Windows 10 Passwordless – Azure AD Join, Microsoft Intune and Windows Hello for Business

October 12, 2018Azure AD Join, MFA, Microsoft Intune, Multi-Factor Authentication, Password-less, PKI, Route443, Windows 10, Windows Hello for BusinessAADJ, Azure AD Join, Biometric, Intune, Microsoft Intune, Passwordless, Single Sign-On, SSO, WHFB, Windows 10, Windows Hello for Businessmylo

We’re back and it’s been a W H I L E…. let’s jump right back in with some Single Sign-On (SSO) passwordless fun with Windows 10, Azure AD Join, Microsoft Intune and Windows Hello for Business. This article is also uploaded to the Route443 blog here.

In this post we describe one route to incorporating passwordless technology that leverages customer investment in the Microsoft cloud, specifically Enterprise Mobility + Security. We assume the customer is in possession of a hybrid infrastructure, with on-premise pieces (Active Directory Domain Services, Certificate Services etc.). Most customer configurations we come across are those where a Hybrid Azure AD-join configuration has been opted for, with the on-premise identity being the dominant one.

We’ll use Windows Autopilot to kick start a hypothetical migration from hybrid to cloud-only, in doing so using Microsoft Intune as an alternate for SCCM and on-premise GPO, rolling out Windows Hello for Business as part of the process, together with Wireless 802.1X and AlwaysOn VPN profiles. Finally, a single sign-on (SSO) path back to on-premise resources is a must.

Here we take a Windows 10 version 1803 client and join it to the tenant Azure Active Directory. As way of demonstrating the platform capability, we:

Provision the machine using Windows Autopilot and onboard the user using multi-factor authentication (sans password)
Use Windows Hello for Business for Multi-Factor Authentication (MFA) via biometric gestures and PIN for fallback
Use TPM-backed certificate authentication to provide secure access to the end-user both in deployment and access to:
- VPN using Win10 AlwaysOn VPN
- Secure wireless using 802.1X
Use Credential Guard to isolate and protect secrets (e.g., NTLM hashes / Kerberos ticket-granting tickets)
Leverage Single Sign-On (SSO) access to on-premise resources:
- File servers
- Print servers
- Application servers

Machines are built using Windows Autopilot and joined to the Azure Active Directory (AADJ). Since these are AADJ devices, they will not be part of the on-premise Active Directory. User accounts exist in both the cloud and on-premise AD.

Moving on, let’s peek at the configuration

In this use case, we’re going to deploy a Windows 10 machine using Windows Autopilot. In a conventional Windows deployment, Out of the Box exprience (OoBE) requires the user to identify whether the device is personally or organizationally owned, the selected option then triggering a different set of configuration workflow. For an organizational join, the client needs to have visibility to the Internet to process the registration of the device and the user.

Windows AutoPilot simplifies this decision-making process by directly tying the procured hardware to the organization tenant, importing the hardware ID of the device into the Microsoft Store for Business. The Out of Box Experience (OoBE) lands the user on the tenant branded logon screen.

When prompted for credentials, we enter our tenant details (in this example Route443). In a standard Windows configuration, we’d be required to enter a password after entering the username. Since our goal is passwordless, we look to stronger mechanisms for authentication. During OoBE deployment Windows Hello for Business is not available, so an alternative credential is required. FIDO 2.0 would be ideal but is not yet General Availability (GA) in a Windows 10 release. Vendors such as Yubikey have incorporated FIDO 2.0 into their product range and are ready to support the up-coming release of Windows 10 that includes support for FIDO 2.0.

With Multi-Factor Authentication (MFA) enabled in the tenant and phone sign-in configured for the user, the Microsoft Authenticator app can be used to do passwordless sign-in. Like Windows Hello for Business, it uses key-based authentication for the user credential bound to a device (Biometric or PIN). With phone sign-in enabled for the AAD account, the enrolling user will see a number onscreen.

Within the mobile authenticator app, the user must match the number that appears on-screen with that surfaced via the mobile app.

Note that the App itself can be protected either by Touch ID or PIN. Once successfully authenticated, the machine will continue with configuration. Consistent with the organizational Intune policies in this example, the user will be prompted to register a PIN for Windows Hello for Business. This is also used for fallback in case biometric options (facial recognition/fingerprint) are not available.

Click on PIN requirements to see what your organizational policy has decreed.

Once the PIN is set, the user is able to login with their Hello PIN. Should the device have other Hello capabilities, such as facial recognition or fingerprint reader, then these can also be engaged.

In the above example, the device is configured for facial recognition. Changing biometric settings can also be modified under Windows Settings|Accounts|Sign-In Options.

Devices are enrolled for Intune MDM and Azure AD joined. This can be checked via Windows Settings|Accounts|Access Work or School.

With device configuration profiles defined in Microsoft Intune and assigned to devices, the AADJ client will receive the appropriate configuration.

Specific to this configuration, the following profiles are relevant:

Certificate configuration profiles
- Root CA
- Issuing CA
SCEP profile for Windows Hello
SCEP profile for WLAN/VPN
1X WLAN profile
AlwaysOn VPN profile

Certificate Authority Configuration Profiles

If certificates are pushed out via SCEP, then an Enterprise PKI and NDES server, acting as a Registration Authority, is required, together with an Intune connector installed on the server. As announced at Ignite, Intune will support 3rd party CAs in the near future.

A configuration profile is required for each tier of the PKI. In this example, a two-tier PKI exists, with a profile for each CA pushed to the client.

SCEP profile for Secure Wireless / VPN

A SCEP profile is rolled out with a Client Authentication EKU to satisfy the 802.1X and AlwaysOn certificate requirements. This certificate is then used by these services to authenticate the client to the back-end Network Policy Server (NPS) running behind the respective wireless and VPN services.

SCEP Profile for Windows Hello

While Windows Hello for Business prefers hardware-backed credentials, not all computers are in possession of a Trusted Platform Module (TPM). Intune provides options for falling back to a software-based credential, should the need arise.

In Certificate Trust scenarios using Windows Hello for Business, a SCEP profile is required with a Smart Card EKU. This is to satisfy access conditions for Single Sign-On (SSO) for Windows Hello for Business against the on-premise domain.

Secure Wireless LAN profile

The Secure Wireless LAN profile contains the configuration for the on-premise wireless network, EAP type settings, authentication methods etc. Use of certificates ensures that access to the on-premise wireless is seamless when in-range. For a more immersive experience, machine certificates are preferred for use, subject to their availability in Intune.

AlwaysOn VPN profile

The AlwaysOn VPN profile contains the configuration for the on-premise AlwaysOn VPN server (Microsoft replacement for DirectAccess). The more detailed settings are minted from a EAP.XML file generated on a test machine manually and then imported into the Intune blade in Azure Resource Manager (ARM) console.

Dependent on whether the user is on-site at the business location or working from home, connectivity to the network, either via secure wireless (802.1X) or IPsec VPN (IKEv2) gives access to the corporate resources, courtesy of the provisioned certificates. This is carried out transparently. Since these are user certificates, connectivity is established after interactive logon.

This is down to a limitation in the Microsoft Intune SCEP configuration profile that assumes all assigned certificates are to be user-oriented, rather than machine. Thankfully, based on details from Microsoft at Ignite, an upcoming Microsoft Intune release will provide additional support for machine certificates. Once these are available, we’ll follow up with an additional post.

On-Premise Access and Single Sign-On (SSO)

So how are on-premise Active Directory resources accessed in a native Azure AD Join (AADJ) scenario? It may come as a surprise, but AADJ clients can also communicate with on-premise Active Directory resources. This is down to functionality built into recent versions of the Windows 10 client and Azure AD Connect, providing additional details during AAD Sync that can be subsequently used by the Windows client. It’s worth pointing out that this functionality is not specific Windows Hello for Business, but for AADJ clients as a whole that wish to communicate with on-premise resources.

It is assumed there is line-of-sight to a on-premise domain controller from the Windows 10 client. Line-of-sight can mean on-premise wired, wireless (802.1X) or Always On VPN.. For our passwordless scenario, the authenticated user has the aforementioned “Hello” certificate deployed via SCEP.

If on-premise domain controllers are Windows Server 2016 or above, then the certificate trust model for Windows Hello for Business, described here, can be dropped in favour of the key trust model. This simplifies deployment by not requiring SCEP/NDES for the Smart Card.

Using DSREGCMD from the command-line we can derive some useful information concerning the client.

Hello

This is an Azure AD joined device, with TPM-backed private keys for certificates created during the enrollment being stored in TPM. The user also has been enrolled for Windows Hello for Business (NgcSet: YES).

In this article, we illustrated how it is possible to optimise investment in Microsoft cloud services for deploying workspaces across any network, using modern secure authentication, whilst maintaing the ability to seamlessly access on-premise applications. This managed workspace achieves feature parity comparable to that of a classically deployed workspace. By utilising modern secure authentication, together with Azure AD Domain Join, this provides opportunities for customers to take advantage of other identity-as-a-service pieces already available in the Microsoft cloud.

For more information on these interesting topics, please contact us at Route443.

Using Pinpoint DNS to route AD FS authentication traffic

July 2, 2017AD FS, ADFS, Azure, DNS, IaaSAD FS, ADFS, authentication, DNS, logon, performance, Pinpointmylo

In this post, we’ll look at pinpoint zones in DNS and how they can be used to route AD FS traffic more favorably for authentication.

In larger AD FS setups with thousands of users, enterprises may be using a global farm spanning multiple regions. In the absence of global site load balancing, pinning users to a particular region for authentication is not trivial, and begs the question: How do I respond with different IP addresses from a single hostname?

Let’s look at a hypothetical AD FS scenario using Azure VMs. Our farm is located in Azure region US East and two AD FS farm nodes are configured behind an Azure internal load balanced virtual IP of 172.20.15.5. On the Internet facing side, we have a pair of Web Application Proxies (WAP) connected to an Azure Internet load balancer (these are not germane to this discussion).

An ExpressRoute connects the corporate New York headquarters of the organization to the Azure network in the US, and a similar connection links up Europe via their London office. An (A) record in DNS adfs.mydomain.com points to the IP address of the Azure load balancer.

Users in Europe, however, are reporting that AD FS logon times are poor when connected to the company network. To improve response time and overall performance, an additional farm in the Azure region UK South is deemed necessary.

From an AD FS perspective, the challenge at this point is how to route internal logon traffic to the new farm. Remember that the federation service URL in internal DNS currently points to the US East VIP of the Azure load balancer.

The trick is using a pinpoint DNS zone. We create a primary zone in DNS representing the URL of the federation service. By making it a primary zone we are allowing control over which domain controllers the zone is created on and whether it is replicated (Active Directory Integrated). By localizing it to domain controllers of our choice, say Europe, we can then create an A record in DNS that points to the Europe Azure internal load balancer VIP (172.20.75.5).

Let’s see how that works. On a European domain controller, we create a new primary forward lookup zone (adfs.mydomain.com)

Once that’s done, we create an (A) record in DNS in the adfs.mydomain.com zone. Leave the name blank.

Those clients using this domain controller as their DNS server will now resolve the name to the European load balancer.

On each domain controller where we wish connecting clients to use the European AD FS farm, we repeat this process. Other domain controllers that are using the Active Directory Integrated (ADI) replicated version of this record will continue to resolve to the US East Azure internal load balancer.

Backup and Recovery with the AD FS Rapid Restore Tool

October 2, 2016AD FS 2012 R2, AD FS 2016, Backup, Disaster Recovery, Restore, Web Application Proxy, Windows Server 2012 R2AD FS, AD FS 2016, ADFS, ADFS 2016, ADFS 3.0, ADFS 4.0, Backup, Disaster Recovery, Environment, Migration, Rapid Restore Tool, Restore, Testing, Windows Server 2012 R2, Windows Server 2016mylo

Slipping out of the Microsoft stable recently with little fanfare, the AD FS Rapid Restore Tool. As the name suggests, this is a tool geared at aiding in the recovery of your AD FS configuration / environment, in the event of server failure or disaster. To date, effectively backing key material and/or relying parties has been a proverbial thorn-in-the-side for AD FS administrators, so the release of this utility is very interesting.

Does this tool do the trick? Let’s give it a whirl…

Download the MSI and install the tool. You can get the MSI from here. Supported versions are AD FS 2012 R2 and AD FS 2016. The tool is directly installed on the farm node and the installation process is very straightforward ( a la Next Next Next).

2016-10-01_15-04-32

With the tool installed we can launch a Administrative PowerShell prompt and then import the module.

2016-10-01_21-25-16

Let’s look at some of the command option via Get-Help Backup-ADFS -full

2016-10-01_18-09-49

As can be seen from the graphic above, when we call the Backup-ADFS cmdlet, backup of the AD FS configuration is possible to both the filesystem or to Azure. In these test scenarios, the local file system is used.

A backup folder (e.g. C:\ADFSExport) is created manually as the backup/restore location. The Backup-ADFS cmdlet is then run. Here’s the syntax used for testing.

Backup-ADFS -StorageType “FileSystem” -StoragePath “C:\ADFSExport\” -EncryptionPassword “12345678” -BackupComment “Clean Install of ADFS (FS)” -BackupDKM

2016-10-01_18-07-26

Oops.. a warning. As the Microsoft documentation points out, your AD FS SSL/TLS certificate will only be backed up during the export if the private keys are marked as exportable and the associated Manage Private Keys permission is given to the user running the script. In the above example, my certificate does not fit that criteria. A simple way to check beforehand is to attempt to export the SSL certificate via the Certificate Export Wizard. If “Yes, export the private key” is greyed out, it’s not exportable. Now go find that PFX ……

2016-10-01_18-16-45

Where the script can’t handle the service communication certificate migration, the PFX should be manually imported on the replacement server before the restore script is run.

By the way, the token signing and decryption certificates (incl. private keys) used by AD FS are stored in the AD FS configuration database itself. These certificates are then encrypted using something called the Distributed Key Manager (DKM). A container is created in the local Active Directory of your AD FS during installation of the first AD FS node in the farm. The DKM master key is then stored in this container. The recovery tool provides for backup of the DKM facility and in the export command-line above the “Backup-DKM” is used. I’m no expert on DKM, so if you require a more detailed information, I suggest you go hunting here.

Onto the recovery. Here I wanted to test a number of changes.

Same Server Recovery

For this simple test, we elected to remove the AD FS farm (primary) role in each case and cleaned out the AD FS container in Active Directory (CN=ADFS,CN=Microsoft,CN=Program Data). A fresh installation of AD FS was then made, the tool installed and then the restore operation begun. Any existing configuration database was overwritten.

Restore 1 – Basic

To begin with, in the first restore, we help the tool along a little bit by partially rebuilding the AD FS server. I added the AD FS role manually via Server Manager, specified the federation service name, the SSL certificate to use and the relevant service account. Here the recovery script was as follows:

Restore-ADFS -StorageType “FileSystem” -StoragePath “C:\ADFSExport\” -DecryptionPassword “12345678” -RestoreDKM

Restore worked fine. No errors and the WAP connected back to the “new” farm without issues.

Restore 2 – Complete

This option required providing the command-line with a little more information as the role was not pre-installed. Consequently, those missing elements, pre-loading of SSL/TLS service communications certificate aside, needed specifying.

Restore-ADFS -StorageType “FileSystem” -StoragePath “C:\ADFSExport\” -DecryptionPassword “12345678” -RestoreDKM -ADFSName “adfs.mydomain.com” -DBConnectionString “WID” -GroupServiceAccountIdentifier “MYDOMAIN\gmadfs$”

Again, no issues. Impressive.

That SSL error during the initial export was still bugging me though. Just to make sure that SSL export really was supported, I flipped the Service Communications certificate in AD FS to one with an exportable private key (the replacement certificate was one from a local test CA, complete with Server Authentication EKU). The cert then needed to be assigned to AD FS via PowerShell.

dir cert:\LocalMachine\My
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint thumbprint
Set-AdfsSslCertificate -Thumbprint thumbprint

After an AD FS restart, with the new certificate in place, I then reran a new export:

As can be seen from the above screenshot, with the exportable cert in place there were no SSL errors this time. Removing AD FS and then rerunning the Restore-ADFS cmdlet an additional time then demonstrated that the SSL certificate was then imported as part of the recovery. Nice.

New Server Recovery

Of course, no test is worth its weight in custard unless we actually go the extra mile and try and break stuff. In the next scenarios, we’ll tweak the configuration a little, moving AD FS to a completely new server and do a database recovery to a new format.

Restore 1 – WID to SQL

As well as introducing a new server, complete with different IP, computer name etc., we will also migrate the recovered solution to a new database form factor, as part of the recovery. Via the script, the original Windows Internal Database (WID)-based AD FS solution will be refactored in SQL Server.

Restore-ADFS -StorageType “FileSystem” -StoragePath “C:\ADFSExport\” -DecryptionPassword “12345678” -RestoreDKM -ADFSName “fed.route443.net” -DBConnectionString “data source=sqlserverFQDN;initial catalog=adfsconfiguration;integrated security=true” -GroupServiceAccountIdentifier “MYDOMAIN\gmadfs”

The change in the script is minimal from previous cases. In order to effect the transition from WID to SQL we simply provide the necessary connection string in the Restore-ADFS cmdlet so that the recovery tool can provision the AD FS configuration and Artifact database on the SQL Server. Running the restore script against Backup ID 8 (in this example).

2016-10-02_7-50-31

The restore is complete without errors. On the SQL Server in Management Studio, the databases are successfully provisioned.

2016-10-02_7-48-33

On our Web Application Proxy (WAP) in a HOSTS file (or DNS – YMMV), we update the reference to the AD FS farm pointing to the new IP address. Excellent! Cue login test page and successful logon.

2016-10-02_8-06-54

Restore 2 – SQL to WID

Believe it or not, the request to move from SQL to Windows Internal Database (WID) does come up from time-to-time on Technet forums, so I thought I’d validate this scenario also. Here we’re moving back our AD FS configuration database(s) running on a SQL workload to WID. We back up our ADFS/SQL server and then copy the C:\ADFSExport folder to the newly minted server. Here the following syntax is then run:

Restore-ADFS -StorageType “FileSystem” -StoragePath “C:\ADFSExport” -DecryptionPassword “12345678” -RestoreDKM -ADFSName “adfs.mydomain.com” -DBConnectionString “WID” -GroupServiceAccountIdentifier “MYDOMAIN\gmadfs$”

2016-10-02_9-37-11

Item 9 is the ADFS/SQL backup which we wish to restore. Again, on the WAP we point away from our old ADFS / SQL pair to our freshly restored ADFS / WID combination and test logon and we’re up and running.

Summary

This is an outstanding tool and one every AD FS administrator should be in possession of. Not to be underestimated, the AD FS Rapid Restore tool not only adds great value to the recovery process, but also provides an excellent means for copying/mirroring your environment AD FS for testing. Moreover, as can be seen from the previous screenshots, it’s also an excellent way of backing up and charting your AD FS configurations vis-a-vis change management.

DirectAccess with PointSharp ID

July 27, 20162FA, DirectAccess, Multi-Factor AuthenticationDirectAccess MFA 2FA PointSharpmylo

Just a quick post to let you know there’s a new article on the Route443 blog, on the subject of using strong authentication with DirectAccess. Here is the link. In addition, there’s a webinar on this subject for anyone interested, hosted by PointSharp. You can subscribe to this event here.

Enjoy!

AD FS – Old Habits (idpinitiatedsignon.aspx)

June 16, 2016AD FS 2.0, AD FS 2016, AD FS 3.0, AD FS R2, AD FS VNext, ADFS, Windows Server 2012 R2, Windows Server 2016AD FS 2.0, AD FS 3.0, AD FS R2, ADFS, SAML 2.0, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016mylo

Usually after building an AD FS/WAP farm I test locally from the Internet and the Intranet using (to-date) a fairly reliable source of verification that the service is up and running. I’m referring to, of course, the IdP sign-in page (../adfs/ls/idpinitiatedsignon.aspx). This offers a simple way of validating login via AD FS.

With Windows Server 2016, this page is no longer surfaced “out-of-the-box”.. if you want to do a SAML 2.0 IdP-initiated sign-on, this functionality will need to be enabled. Otherwise, connecting to the obligatory sign-in page, will produce an error similar to the following:

2016-06-10_18-06-00

Testing from the Web Application Proxy itself directly, pointing to the AD FS farm, we may see an HTTP 503 Service Not Available error.

Via Powershell, it can be switched back on:

set-adfsproperties -EnableIdpInitiatedSignon $True

Now, before we get too hasty, knowing that we can turn it back on versus actually turning it back on are two different things 🙂 If it’s directly required, IdP-driven sign-on is a feature of your federation setup, then you may have no choice. For example, certain SaaS/Cloud applications simply don’t support SP-initiated workflow.

For some organizations I’ve worked for though, this page is seen as insidious because it reveals the relying parties configured on your AD FS farm anonymously.

AD FS 2.0

2016-06-16_18-57-06

AD FS 2012 R2

2016-06-16_18-58-34

Going back to AD FS 2.0, customers are often unwilling to float this data anonymously via the sign-in page and want to hide the RP enabled trusts visible on the page, sometimes re-writing the code behind to do so or even hiding it from the browser via obfuscation.

Whatever your view, it’s off by default in Windows Server 2016. Those of a paranoid bent may now breathe …………. in….. out….in… out…. there you go 🙂

Blogging @ Route443

May 29, 2016AD FS, ADFS, Azure, Azure AD, Identity and Access, Route443, Uncategorized, XenApp, XenDesktopRoute443mylo

While I continue to post identity and access-related material here, a note to let you know that you can also find posts from myself and other colleagues on a blog over at Route443. This is a new organization recently co-founded and setup to aid and assist companies make better use of nascent technologies, such as cloud, for business advantage. You can find more about the company here.

Here’s a quick summary of what’s been posted so far on the blog.

My colleague, Edwin, set the ball rolling back in March with a post about Azure Identity Protection. He followed this up quickly with a nice piece on the Evolution of Access Control. In April, came a post about Azure AD as an Identity Provider from yours truly. Then last week, another colleague (Dennis) pipped everyone to the post by writing an excellent walk-thru of the new SAML Authentication capability found in the next (7.9) release of Citrix XenDesktop and XenApp. A highly recommended read and a world “first”.

In the coming weeks, we’ll be taking Azure AD out for a test drive…

See you there, oh … and here 🙂

Damian / “Mylo”

Back to the Home Realm Discovery in 2012 R2

May 20, 20162FA, AD FS R2, Customization, Home Realm Discovery, MFA, Multi-Factor Authentication, PointSharp, Strong Authentication, Windows Server 2012 R2mylo

Hello all. You may recall from older posts on this blog (2012) that we’ve played around in the past with Home Realm Discovery (HRD) in AD FS.

First with IWA and forms logon here and then a little bit more for good measure. Since then it’s been a little quiet on the HRD fence and not a subject delved into much since. That is, until an issue a colleague and I ran into an issue recently… confronted with the following AD FS R2 access conundrum:

“ How can we route (automatically) external logon requests to a third-party claims provider, continue to route internal logon requests to the native AD claims provider (i.e. maintain transparent SSO), eliminating any Home Realm Discovery (HRD) for our users to have to walk through and select?”

Or… to put it more simply. How can one automatically route external route requests to claims provider A, continue to route internal requests to (AD) claims provider B, whilst altogether avoiding Home Realm Discovery (HRD) for all users?

We’ll discuss the exact use case in a moment. This is a RP-initiated work-flow. No IDP-initiated flow or smart links are allowed.

First, a bit of background. Let’s head back to the first look posts on AD FS 2012 R2 in 2013/2014. In there I wrote:

“In AD FS R2, HRD customization options through PowerShell now allow us to determine how the UI is presented to the end-user during logon, based on:

1. target suffix resolution – providing suffix routing on a per claims provider basis
2. limiting the claims providers visible for the relying party concerned”

With the move to kernel-mode in R2, customization previously possible under IIS in AD FS 2.0 was no longer applicable. To redress this issue and to provide greater flexibility, the above customization options were provided. Suffix routing enables AD FS 2012 R2 to select an appropriate claims provider based on the domain suffix credentials provided by that user. Broadly speaking, this is just how O365/Azure AD works in attempting to discover the Federated home realm v Microsoft realm of the connecting user. Similarly, for on-premise AD FS, suffix routing enables us to refine our logon decision-making based on the home realm of the connecting user. Here’s an example:

Users from the Cranky Nuts organization, connecting via AD FS, use a @crankynuts.nl domain suffix. Accordingly, we need to send authentication requests to the Cranky Nuts Identity Provider.
Users from the Wobbly Wheels organization, connecting via AD FS, use a @wobblywheels.be domain suffix. Accordingly, we need to send authentication requests to the Wobbly Wheels Identity Provider.

In AD FS 2012 R2 we can configure this within Powershell:

Set-AdfsClaimsProviderTrust –TargetName “Cranky Nuts IdP” –OrganizationalAccountSuffix @(“crankynuts.nl”)
Set-AdfsClaimsProviderTrust –TargetName “Wobbly Wheels IdP” –OrganizationalAccountSuffix @(“wobblywheels.be”)

Wonderful! Using this approach can be a little hit and miss though. It’s making certain assumptions about the level at which we’re prepared to divert authentication on, i.e. the domain level. That’s not always the case.

We could, alternatively, opt for the other method: targeting claims provider selection at the Relying Party Trust level. Again, this is useful functionality. Here’s an example.

Set-AdfsRelyingPartyTrust -TargetName “BodgeIT Inventory ” -ClaimsProviderName @(“crankynuts.nl”)

This makes the “BodgeIT Inventory” Relying Party/Web Application, available to users of the Cranky Nuts organization, bypassing the local AD claims provider. Should we need to extend access to additional claims providers, such as our local Active Directory, then we can add that issuer to the mix. The downside of this option, is that we’re forced into making a home-realm discovery selection during logon.

The Suffix and RP-specific claims provider options, therefore, do have some limitations. Indeed, for the scenario that we were faced with, neither option fit. In our situation, two claims providers existed for a single organization, with each CP containing the same set of users. The use case? Two-factor authentication. The upstream claims provider (CP) provides two-factor authentication (2FA) for users connecting from the outside , while the incumbent local AD claims provider covers local Windows logon.

Of course, two claims providers means Home Realm Discovery (HRD) and HRD can be confusing. We can remedy this for internal users, ensuring they don’t get the HRD prompt by defaulting to the use of the local AD claims provider via Powershell:

Set-ADFSProperties –IntranetUseLocalClaimsProvider $True

This doesn’t solve the problem for access from the outside. Moreover, we expressly wish to send all connecting users to our 2FA claims provider, rather than to the in-build AD claims provider…. We could use auxiliary authentication provided by the MFA Adapter in AD FS 2012 R2, thereby eliminating the use of the upstream claims provider. However, that might not be feasible as:

Leading with the AD password as the primary authentication credential may not be allowed.
The vendor has an MFA adapter for AD FS 2012 R2.

Even where the latter is available, the (security) policy prerogative might be that use of 1) is not allowed, thereby overriding (2).

<PLUG>To demonstrate issue, cue favorite authentication platform PointSharp (</PLUG>

PointSharp possess both a Security Token Service (STS) that can stip atop AD FS as a 2FA claims provider role and also have an MFA adapter for AD FS 2012 R2 / 2016. Since use of the MFA adapter has been prohibited by the customer according to the rules above (not wanting to lead with AD password as a primary authentication credential), the STS as a Claims Provider was selected instead.

You’ll recall we turned off HRD for internal users by setting the IntranetUseLocalClaimsProvider setting to TRUE. With the PointSharp STS configured as a claims provider, external users will get continue to get the HRD screen as AD FS cannot determine where the user lives without the appropriate “hint”. In AD FS 2.0 it was possible to workaround this by customizing the AD FS 2.0 proxy configuration, modifying the Page_Init section of the homerealmdiscovery.aspx.cs file. We could then remove Active Directory as a claims provider (0)

PassiveIdentityProvidersDropDownList.Items.RemoveAt(0);

Once that was done, default realm selection would fall to our other claims provider (STS)

SelectHomeRealm ( PassiveIdentityProvidersDropDownList.SelectedItem.Value );

As you are no doubt aware, IIS has been supplanted in AD FS 2012 R2 with everything running in kernel-mode. Thankfully, all is not lost though. Some of the functionality previously possible under IIS has moved to Javascript and customization of the onload.js script is covered in a couple of scenarios here..

Variables previously living in .NET code-behind are visible in the View Source of the web page of the HRD screens. Options for both claims providers are visible.

….HRD.selection(‘http://adfs.mydomain.com/adfs/services/trust’);” onclick=”HRD.selection(‘http://adfs.mydomain.com/adfs/services/trust’); …….
….HRD.selection(‘https://sts.mydomain.com/login/’);” onclick=”HRD.selection(‘https://sts.mydomain.com/login/’); …….

HRD.selection is the main feature of interest. There’s an action on clicking the realm manually that specifies the HRD we require. We can automate this by moving the selection to the onload.js script, thereby automating selection of the PointSharp Claims Provider. First, we need to customize our AD FS setup.

We create a new theme called PointSharp based on the default AD FS theme

New-AdfsWebTheme –Name PointSharp –SourceName default

Export the default theme to allow our customization

Export-AdfsWebTheme –Name default –DirectoryPath c:\scripts

Copy the default onload.js to the C:\Scripts folder and edit it. At the end of the script, we simply add the reference to the PointSharp claims provider using the following syntax (replace with your own CP) :

HRD.selection(‘https://sts.mydomain.com/login/’);

We then import the new PointSharp theme including the modified onload.js.

Set-AdfsWebTheme -TargetName PointSharp -AdditionalFileResource @{Uri=’/adfs/portal/script/onload.js’;path=”c:\scripts\onload.js”}

Activate the new theme.

Set-AdfsWebConfig -ActiveThemeName PointSharp

External users will be now routed to the PointSharp claims provider for login, whilst AD logon for internal users is still preserved. Please note that this is a GLOBAL change affecting all users of the AD FS farm and test extensively as it might not be your cup of tea…

Customizing AD FS Relying Parties in Windows Server 2012R2

March 21, 2016AD FS 3.0, AD FS R2, Customization, Relying Party, Windows Server 2012 R2AD FS 2012 R2; Customize Relying Parties; Windows Server 2012 R2; AD FS 3.0mylo

You may recall a previous post from a few weeks back, concerning customization of AD FS Relying Parties in Windows Server 2016. This functionality is now out-of-the-box in the latest version of AD FS. What was less well-documented was examples of how this could be accomplished in Windows Server 2012 R2. Pierre Audonet from Microsoft has thankfully solved that problem by posting this great article on Technet, that describes how to customize the onload.js script for registering custom URIs and illustrations to bind to your relying parties. Thanks Pierre!

Office 365 and MFA in AD FS 2016 (TP4)

March 11, 20162FA, AD FS 2016, AD FS 4.0, MFA, Multi-Factor Authentication, Office 365, Powershell, Relying Party, Windows Server 2016AD FS;ADFS;ADFS 4.0;ADFS 2016;MFA;2FA;O365;Multi-Factor Authentication;Office 365mylo

I recently added my O365 tenant, for testing purposes, to a AD FS in Windows Server 2016 TP4 and noticed something rather unusual. Via the AD FS Management snap-in it was not possible to assign an access-control policy in AD FS to my Office365 Relying Party (RP). Looking at my RP Trusts, I could see the Access Control Policy section was blank.

Right-clicking over a Relying Party in AD FS 2016 TP4 reveals an additional menu option for editing Access Control Policies:

Doing this on the O365 RP, only the Issuance Authorization Rules pipeline is visible, nothing else.

If we compare that with a normal RP.

Right-clicking and selecting access control policy, the administrator is presented with the option of choosing an appropriate policy for that RP: in our case, the desire to use multi-factor authentication.

Why this does not appear on the O365 pipeline, I can only speculate. It might be partially explained by the fact that creating the Office 365 Identity Platform relying party is normally performed via PowerShell and Microsoft wanted to keep this procedure ubiquitous across all versions of AD FS since v2.0. For example, the following command will create the Office 365 Identity Platform RP should it not exist.

Update-MsolFederatedDomain -SupportMultipleDomain -DomainName mydomain.com

Alternatively, following the principle of Occam’s Razor, it could be Microsoft have simply not got round to updating their code to detect AD FS 2016 during O365 Relying Party creation Smile Either way, from previous experiences of using MFA under Office 365 via AD FS 2012 R2, we do know it IS possible to use MFA with O365, so getting it working with AD FS 2016 just requires a little more effort. ..

Looking at our O365 RP in PowerShell (Get-ADFSRelyingPartyTrust) , we see no access policies configured. Under the O365 Relying Party it’s blank.

Compare this to an RP that does have an access control policy configured:

Since the UI doesn’t allow enabling MFA in an access policy for our O365 RP, playing around with PowerShell reveals that it is possible using the Set-ADFSRelyingPartyTrust cmdlet .

Set-AdfsRelyingPartyTrust -AccessControlPolicyName ‘Permit everyone and require MFA’ -targetidentifier https://login.microsoftonline.com/extSTS.srf

Check the O365 relying party (Get-ADFSRelyingPartyTrust) that an Access Control Policy has been added.

In the GUI, we then see the applied policy (Permit Everyone and require MFA) appearing.

Connect to Office 365 and we’re redirected to our AD FS instance. Enter the AD credentials for the user and then MFA kicks in:

As ever, play and test at your own peril Smile

AD FS Extranet Lockout: a case of the unintended pun

March 3, 2016AD FS 3.0, AD FS 4.0, AD FS R2, Extranet Lockout, Web Application Proxyaccount, AD FS 2012 R2, AD FS 3.0, AD FS 4.0, Brute Force, DoS, Extranet Lockout, FSMO, lockout, Password, PDC Emulator, Web Application Proxymylo

Just a very quick post, to describe a problem recently experienced at a customer.

Extranet Lockout, available in AD FS 2012 R2 and beyond, is a great security function that helps shield the AD password from remote attack. The normal Active Directory conventions for protecting an AD account include:

Password complexity
Account Lockout policies
Password Length

In a remote access scenario we need to consider the impact of users incorrectly entering their credentials versus scenarios where:

an attempt to maliciously lockout an account is attempted
a brute force attack is attempted on said account

Enter Extranet Lockout. By implementing this as a policy on the AD FS server, we can stipulate that after x number of invalid logon attempts via the Web Application Proxy, not to forward further requests to Active Directory, thereby protecting that account from lockout. For example, if our AD account lockout policy stipulates lockout at 10 logon attempts, we set our AD FS extranet policy at a lower value, say 5.

All good. There is a caveat though. Extranet Lockout capability does introduce a direct dependency between ADFS and the PDC Emulator Active Directory FSMO role. If you do plan on using this feature it’s worth considering this. Otherwise, extranet lockout may occur for very different reasons Smile Connectivity between the AD FS farm and the Domain Controller hosting this role is assumed. Should the situation arise where network connectivity between the two is broken, then users will be unable to logon at AD FS. This applies even where local domain controllers are co-located next to AD FS. It turns out that the PDC Emulator must be contacted on each logon attempt. This sort of issue can arise in an enterprise (e.g. global) setup, where AD is distributed, living in different data centers; the AD FS services in one and FSMO roles in another.

Should the above scenario occur, the immediate solution is to disable Extranet lockout. Longer term remedies may come in different forms:

Ensure a redundant path on the network exists between the two locations, to avoid single points of failure;
Consider moving the FSMO roles into the data center where AD FS lives to eliminate the WAN as a point of failure;
Reconsider use of Extranet Lockout until one of the above two are implemented… Disclaimer (see below)

However, the PDC Emulator role, hosted on a single domain controller, does introduce a single point of failure. FSMO roles can be seized or transferred, though this requires manual intervention. A good monitoring setup can also help reduce potential downtime by way of monitoring the PDC emulator or more specifically, the server running underneath it. Monitoring AD FS service health can also help identify problems if the tool used is capable of checking logon with a synthetic transaction (e.g. testing login with a SOAP message against a WS-Trust endpoint). Nonetheless, the fact remains that with the feature enabled, this represents a single point of failure into your AD FS setup. You’ll need to evaluate organizational requirements (security v availability) and whether the individual protection offered by Extranet Lockout outweighs the possible service availability impact that arises through failure of the server hosting the PDC Emulator.

Customizing AD FS Relying Parties in Windows Server 2016 (TP4)

February 15, 2016AD FS 2016, AD FS 4.0, AD FS VNext, Powershell, Relying Party, Windows Server 2012 R2, Windows Server 2016AD FS 4.0; Windows Server 2016; Relying Party; Customization; RP;mylo

A while back I was lucky enough to chat with a member of the AD FS development team, to compare notes and discuss features missing or lacking in the current release. One item that popped up and which I rued the absence of, was the ability to customize relying parties. It turned out that this was a fairly common feature request. This omission, I’m glad to see, has been addressed in AD FS under Windows Server 2016. While the changes described are mostly cosmetic, they do allow some basic changes to the look and feel of the environment and, most importantly, improve overall user experience. Let’s have a look at some of these.

Our basic configuration consists of a Windows Server 2016 TP4 server with the AD FS role installed and the presence of a relying party trust to a SAML-based web application. Our relying party, called ‘simpleSAMLphp Demo’, will be the guinea-pig for this little exercise, though it plays no real part besides kicking off the sign-in process (RP-initiated sign-on). All changes are made on the AD FS side to customize the login experience.

Message-Level

Here we tinker with messages presented to the connecting user/device via the Set-AdfsRelyingPartyWebContent cmdlet.

Set-AdfsRelyingPartyWebContent -TargetRelyingPartyName “simpleSAMLphp Demo” -CompanyName “Cepa Fidelis ” -OrganizationalNameDescriptionText “Enter your Access Onion account” -SignInPageDescription “This is for access to simpleSAMLphp Demo RP”

Logos and Illustrations

In addition to customizing messages, it’s also possible to present specific logo and illustrations on a per RP basis. Here we copy the content to the AD FS server and then run the Set-AdfsRelyingPartyWebTheme cmdlet :

Set-AdfsRelyingPartyWebTheme -TargetRelyingPartyName “simpleSAMLphp Demo” -Logo @{path=”C:\Content\rp1\logo.png”} -Illustration @{path=”C:\Content\rp1\illustration.png”}

…and connecting users are magically transported to the Tirol Winking smile

Page-level

This allows for page-level changes on a per RP basis. Previously in AD FS 2012 R2, such changes were possible only at the federation service level and thereby applicable to all relying parties.

Set-AdfsRelyingPartyWebTheme -TargetRelyingPartyName “simpleSAMLphp Demo” -OnLoadScriptPath @{path=”c:\content\rp1\onload.js”}

As with Windows Server 2012 R2, we can export the default theme to obtain the javascript (onload.js) that we wish to modify.

Export-AdfsWebTheme –Name default –DirectoryPath c:\content\default

One of the more common onload.js customization changes employed in AD FS 2012 R2 lay with a code change to support the use of sAMAccountName style formatting, similar to that supported in AD FS 2.0. This involved changing the onload.js file and then hardcoding the domain name into the form as described here.

Summary

Well, that’s nice, but these examples are just scratching the surface.. Take a look at the Get-AdfsRelyingPartyWebContent cmdlet and we can see there are multiple additional options that can be changed.

Let’s set a descriptor for additional authentication text.

Set-AdfsRelyingPartyWebContent -TargetRelyingPartyName “simpleSAMLphp Demo” -SignInPageAdditionalAuthenticationDescriptionText “This application requires additional authentication. Please choose the appropriate multi-factor authentication mechanism. Time wasters will be shot.”

Similarly, looking at the cmdlet (Set-AdfsRelyingPartyWebTheme) used to configure logos and illustrations, there’s also some hidden nuggets.

Here, we copy the web theme from one RP (simpleSAMLphp Demo) to another (Office 365).

Logon to Office 365 and the default AD FS theme has logos and illustration changed.

Note that the text/messaging has not been altered, because we did not elect to change this for our O365 RP via Set-AdfsRelyingPartyWebContent.

Explore… explore… have fun!

Certificate Requests and Server Core (and a little AD FS)

January 3, 2016AD FS 4.0, AD FS VNext, Certificates, Certreq, PKI, Powershell, Server Core, Windows Server 2016AD FS 4.0; Windows Server 2016; PKI; Certificates; SSL; Service Communications Certificate; PowerShellmylo

Just a quick post describing how to request an AD FS SSL (service communications) certificate from within Windows Server Core. The OS being used is Windows Server 2016, but, unless otherwise stated, this also applies to Windows Server 2012 R2.

For the enrollment and submission of the request, as well as parsing of the response, we’ll look at two mechanisms:

CERTREQ.EXE
PowerShell

The issuing authority is an Active Directory Certificate Services Enterprise CA.

CERTREQ.EXE

This is the legacy tool uses for certificate enrollment since Windows 2000. While a little cumbersome, it’s provide to be very useful over the years. It’s a command-line utility that parameterizes the request, submission and processing of the request file and certificate response to the Certificate Authority (CA). As a rule-of-thumb, it’s used where traditional enrollment mechanisms: web enrollment or MMC are not available or valid.

To begin a configuration (TXT) file needs to be created. This serves as an input file for completing information concerning the request. We’ll call it ADFSDEMO.TXT.

[Version]

Signature= $Windows NT$

[NewRequest]

Subject = “CN=adfsdemo.mydomain.com ¹, OU=Demo, O=Access_Onion, L=City, S=State/Province, C=NL” ;
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = Microsoft RSA SChannel Cryptographic Provider
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
Hashalgorithm = sha256 ²

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1 ; Server Authentication OID ³

[RequestAttributes]
SAN=”dns=adfsdemo.mydomain.com&dns=enterpriseregistration.mydomain.com&dns=certauth.adfsdemo.mydomain.com” ⁴
;———————————————–
CertificateTemplate=”WebserverV2″

¹ is the common name for our certificate, i.e. the federation services URL.

²specifies a hash algorithm of SHA-256. Note that CNG algorithms are only supported in AD FS in Windows Server 2016. Use SHA-1 for older versions.

³is the Server Authentication object identifier (OID) required for an SSL certificate

⁴are Subject Alternate Names added for Workplace Join and the new certificate enrollment endpoint in Windows Server 2016 / AD FS 4.0

⁵ For third-party certificate authorities or a stand-alone AD CS CA, the CertificateTemplate=”WebserverV2″ line can be dropped.

On our AD Certificate Services Enterprise CA, support for Subject Alternate Names (SAN) needs to be enabled:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

net stop certsvc&&net start certsvc

A template called WebServerV2 has been created (this is a copy of the WebServer built-in template, with compatibility level set to Windows Server 2003 and with certificate duration to 2 years). From CERTREQ.TXT, we generate a REQ (Request) file for submission to the local issuing authority

This is done with the following command:

CERTREQ –new ADFSDEMO.TXT ADFSDEMO.REQ

A response from the local policy filter

Active Directory Enrollment Policy

{521CC4EE-C923-4AE3-9123-A12F655CE123}

ldap:

CertReq: Request Created

And it’s now possible to submit the request file to the CA

CERTREQ –submit ADFSDEMO.REQ

The authority requests confirmation via a popup-window

Click on OK and the CA requests a location to save the generated certificate on the local disk of the server. For consistency, we call it ADFSDEMO.CER.

To complete the installation of the certificate the following command is run:

certreq –accept ADFSDEMO.CER

PowerShell

This section is the picture of conciseness as PowerShell simplifies the enrolment process for us. Here’s the request, submission and installation of the certificate, succinctly rolled-up into one command.

Get-Certificate -Template WebServerV2 -DnsName adfsdemo.mydomain.com,enterpriseregistration.mydomain.com,certauth.adfsdemo.mydomain.com -Subjectname -CertStoreLocation cert:\LocalMachine\My

Summary

Note that on the AD FS server, it’s possible to drop into Powershell to have a look at the issued certificate

dir cert:\localmachine\my

Assuming the server has already been domain-joined, has had the AD FS feature installed (Add-WindowsFeature ADFS-Federation) and a service account created in AD, then the configuration wizard of the AD FS farm can begin. Here’s an example of a WID-based deployment for the first farm node, utilizing the thumbprint of the SSL cert. The credentials for the service account are collected via the variable $cred, before being called in the Install-ADFSFarm cmdlet.

$cred=Get-Credential

Install-ADFSFarm –CertificateThumbprint 57C0D558EC02… –FederationServiceDisplayName ‘Access Onion’ –FederationServiceName adfsdemo.mydomain.com –ServiceAccountCredential $cred –OverwriteConfiguration

Till next time..

Interoperability scenarios with simpleSAMLphp and AD FS

January 7, 2015AD FS 2.0, AD FS 2.1, AD FS 3.0, AD FS R2, Identity Provider, SAML 2.0, Service Provider, SimpleSAMLphpAD FS, AD FS 2.0, AD FS 2.1, AD FS 3.0, AD FS R2, ADFS, Identity Provider, IdP, SAML 2.0, Service Provider, simpleSAMLphp, SPmylo

Hello all and Happy New Year!

In this post we’ll look at inter-operability scenarios involving simpleSAMLphp and Active Directory Federation Services (AD FS).

simpleSAMLphp is a native PHP application that provides support for a number of authentication protocols/methods. Its origins lie with the SAML protocol, but it also provides support for a range of other authentication protocols (e.g. WS-Federation, OAuth, LDAP, RADIUS). It’s a very capable and robust platform that can run on a number of different web surfaces.

In this post we’ll be covering identity federation scenarios with simpleSAMLphp and our usual incumbent: AD FS, getting the two to play nicely together. We’ll look at both sides of the coin via a:

(a) simpleSAMLphp Service Provider (SP) / AD FS Identity Provider (IdP) pairing.

(b) simpleSAMLphp Identity Provider (IdP) / AD FS Service Provider (SP) pairing;

In both cases, setup is applicable to both AD FS 2.0 and AD FS 3.0/2012 R2.

For an introduction to simpleSAMLphp, start here. It runs on a wide variety of web servers (Apache, Nginx, IIS among others). In these scenarios we’ll use IIS as our web server for deployment.

The latest PHP libraries can be obtained through the IIS Web Platform Installer. In this setup PHP 5.5.x is used and simpleSAMLphp 1.13.x.

The latest binaries for simpleSAMLphp are available via their website (http://www.simplesamlphp.org).

For SAML integration with AD FS, SSL certificate(s) are required to secure the IIS website(s) and the underlying simpleSAMLphp application(s). This pre-requisite stems from AD FS supporting HTTPS only. In the test configuration described here, the simpleSAMLphp instances are also published behind an AD FS Web Application Proxy (WAP). The pass-through (reverse) proxy functions of the WAP are then used to publish the simpleSAMLphp IdP/SP endpoints. On the IIS side, Server Name Indication (SNI) is also enabled.

The test setup used here comprises four virtual machines:

(i) An Active Directory Domain Services (AD DS) and Certificate Services (AD CS) node;

(ii) An Active Directory Federation Services (AD FS) 2012 R2 Farm node;

(iii) A Web Application Proxy (WAP) 2012 R2 node;

(iv) An IIS 8.5 Web server with php loaded as an application. This hosts the simpleSAMLphp Identity Provider (IdP), Service Provider and test applications, under dedicated websites/paths.

The AD DS and AD CS instances provide authentication and the SSL certificates for the IIS web services. On the Web Application Proxy (WAP) a third-party certificate is installed. This goes somewhat against the grain with Microsoft recommendations of using the same certificate pairing on the WAP and AD FS. However, since we’re not using device management/Workplace Join in this scenario, which I believe the requirements stem from, there are no immediate issues.

On our “application server” IIS is installed. Herein, I’ve created four websites (idp1, idp2, site1 and site2), representing two simpleSAMLphp SAML 2.0 identity providers and two simpleSAMLphp service providers. The website configuration can be seen in the below graphic:

In each case the simpleSAMLphp files are unzipped to a folder per function, e.g:

· c:\inetpub\idp1 and c:\inetpub\idp2 for the SAML identity provider (IdP) root paths

· c:\inetpub\web1 and c:\inetpub\web2 for the SAML server provider (SP) root paths

In IIS Manager, we can see the folder structure of an exploded simpleSAMLphp configuration for a single instance.

In each instance, under the config folder, a baseurlpath setting in the config.php file is set to indicate the root path for simpleSAMLphp content. By default, this is set to www. Should we wish to change this, such that the desired path to our simpleSAMLphp is say https://idp1.mydomain.com/auth rather than the default https://idp1.mydomain.com/www, then we make the change to the baseurlpath from ‘www/’ to ‘auth/‘ and rename the www folder accordingly. Note the use of the trailing slash that should always be present in the baseurlpath value.

From a simpleSAMLphp standpoint, there’s a few tweaking steps required before we get going in our test setup.

By default, a secretsalt setting is configured in the config.php file and it’s strongly recommended to change this. This should be a random string, as the salt is used to generate cryptographically secure hashes.

Also, we should consider getting logging working properly. This will reap dividends later when it comes to troubleshooting. As with other settings so far mentioned, logging settings are defined in config.php.

Firstly, debug is enabled via setting:

‘debug’ => TRUE,

By default, the logging level is set to SYSLOG. Here we’ll also switch the logging level to DEBUG and then alter the handler to file. This is done by setting the following values:

‘logging.level’ => SimpleSAML_Logger::DEBUG,

‘logging.handler’ => ‘file’,

In later sections of the CONFIG.PHP file, the output filename is also specified. This writes to the log folder of the instance.

‘logging.logfile’ => ‘simpleSAMLphp.log’,

This log file lives under the /log folder of the simpleSAMLphp instance. However, simply specifying the file to use is not sufficient for logging under IIS to work. For that little feat, the IUSR needs to been given modify access to the simpleSAMLphp logfile.

Repeat this process for each instance of simpleSAMLphp running under IIS on your server(s), giving the IUSR account the appropriate permissions.

Once logging has been configured, we can see the benefits of verbose logging as it provides a rich level of detail. Here’s a sample:

Sep 19 17:30:19 simpleSAMLphp DEBUG [5805446797] <Attribute xmlns:a=”http://schemas.xmlsoap.org/ws/2009/09/identity/claims” Name=”http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip” a:OriginalIssuer=”CLIENT CONTEXT”>

Sep 19 17:30:19 simpleSAMLphp DEBUG [5805446797] <AttributeValue>172.16.x.6</AttributeValue>