ff678034.aspx

        Also another forum suggest to upgrade the function level: http://community.office365.com/en-us/f/613/t/235755.aspx

        d: cant find much info on DRS, if you share more insight with respect to the limitation on the device it will support and can you elaborate “If you wish to support Managed Service Accounts then you’ll need Windows 2012 domain controllers” are you referring to GSMA?

      • Hi JSK,
        Thanks for that.. I’ll change the article regards the Domain functional level requirements for client cert auth.. I didn’t test at 2003 functional level so sorry for that mistake on my part.
        Regards your (d) question, yes I was referring to GSMA.

  14. Hi Mylo,
    Let me tell you , this is the best blog i can find to understand new features in ADFS 3.0.
    As you have such deep understanding of ADFS 3.0, can you please help me by answering few questions on it-
    1. Is it possible in ADFS 3.0 to customise and create different ADFS login pages for different relying parties(different websites) attached to same ADFS 3.0
    2. Can we pass on website language explicitily which can be captured by ADFS 3.0 to serve the login page in that specific language.

    Thank in advance
    TicArch

    • Hi TicArch,

      Wow.. thanks for the kind comments. On your questions:
      1. I was fortunate enough to get to exchange mails with the Program Manager for ADFS on this very topic. The answer I got was No, not in the current release, but is technically possible if you’re willing to modify JavaScript to support this in the ADFS content.. I’ll ping a mail to the person concerned and see if they have an update.
      2. If the localization isn’t specified then it will revert to the default locale if memory serves me right. If I understand you right, you mean to overwrite the browser localization settings, hence the explicit comment?

      Regards,
      Mylo

  15. Hello Mylo,

    We have to integrate ADFS 3.0 with SAML 2.0 (service now)? will there be any compatibility issues that we might face?

    If so, what are the extra settings we need to do on ADFS 3.0 side to make this integration work?

    • Hi Kunika,

      I’ve not actually used ServiceNow but it seems to be fairly well supported re: AD FS on their forums. I don’t imagine there’s much difference between integrating it with the latest release than with AD FS 2.0.. the same limitations/constraints apply.. I recall from reading stuff in the past that Single Logout doesn’t work as expected and you have to call wasignout (WS-Fed) endpoint to do a sign out of the application.. but this as with other SAML 2.0 SPs, won’t actually sign you out of the application as the SSO cookie persists… don’t know if that has changed and they now support signing of logout requests on the SAML SP side…

      Cheers,
      Mylo

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 97 other followers

%d bloggers like this: