Category Archives: AD FS R2

AD FS – Old Habits (idpinitiatedsignon.aspx)

June 16, 2016AD FS 2.0, AD FS 2016, AD FS 3.0, AD FS R2, AD FS VNext, ADFS, Windows Server 2012 R2, Windows Server 2016AD FS 2.0, AD FS 3.0, AD FS R2, ADFS, SAML 2.0, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016mylo

Usually after building an AD FS/WAP farm I test locally from the Internet and the Intranet using (to-date) a fairly reliable source of verification that the service is up and running. I’m referring to, of course, the IdP sign-in page (../adfs/ls/idpinitiatedsignon.aspx). This offers a simple way of validating login via AD FS.

With Windows Server 2016, this page is no longer surfaced “out-of-the-box”.. if you want to do a SAML 2.0 IdP-initiated sign-on, this functionality will need to be enabled. Otherwise, connecting to the obligatory sign-in page, will produce an error similar to the following:

2016-06-10_18-06-00

Testing from the Web Application Proxy itself directly, pointing to the AD FS farm, we may see an HTTP 503 Service Not Available error.

Via Powershell, it can be switched back on:

set-adfsproperties -EnableIdpInitiatedSignon $True

Now, before we get too hasty, knowing that we can turn it back on versus actually turning it back on are two different things 🙂 If it’s directly required, IdP-driven sign-on is a feature of your federation setup, then you may have no choice. For example, certain SaaS/Cloud applications simply don’t support SP-initiated workflow.

For some organizations I’ve worked for though, this page is seen as insidious because it reveals the relying parties configured on your AD FS farm anonymously.

AD FS 2.0

2016-06-16_18-57-06

AD FS 2012 R2

2016-06-16_18-58-34

Going back to AD FS 2.0, customers are often unwilling to float this data anonymously via the sign-in page and want to hide the RP enabled trusts visible on the page, sometimes re-writing the code behind to do so or even hiding it from the browser via obfuscation.

Whatever your view, it’s off by default in Windows Server 2016. Those of a paranoid bent may now breathe …………. in….. out….in… out…. there you go 🙂

Back to the Home Realm Discovery in 2012 R2

May 20, 20162FA, AD FS R2, Customization, Home Realm Discovery, MFA, Multi-Factor Authentication, PointSharp, Strong Authentication, Windows Server 2012 R2mylo

Hello all. You may recall from older posts on this blog (2012) that we’ve played around in the past with Home Realm Discovery (HRD) in AD FS.

First with IWA and forms logon here and then a little bit more for good measure. Since then it’s been a little quiet on the HRD fence and not a subject delved into much since. That is, until an issue a colleague and I ran into an issue recently… confronted with the following AD FS R2 access conundrum:

“ How can we route (automatically) external logon requests to a third-party claims provider, continue to route internal logon requests to the native AD claims provider (i.e. maintain transparent SSO), eliminating any Home Realm Discovery (HRD) for our users to have to walk through and select?”

Or… to put it more simply. How can one automatically route external route requests to claims provider A, continue to route internal requests to (AD) claims provider B, whilst altogether avoiding Home Realm Discovery (HRD) for all users?

We’ll discuss the exact use case in a moment. This is a RP-initiated work-flow. No IDP-initiated flow or smart links are allowed.

First, a bit of background. Let’s head back to the first look posts on AD FS 2012 R2 in 2013/2014. In there I wrote:

“In AD FS R2, HRD customization options through PowerShell now allow us to determine how the UI is presented to the end-user during logon, based on:

1. target suffix resolution – providing suffix routing on a per claims provider basis
2. limiting the claims providers visible for the relying party concerned”

With the move to kernel-mode in R2, customization previously possible under IIS in AD FS 2.0 was no longer applicable. To redress this issue and to provide greater flexibility, the above customization options were provided. Suffix routing enables AD FS 2012 R2 to select an appropriate claims provider based on the domain suffix credentials provided by that user. Broadly speaking, this is just how O365/Azure AD works in attempting to discover the Federated home realm v Microsoft realm of the connecting user. Similarly, for on-premise AD FS, suffix routing enables us to refine our logon decision-making based on the home realm of the connecting user. Here’s an example:

Users from the Cranky Nuts organization, connecting via AD FS, use a @crankynuts.nl domain suffix. Accordingly, we need to send authentication requests to the Cranky Nuts Identity Provider.
Users from the Wobbly Wheels organization, connecting via AD FS, use a @wobblywheels.be domain suffix. Accordingly, we need to send authentication requests to the Wobbly Wheels Identity Provider.

In AD FS 2012 R2 we can configure this within Powershell:

Set-AdfsClaimsProviderTrust –TargetName “Cranky Nuts IdP” –OrganizationalAccountSuffix @(“crankynuts.nl”)
Set-AdfsClaimsProviderTrust –TargetName “Wobbly Wheels IdP” –OrganizationalAccountSuffix @(“wobblywheels.be”)

Wonderful! Using this approach can be a little hit and miss though. It’s making certain assumptions about the level at which we’re prepared to divert authentication on, i.e. the domain level. That’s not always the case.

We could, alternatively, opt for the other method: targeting claims provider selection at the Relying Party Trust level. Again, this is useful functionality. Here’s an example.

Set-AdfsRelyingPartyTrust -TargetName “BodgeIT Inventory ” -ClaimsProviderName @(“crankynuts.nl”)

This makes the “BodgeIT Inventory” Relying Party/Web Application, available to users of the Cranky Nuts organization, bypassing the local AD claims provider. Should we need to extend access to additional claims providers, such as our local Active Directory, then we can add that issuer to the mix. The downside of this option, is that we’re forced into making a home-realm discovery selection during logon.

The Suffix and RP-specific claims provider options, therefore, do have some limitations. Indeed, for the scenario that we were faced with, neither option fit. In our situation, two claims providers existed for a single organization, with each CP containing the same set of users. The use case? Two-factor authentication. The upstream claims provider (CP) provides two-factor authentication (2FA) for users connecting from the outside , while the incumbent local AD claims provider covers local Windows logon.

Of course, two claims providers means Home Realm Discovery (HRD) and HRD can be confusing. We can remedy this for internal users, ensuring they don’t get the HRD prompt by defaulting to the use of the local AD claims provider via Powershell:

Set-ADFSProperties –IntranetUseLocalClaimsProvider $True

This doesn’t solve the problem for access from the outside. Moreover, we expressly wish to send all connecting users to our 2FA claims provider, rather than to the in-build AD claims provider…. We could use auxiliary authentication provided by the MFA Adapter in AD FS 2012 R2, thereby eliminating the use of the upstream claims provider. However, that might not be feasible as:

Leading with the AD password as the primary authentication credential may not be allowed.
The vendor has an MFA adapter for AD FS 2012 R2.

Even where the latter is available, the (security) policy prerogative might be that use of 1) is not allowed, thereby overriding (2).

<PLUG>To demonstrate issue, cue favorite authentication platform PointSharp (</PLUG>

PointSharp possess both a Security Token Service (STS) that can stip atop AD FS as a 2FA claims provider role and also have an MFA adapter for AD FS 2012 R2 / 2016. Since use of the MFA adapter has been prohibited by the customer according to the rules above (not wanting to lead with AD password as a primary authentication credential), the STS as a Claims Provider was selected instead.

You’ll recall we turned off HRD for internal users by setting the IntranetUseLocalClaimsProvider setting to TRUE. With the PointSharp STS configured as a claims provider, external users will get continue to get the HRD screen as AD FS cannot determine where the user lives without the appropriate “hint”. In AD FS 2.0 it was possible to workaround this by customizing the AD FS 2.0 proxy configuration, modifying the Page_Init section of the homerealmdiscovery.aspx.cs file. We could then remove Active Directory as a claims provider (0)

PassiveIdentityProvidersDropDownList.Items.RemoveAt(0);

Once that was done, default realm selection would fall to our other claims provider (STS)

SelectHomeRealm ( PassiveIdentityProvidersDropDownList.SelectedItem.Value );

As you are no doubt aware, IIS has been supplanted in AD FS 2012 R2 with everything running in kernel-mode. Thankfully, all is not lost though. Some of the functionality previously possible under IIS has moved to Javascript and customization of the onload.js script is covered in a couple of scenarios here..

Variables previously living in .NET code-behind are visible in the View Source of the web page of the HRD screens. Options for both claims providers are visible.

….HRD.selection(‘http://adfs.mydomain.com/adfs/services/trust’);” onclick=”HRD.selection(‘http://adfs.mydomain.com/adfs/services/trust’); …….
….HRD.selection(‘https://sts.mydomain.com/login/’);” onclick=”HRD.selection(‘https://sts.mydomain.com/login/’); …….

HRD.selection is the main feature of interest. There’s an action on clicking the realm manually that specifies the HRD we require. We can automate this by moving the selection to the onload.js script, thereby automating selection of the PointSharp Claims Provider. First, we need to customize our AD FS setup.

We create a new theme called PointSharp based on the default AD FS theme

New-AdfsWebTheme –Name PointSharp –SourceName default

Export the default theme to allow our customization

Export-AdfsWebTheme –Name default –DirectoryPath c:\scripts

Copy the default onload.js to the C:\Scripts folder and edit it. At the end of the script, we simply add the reference to the PointSharp claims provider using the following syntax (replace with your own CP) :

HRD.selection(‘https://sts.mydomain.com/login/’);

We then import the new PointSharp theme including the modified onload.js.

Set-AdfsWebTheme -TargetName PointSharp -AdditionalFileResource @{Uri=’/adfs/portal/script/onload.js’;path=”c:\scripts\onload.js”}

Activate the new theme.

Set-AdfsWebConfig -ActiveThemeName PointSharp

External users will be now routed to the PointSharp claims provider for login, whilst AD logon for internal users is still preserved. Please note that this is a GLOBAL change affecting all users of the AD FS farm and test extensively as it might not be your cup of tea…

Customizing AD FS Relying Parties in Windows Server 2012R2

March 21, 2016AD FS 3.0, AD FS R2, Customization, Relying Party, Windows Server 2012 R2AD FS 2012 R2; Customize Relying Parties; Windows Server 2012 R2; AD FS 3.0mylo

You may recall a previous post from a few weeks back, concerning customization of AD FS Relying Parties in Windows Server 2016. This functionality is now out-of-the-box in the latest version of AD FS. What was less well-documented was examples of how this could be accomplished in Windows Server 2012 R2. Pierre Audonet from Microsoft has thankfully solved that problem by posting this great article on Technet, that describes how to customize the onload.js script for registering custom URIs and illustrations to bind to your relying parties. Thanks Pierre!

AD FS Extranet Lockout: a case of the unintended pun

March 3, 2016AD FS 3.0, AD FS 4.0, AD FS R2, Extranet Lockout, Web Application Proxyaccount, AD FS 2012 R2, AD FS 3.0, AD FS 4.0, Brute Force, DoS, Extranet Lockout, FSMO, lockout, Password, PDC Emulator, Web Application Proxymylo

Just a very quick post, to describe a problem recently experienced at a customer.

Extranet Lockout, available in AD FS 2012 R2 and beyond, is a great security function that helps shield the AD password from remote attack. The normal Active Directory conventions for protecting an AD account include:

Password complexity
Account Lockout policies
Password Length

In a remote access scenario we need to consider the impact of users incorrectly entering their credentials versus scenarios where:

an attempt to maliciously lockout an account is attempted
a brute force attack is attempted on said account

Enter Extranet Lockout. By implementing this as a policy on the AD FS server, we can stipulate that after x number of invalid logon attempts via the Web Application Proxy, not to forward further requests to Active Directory, thereby protecting that account from lockout. For example, if our AD account lockout policy stipulates lockout at 10 logon attempts, we set our AD FS extranet policy at a lower value, say 5.

All good. There is a caveat though. Extranet Lockout capability does introduce a direct dependency between ADFS and the PDC Emulator Active Directory FSMO role. If you do plan on using this feature it’s worth considering this. Otherwise, extranet lockout may occur for very different reasons Smile Connectivity between the AD FS farm and the Domain Controller hosting this role is assumed. Should the situation arise where network connectivity between the two is broken, then users will be unable to logon at AD FS. This applies even where local domain controllers are co-located next to AD FS. It turns out that the PDC Emulator must be contacted on each logon attempt. This sort of issue can arise in an enterprise (e.g. global) setup, where AD is distributed, living in different data centers; the AD FS services in one and FSMO roles in another.

Should the above scenario occur, the immediate solution is to disable Extranet lockout. Longer term remedies may come in different forms:

Ensure a redundant path on the network exists between the two locations, to avoid single points of failure;
Consider moving the FSMO roles into the data center where AD FS lives to eliminate the WAN as a point of failure;
Reconsider use of Extranet Lockout until one of the above two are implemented… Disclaimer (see below)

However, the PDC Emulator role, hosted on a single domain controller, does introduce a single point of failure. FSMO roles can be seized or transferred, though this requires manual intervention. A good monitoring setup can also help reduce potential downtime by way of monitoring the PDC emulator or more specifically, the server running underneath it. Monitoring AD FS service health can also help identify problems if the tool used is capable of checking logon with a synthetic transaction (e.g. testing login with a SOAP message against a WS-Trust endpoint). Nonetheless, the fact remains that with the feature enabled, this represents a single point of failure into your AD FS setup. You’ll need to evaluate organizational requirements (security v availability) and whether the individual protection offered by Extranet Lockout outweighs the possible service availability impact that arises through failure of the server hosting the PDC Emulator.

Interoperability scenarios with simpleSAMLphp and AD FS

January 7, 2015AD FS 2.0, AD FS 2.1, AD FS 3.0, AD FS R2, Identity Provider, SAML 2.0, Service Provider, SimpleSAMLphpAD FS, AD FS 2.0, AD FS 2.1, AD FS 3.0, AD FS R2, ADFS, Identity Provider, IdP, SAML 2.0, Service Provider, simpleSAMLphp, SPmylo

Hello all and Happy New Year!

In this post we’ll look at inter-operability scenarios involving simpleSAMLphp and Active Directory Federation Services (AD FS).

simpleSAMLphp is a native PHP application that provides support for a number of authentication protocols/methods. Its origins lie with the SAML protocol, but it also provides support for a range of other authentication protocols (e.g. WS-Federation, OAuth, LDAP, RADIUS). It’s a very capable and robust platform that can run on a number of different web surfaces.

In this post we’ll be covering identity federation scenarios with simpleSAMLphp and our usual incumbent: AD FS, getting the two to play nicely together. We’ll look at both sides of the coin via a:

(a) simpleSAMLphp Service Provider (SP) / AD FS Identity Provider (IdP) pairing.

(b) simpleSAMLphp Identity Provider (IdP) / AD FS Service Provider (SP) pairing;

In both cases, setup is applicable to both AD FS 2.0 and AD FS 3.0/2012 R2.

For an introduction to simpleSAMLphp, start here. It runs on a wide variety of web servers (Apache, Nginx, IIS among others). In these scenarios we’ll use IIS as our web server for deployment.

The latest PHP libraries can be obtained through the IIS Web Platform Installer. In this setup PHP 5.5.x is used and simpleSAMLphp 1.13.x.

The latest binaries for simpleSAMLphp are available via their website (http://www.simplesamlphp.org).

For SAML integration with AD FS, SSL certificate(s) are required to secure the IIS website(s) and the underlying simpleSAMLphp application(s). This pre-requisite stems from AD FS supporting HTTPS only. In the test configuration described here, the simpleSAMLphp instances are also published behind an AD FS Web Application Proxy (WAP). The pass-through (reverse) proxy functions of the WAP are then used to publish the simpleSAMLphp IdP/SP endpoints. On the IIS side, Server Name Indication (SNI) is also enabled.

The test setup used here comprises four virtual machines:

(i) An Active Directory Domain Services (AD DS) and Certificate Services (AD CS) node;

(ii) An Active Directory Federation Services (AD FS) 2012 R2 Farm node;

(iii) A Web Application Proxy (WAP) 2012 R2 node;

(iv) An IIS 8.5 Web server with php loaded as an application. This hosts the simpleSAMLphp Identity Provider (IdP), Service Provider and test applications, under dedicated websites/paths.

The AD DS and AD CS instances provide authentication and the SSL certificates for the IIS web services. On the Web Application Proxy (WAP) a third-party certificate is installed. This goes somewhat against the grain with Microsoft recommendations of using the same certificate pairing on the WAP and AD FS. However, since we’re not using device management/Workplace Join in this scenario, which I believe the requirements stem from, there are no immediate issues.

On our “application server” IIS is installed. Herein, I’ve created four websites (idp1, idp2, site1 and site2), representing two simpleSAMLphp SAML 2.0 identity providers and two simpleSAMLphp service providers. The website configuration can be seen in the below graphic:

In each case the simpleSAMLphp files are unzipped to a folder per function, e.g:

· c:\inetpub\idp1 and c:\inetpub\idp2 for the SAML identity provider (IdP) root paths

· c:\inetpub\web1 and c:\inetpub\web2 for the SAML server provider (SP) root paths

In IIS Manager, we can see the folder structure of an exploded simpleSAMLphp configuration for a single instance.

In each instance, under the config folder, a baseurlpath setting in the config.php file is set to indicate the root path for simpleSAMLphp content. By default, this is set to www. Should we wish to change this, such that the desired path to our simpleSAMLphp is say https://idp1.mydomain.com/auth rather than the default https://idp1.mydomain.com/www, then we make the change to the baseurlpath from ‘www/’ to ‘auth/‘ and rename the www folder accordingly. Note the use of the trailing slash that should always be present in the baseurlpath value.

From a simpleSAMLphp standpoint, there’s a few tweaking steps required before we get going in our test setup.

By default, a secretsalt setting is configured in the config.php file and it’s strongly recommended to change this. This should be a random string, as the salt is used to generate cryptographically secure hashes.

Also, we should consider getting logging working properly. This will reap dividends later when it comes to troubleshooting. As with other settings so far mentioned, logging settings are defined in config.php.

Firstly, debug is enabled via setting:

‘debug’ => TRUE,

By default, the logging level is set to SYSLOG. Here we’ll also switch the logging level to DEBUG and then alter the handler to file. This is done by setting the following values:

‘logging.level’ => SimpleSAML_Logger::DEBUG,

‘logging.handler’ => ‘file’,

In later sections of the CONFIG.PHP file, the output filename is also specified. This writes to the log folder of the instance.

‘logging.logfile’ => ‘simpleSAMLphp.log’,

This log file lives under the /log folder of the simpleSAMLphp instance. However, simply specifying the file to use is not sufficient for logging under IIS to work. For that little feat, the IUSR needs to been given modify access to the simpleSAMLphp logfile.

Repeat this process for each instance of simpleSAMLphp running under IIS on your server(s), giving the IUSR account the appropriate permissions.

Once logging has been configured, we can see the benefits of verbose logging as it provides a rich level of detail. Here’s a sample:

Sep 19 17:30:19 simpleSAMLphp DEBUG [5805446797] <Attribute xmlns:a=”http://schemas.xmlsoap.org/ws/2009/09/identity/claims” Name=”http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip” a:OriginalIssuer=”CLIENT CONTEXT”>

Sep 19 17:30:19 simpleSAMLphp DEBUG [5805446797] <AttributeValue>172.16.x.6</AttributeValue>