Tag Archives: Strong Authentication

Step-Up Authentication Scenarios with AD FS 2.0 Part I

May 17, 2013AD FS 2.0, Claims-based Authentication, OpenAM, SAML 2.0, SimpleSAMLphpAD FS 2.0, AuthnContextClassRef, ForceAuthn, OpenAM, SAML 2.0, Step-Up Authentication, Strong Authenticationmylo

This post refers to additional logon schemes that can be supported in AD FS by forcing users to re-authenticate or step-up/step-down authentication to federated web applications. It was prompted by a recent request from a customer :

“We wish to connect a SAML 2.0 Service Provider (SP) to AD FS. For security reasons, we require our internal users to logon (again) when connecting to this web application. All users connecting through the AD FS proxy should be prohibited access.”

Whether we choose to call this process re-authentication or step-up authentication really depends on the access case. To meet the requirement, we’ll be breaking single sign-on (SSO) when accessing the web application above by sending parameterised requests from the web application to AD FS, specifying how to handle authentication uniquely for this app.

Some folks may have pre-conceived ideas about what constitutes step-up, perhaps because it is often associated with multi-factor authentication. While the two do complement one another nicely, step-up is not necessarily multi-factor. Rather, use of step-up as an access mechanism, is governed by the strength of authentication we wish to accrue to access, at a level commensurate with requirements for protecting that resource. We can use weaker (single factor) authentication where this is deemed sufficient or appropriate. As an example, a customer may employ two-factor authentication on the outside/edge for all users and then elect to use the AD password, as an additional step-up mechanism for corporate users only to gain access to internal resources. In authentication strength terms, this is step-down authentication, but in functional terms, it’s designed as a step-up method.

I make the above point, because in the examples described here, we have users logging onto their workstations either using weak (username/password) or strong (two-factor) authenticating against other federated web applications with these credentials. In each case, we plan on forcing users to logon again when they access this particular SAML 2.0 web application to “step-up” security.

This is an internal only access scenario for the enterprise, meaning that users connecting via the AD FS Proxy should be denied access. Since AD FS Rollup 1, we’ve been able to specify Issuance Authorization Rule on the relying party (SAML 2.0 SP) pipeline that allows requests sourced from the AD FS Proxy to be identified and acted on via the claim description: http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy

Accordingly, we’ll create a deny Issuance Authorization Rule on our SAML web application so that users connecting through the proxy will be blocked.

exists([Type == “http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy”]) => issue(Type = “http://schemas.microsoft.com/authorization/claims/deny”, Value = “true”);

Sample Scenario

In a default AD FS farm setup, a domain-joined Windows machine internal user connects to the AD FS farm and authenticates via the Integrated Windows Authentication (IWA) handler using Kerberos/NTLM. To alter this behaviour, for a given application, and force the user to re-authenticate, we must ignore the existing session cookie.

With WS-Federation, we can do this at AD FS, via a smart link, by specifying the wauth parameter:

https://sts.mydomain.com/adfs/ls/?wa=wsignin1.0&wtrealm=https://rp.mydomain.com &wauth=urn:oasis:names:tc:SAML:1.0:am:password

For a relying party using the WS-Federation Passive Requester Profile (WS-PRP) we can also specify the request in the query string or within application code also via wauth.

This is a SAML 2.0-based use case though. As a backgrounder, I suggest reading about SAML Authentication Context Classes and Strengths with AD FS. Within the SAML 2.0 protocol, SAML service provider (SP) can emits certain values in the SAML request that ensures that the required authentication method from the SP is honoured by AD FS. From an SAML 2.0 protocol standpoint, this may be accomplished by:

Setting an Authentication Context Class Reference (AuthnContextClassRef) in the requested authentication context from the Service Provider;
Specifying the use of Force Authentication (ForceAuthn) in the request set to a value of true;
Use of a Comparison rule that is set to exact to expressly set the authentication method. Other settings are also possible (which AD FS supports) but are not covered in this post.

Let’s look at the farm-connected conventions mentioned above in a bit more detail.

Authentication Context Class Reference

In Windows SSO logon scenarios, the AD FS integrated handler uses the SAML AuthnContextClassRef of urn:federation:authentication:windows. On our SAML 2.0 web application, we’ll request a authentication context class reference of urn:oasis:names:tc:SAML:2.0:ac:classes:Password, so that the forms handler (in AD FS) is targeted as the desired authentication handler.

Force Authentication

The specification of ForceAuthn=true in the initial SAML request from the service provider specifies that the Identity Provider (IdP) should force re-authentication of the user, even if they possess a valid session with AD FS.

Comparison Rule

The SAML 2.0 protocol supports the use of a comparison rule to determine the level of precision to be accorded to the authentication request. If none is specified, AD FS will assume that the attribute is set to exact, meaning that authentication should conform exactly to the AuthnContextClassRef request and is passed to the appropriate handler.

Configuring Service Providers

I’ve used two examples here:

OpenAM
SimpleSAMLphp

I also planned on including Shibboleth, but hosed my configuration in the process, by reverting the wrong Snapshot of my VM during testing.. *cough*… sorry about that Smile

OpenAM

Using OpenAM as a SAML SP example, we’ll invoke SP-initiated sign-on through the spSSOInit.jsp page. In the query string we’re specifying the authentication context and the desired force authentication.

https://myapp.mydomain.com/openam/saml2/jsp/spSSOInit.jspmetaAlias=/acs/sp&realm=acs &ForceAuthn=true&AuthnContextClassRef=urn:oasis:names:tc:SAML:2.0:ac:classes:Password &idpEntityID= http://adfs.mydomain.com/adfs/services/trust&RelayState=https%3A%2F%2Fmyapp.mydomain.com%2Fopenam%2Fconsole

Note: The above syntax is valid but watch out for white spaces in the example above, not to mention your own domain name. I’ve added spaces to make the text more legible.

AD FS will parse the request based on the emboldened items in the query string and ask the user to re-authenticate via forms sign-in.

SimpleSAMLphp

In SimpleSAMLphp, we can set the necessary settings in the configuration file authsources.php, specifying the authentication context and force authentication requirement.

‘ForceAuthn’ => TRUE,
‘AuthnContextClassRef’ => ‘urn:oasis:names:tc:SAML:2.0:ac:classes:Password’,

Authentication Options

How we choose to implement our step-up/re-authentication component depends on the question of sufficiency and what is an acceptable method to choose. For this exercise, this could mean:

re-using the Windows logon identity (re-authenticate);
using an alternate identity from within the same AD forest (step-up);
using an alternate identity residing in a connected forest (step-up);
using an alternate authentication service; a third-party application that provides stronger forms of authentication

Option 1 – Re-Authentication

The simplest option sees the the user replaying their AD credentials, logging on again via the AD FS form, before gaining access to the web application. This is clearly not step-up and doesn’t afford any significant additional protection, , but may fulfil compliance/auditing requirements for access.

Advantages	Disadvantages
Simple (uses same identity)	Re-authentication not step-up authentication (same password policy)
Protects against inadvertent access to the application if the user is already logged on (e.g. where user fails to lock OS)	Security gain is nominal. Requires claims authorization rules on the relying party to differentiate between valid/invalid users.

Option 2 – Step-Up Same Forest (username/password)

Option 2 uses another set of credentials held within the same AD FS forest. Access to the SaaS application is limited to those users using these credentials (i.e. their “step-up” identity) and an authorization rule to supplement this.

Advantages	Disadvantages
Authentication is stepped using another identity besides the corporate logon	More complex. Requires additional identity to represent users (user management)
Supports use of stronger password policies on the second identity	Security gain is moderate. Same factor (username / password) for step-up identity
	Less user friendly (extra identity)
	Shared authentication sources between identities (no isolation)

Option 3 – Step-Up Connected Forest (username/password)

A more complex rendition of this using multiple forests with a single AD FS instance (Option 3):

In the above setup we have an account forest for our corporate users and a resource forest, where the AD FS server lives (with the AD FS application pool account running in the account forest). A one way forest trust between the two exists. In this option, the step-up identities reside in the resource forest.

Advantages	Disadvantages
Authentication is stepped using another identity besides the current logon	More complex. Requires additional identity / shadow account represented in the remote forest (user management)
Supports use of stronger password policies on the alternate identity	Security gain is moderate. Same factor (username/ password) for step-up identity
Shadow account can use same sAMAccountName in remote forest	Less user friendly (extra identity)
Greater isolation / independence of action from account forest (supports selective authentication)	More complex to manage

For Options 2 and 3, we can also provide further refinement by using AD fine-grained password policies to implement a stronger password policy / account lockout policy applicable to our web application, that exceeds the ordinary password policy levels used for for corporate AD users.

In all above cases, we should consider further restraining access by passing custom claims on the relying party, to assist in determining whether the user in question should have access.

From an AD FS standpoint, there are no configuration changes required in the cases described thus far. You may note, however, that I’ve not yet mentioned IdP-Initiated Sign-On methods. SHAME! Well, there’s a couple of reasons for this, by which I’ll conveniently recuse myself Smile with tongue out

Firstly, there a nice solution posted on CodePlex, that works similar to the actions described in this post, albeit by customizing the AD FS sign-in pages instead. It allows assigning the use of forms logon logic to relying parties and also covers IdP-Initiated Sign-On and WS-Federation. Relying parties registered to use the forms logon are registered in AD FS web.config file, thereby bound to the forms handler.
Also, some customers may be unwilling to modify their default AD FS setup because of a fear that it will throw them outside the realms of Microsoft support. However, if you do wish to support IdP-Initiated sign-on scenarios using the methods above (AuthnContextClassRef and ForceAuthn), then I’m afraid you don’t have much choice as customization of the code-behind page for idpinitiatedsignon.aspx.cs is required. Without these changes, sign-on, either via logintoRP or relaystate query parameters, will fail as the desired authentication context (AuthnContextClassRef) has not been set and is not passed by the IdP to the service provider. I used the following MSDN article as a reference to customize the idpinitiatedsignon.aspx.cs and then tested this using logintoRP parameter, with the query string example below.

https://adfs.mydomain.com/adfs/ls/IdpInitiatedSignon.aspx?logintorp=https:/app.mydomain.com/web1/&RequestedAuthenticationContext=urn:oasis: names:tc:SAML:2.0:ac:classes:Password&ForceAuthentication=true

In Part II, we’ll look at step-up options with stronger / multi-factor authentication methods (aka Option 4). See ya!

Claims-based access with AD FS 2.0 and PointSharp Identity Federation

April 18, 2013AD FS 2.0, Claims-based Authentication, PointSharp, Strong AuthenticationAD FS 2.0, Claims-based Authentication, PointSharp, Strong Authenticationmylo

In previous articles we’ve looked at inter-op scenarios with AD FS using gateway solutions such as Juniper SA, Microsoft Forefront UAG 2010 and access management platforms such as OpenAM. In this post, we’ll look at using AD FS 2.x with a Windows Identity Federation (WIF)-based Security Token Service (STS) from PointSharp (www.pointsharp.com). This provides us with a broader authentication platform than AD FS from which to make access control decisions.

In a default configuration, AD FS 2.0 makes use of the local Active Directory as an authentication service. As administrators, we may also wish to further extend authentication options available to AD FS. A number of mechanisms are available, allowing us to hook into third-party authentication services.

via plug-ins/agents exposed through IIS, either on the AD FS Proxy/Farm to connect to other authentication providers;
customization/ coding sign-in pages to connect directly to authentication providers via web services or other custom methods;
through a federation trust to another provider, e.g. an IP-STS/IdP.

Option 1 is the traditional access management method, using non-federated agents/filters to wrap around IIS. This approach is often independent of AD FS. Option 2 involves customizing the logon process within AD FS, e.g. customizing forms-sign-in pages to hook into back-end web services APIs that the third-party authentication service may provide. Option 3 is the claims provider route using the federation trust model. PointSharp cater for all three solutions. However, I’ll concentrate on Option 3, using their Security Token service (STS) as a strong/two-factor authentication provider .

To highlight a working scenario, let’s set out some basic requirements:

External users, including corporate users, must connect through the third-party STS using various authentication types, according to the desired requirements:
- Two-factor authentication (hardware token, soft token or SMS)
- An alternate password credential store (non-AD)
- Credentials from the Corporate directory (e.g. AD)
Internal users, connected to the corporate LAN, should be able to connect to relying parties using their Windows logon credentials (Kerberos/NTLM).
Applications must support SAML or WS-Federation in an external facing scenario and IWA (Kerberos/NTLM) for internal users.
The solution should support claims-based access control to the federated web application according to the desired authentication method

The PointSharp Identity Federation component (STS) is a .NET / Windows Identity Federation (WIF) application. It services authentication requests by connecting to a core-access management application via web services.

In logon flow terms, an abridged view of the process is:

The external User connects to Relying Party Web Application
Browser redirect to AD FS Proxy. AD FS local authentication types are disabled. A claims provider is defined and the authentication request is passed to this.
Browser redirect to PointSharp Identity Federation STS. User logs on. Policy-based access control and claims processing is performed. SAML token is issued.
Browser redirect to AD FS (RP-STS). Perform claims processing on Claims Provider and Relying Party.
Browser redirect to Relying Party for authorization and access to application.

Users connect to the PointSharp Identity Federation claims provider (configured) via AD FS, to provide two-factor authentication for external access scenarios. In order to bypass the (in-built) AD claims provider for AD FS external access, whilst continuing to provide a Windows SSO experience to corporate users, we make a couple of configuration changes in AD FS proxy and farm nodes:

Disable all local authentication types on the AD FS Proxy to pass authentication requests to the PointSharp STS. This is done to bypass home realm discovery (HRD) mechanisms and remove the proxy as an authentication layer. We do this by removing the forms, basic and X509 authentication types within the web.config of the AD FS Proxy in the microsoft.identityServer.web section:

On the local AD FS farm we adjust settings to ensure that the default Active Directory claims provider, not the PointSharp claims provider, is used for authentication of users connecting via the internal/corporate network. We do so by customizing the homerealmdiscovery.aspx.cs on the AD FS farm to ensure that the AD claims provider is used for Windows logon. Refer to this blog article on how to accomplish this.

With the above changes, all logon requests via the AD FS proxy will now be handled by the PointSharp STS.

Before continuing further, let’s look at how the PointSharp Identity Federation component (STS) and the backend PointSharp authentication services work to support desired authentication types. To accomplish this, we’ll need to dig a little deeper into how identities are stored/used within the configuration.

Configuration Storage

As with the majority of Access Management (AM) solutions out there, it’s worthwhile pointing out the distinction between a store used for identity (read-only) lookup purposes, such as a user repository, versus the store the AM solution uses for holding (writing) configuration options concerning user/profile/preferences. Typically, configuration or data storage is represented in a single aggregate store where information about access identities is written. Conversely, user storage(s), may consist of multiple repositories, which we read user information from. PointSharp uses an LDAP store, e.g. AD LDS, AD or other LDAP v3 compliant servers for configuration/data storage. The store retains information concerning the users profile, the authentication methods used/supported, additional secrets etc. Sensitive information within the store is encrypted or (optionally) the entire storage container itself.

User Storage

In PointSharp lexicon, user storage is used to define an entry point within a repository for basing scoped searches/extractions from. We can then subsequently target items extracted for authentication/authorization processing. User storage may be one or many directories (AD/LDAP) or specific containers (organizational units) within one or many directories. Optionally, we may then target a desired authentication method against defined user storage types.

With a given user storage, via scoping options and the use of an LDAP filter , we define objects of “interest” in the storage and, at an attribute level, define various attributes, e.g. logon ID, to be used. This could be a security principal such as sAMAccountName, userPrincipalName or uid, subject to the object class. In the above screenshot, a User Storage called “inetOrgPerson” has been created, and within this store (AD), searches have been limited to include object classes of the inetOrgPerson type from given OUs. The (LDAP) search filter in the chosen user storage is:

(&({usernameAttribute}={username})(objectClass=inetOrgPerson)(objectCategory=person))

There’s some latitude here on what we may wish to include/exclude as objects of interest, for logon purposes, abstracted from the logon process normally associated to the native directory. For example, disabled accounts, which might sound bizarre, can also be exposed via user storage. Attributes such as UserAccountControl are available to expose/include in a scoped search within user storage, thereby allowing subsets of users for remote access, not normally available in a local authentication context to be used. We may wish to make these available purely for external access. In practical terms, imagine that we have a subset of users that we don’t want to be able to interactively logon to AD, from a domain-joined PC, yet should be able to logon externally (only) via our Identity Federation STS. Here’s an example of an LDAP scope that targets disabled users to be defined at a storage level.

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

User storages are processed iteratively. We can include a number of user storage types according to access needs and once we’ve defined them, identify the types of authentication we wish to use directly (via the storage) or indirectly through access policy.

Authentication Services

PointSharp, through back-end authentication services, provide authentication types available directly through listeners via web services or RADIUS, according to the access scenario. Since we’re dealing with identity federation here, this equates to web services. At this point, we can make available a given authentication type to be used in the identity federation process (e.g. SMS) or elect to use a more fine-grained policy-based authentication process. Smart Authentication (SmartAuth) refers to a policy-based / attribute-based access workflow executed during logon. Through these policies the authentication type to use for a connecting user is determined. This allows for more granular authentication flows to meet requirements. Moreover, this can also be further refined at the (front-end) Identity Federation component (STS) via claims-based access control.

Using the user storage concepts, let’s have a look at two identity federation scenarios. The first is a “basic” approach using the default Active Directory, available as a user store for moderating external access.

Basic Scenario (Single Storage)

In the above setup, we’re “scoping” our storage based around using various OU’s within AD. The first storage uses sAMAccountName for internal users using their Windows logon ID, the second uses userPrincipalName (UPN) for external users. In this example, sAMAccountName is analogous to EmployeeID and userPrincipalName to the emailaddress of the external user. Each respective set of identities live within their own OU’s within Active Directory.

Complex Scenario (Multiple Storage)

Similar to the basic setup, we’re also scoping our user storage at OUs within a given store. In this case we’re also adding additional repositories, such as a Partner/Affiliates store (e.g. Extranet), to pull in their identities for usage in logon scenarios ….

With the user storages defined, we then define individual authentication types within the back-end PointSharp authentication service and expose these as individual listeners, invoked directly by the caller. In our case, this is the PointSharp Identity Federatrion component calling a smart authentication rule. to adopt more fine grained authentication decisions at logon.

In the above policy, I’ve elected to use membership of a Windows group (in user stores) to target required authentication types. This involves static management of a group, so it may be less desirable than using something like a UPN or Email address, matched against a particular suffix to offer a more dynamic evaluation.

For example, a dynamic evaluation can be used, as in the above example, to attach an authentication method to users with an @auth360.net UPN suffix to use an OATH token. I’ll cover dynamic evaluation using directed authentication types and responses in a later post.

With PointSharp Identity Federation, we specify the use of a smart authentication rule as the authentication method

Users logging on from a relying party externally are redirected to the PointSharp STS. (Note: I’ve already setup the PointSharp STS up as a claims provider within AD FS).

Within the PointSharp authentication service, if you recall from the earlier MemberOf smart rule graphic, we’ve identified four authentication types: OATH, SMS, PointSharp Password and AD Password. OATH tokens are event or time-based OTP schemes using hardware, software and SMS-based logon mechanisms. Both support (optional) challenge/response password/OTP combinations from the user repositories and the login process adapts to this according to the rules defined with the PointSharp authentication service. In addition, the PointSharp Password is an alternate login credential that can be called upon and is used in cases where customers do not wish to employ two-factor authentication, nor expose the AD password to external access. Instead, they wish to use a separate password source, independent of AD, with separate password/lockout policies, that can be used to provide claims-based access via the PointSharp STS to their web applications. Should we also we wish to make AD password-access available as a possible authentication type, this is also included in the example. Remote lockout conventions can also be applied to AD users, independent of the AD password policy, to ensure that remote access lockout does not necessarily incur a AD password lockout, and to prevent Denial of Service (DoS) lockout on a given user.

Within the PointSharp authentication service admin UI, in a storage called AUTH360, four users have been created for testing:

oathman is a user using an OATH token (hardware token / soft token)
smsboy is a user using an SMS authentication method
psidgal is a user using a PointSharp password
adkid is a user using an AD password

From within PointSharp Identity Federation (STS ) we can define claims-based access rules to be passed onto AD FS. To accomplish this, we create custom claims rules on the STS that conform to the authentication type we desire. This is then injected in the SAML token and consumed as a claim by AD FS, as the RP-STS, for further processing, and passed on to the RP. For example, the four authentication types defined within the SmartAuth rule are now processed at the STS :

These are passed back via the custom claims definition:

http://schemas.auth360.net/ws/2008/06/identity/claims/access

On AD FS, we create a claims description that conforms to the above description

On the PointSharp Identity Federation claims provider, we pass the above claims as well as any additional claims that we also elect to emit. On the claims provider pipeline in AD FS, we configure Acceptance Transform rules to pass the Access Type claims and any other rules that the Claims Provider STS has made available:

On the relying party application we define our issuance transform rules.

I’m using SimpleSAMLphp, a SAML 2.0 Service Provider, as my Relying Party. AD FS, as a broker, provides the necessary bridging between the WS-Federation passive STS of PointSharp and, in this case our SAML 2.0 RP. In the “groups” claim we pass an inbound custom customs claims definition that transforms the authentication method http://schemas.auth360.net/ws/2008/06/identity/claims/access and emit this as a SAML attribute that SimpleSAMLphp can then consume:

c:[Type == http://schemas.auth360.net/ws/2008/06/identity/claims/access] => issue(Type = “groups”, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

I’ve setup up a basic “Hello World” PHP application, which calls the SimpleSAMLphp libraries and then display the processed attributes in the web page. In our example, the access type (and authentication type) is expressed via the groups SAML assertion in array [0] –LOA4-AD. This is a user logging on who is a member of group LOA4-AD (using AD credentials).

Array
(
    [groups] => Array
        (
            [0] => LOA4-AD
            [1] => users
            [2] => members
        )

    [http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn] => Array
        (
            [0] => adkid@auth360.net
        )

)

At the relying party, we’re now at liberty to make authorization decisions based on the incoming claim, according to the strength of the authentication type. I’m using SimpleSAMLphp here as an example, but the same conventions can be applied to other WIF-based RPs/STS such as SharePoint.

In a future post, I’ll look at more refined policy assessments using access based on dynamic evaluation and SAML authentication contexts such as SAML AuthNContextClassRef and WS-Fed AuthenticationMethod in RP/SP initiated-sign-on scenarios. Meanwhile, I hope you enjoyed the post.

O365 and TMG with Strong Authentication (Part I)

June 2, 2011AD FS 2.0, Claims-based Authentication, Forefront TMG, Office 365AD FS 2.0, Forefront TMG, Office 365, Strong Authenticationmylo

This post looks at how TMG 2010 may occupy a role of hybrid AD FS Proxy for Office 365.

In previous posts on this blog we looked at using TMG as an AD FS 2.0 proxy .. When testing this back in Q4 2010, there was some uncertainty when testing (at least on my part), as to whether TMG as an AD FS proxy replacement was actually a supported configuration. Happily, it looks like these questions have been answered. In TechEd in Atlanta, the Office 365 deck on Identity and Access Solutions (OSP215) describes TMG as an alternative proxy offering for Office 365.

Here TMG substitutes the role of the AD FS proxy for corporate users using identity federation, with it being responsible for authentication of browser traffic (passive clients) coming from the Internet and traffic from Microsoft (active/MEX clients). One of the things about TMG is its flexibility and versatility. This was borne out in testing and it’s possible to support multiple flavours of access through a single web listener. For example, let’s say we need to support strong authentication for external / Internet-based clients using OWA 365 and Sharepoint 365, whilst at the same time we support internal/external users with rich clients, using conventional username and passwords, running Outlook and Lync. Let’s list those again:

Single factor (username/password) authentication for rich/active clients inside/outside the corporate environment… covering ActiveSync access from the outside, Outlook 200x from the inside/outside and MEX clients, such as Lync 2010 inside/outside
Single-factor authentication (username/password) for passive clients inside the corporate environment (OWA/Sharepoint)
Two factor authentication (2FA) for passive clients outside the corporate boundary (OWA/Sharepoint)

Inside the organisation, passive clients make use of the local AD FS 2.0 instance (rather than TMG), whereas Rich/Active clients use a more complex process . In fact, the latter makes for an interesting challenge, for any would-be admin, as the Microsoft Federation Gateway needs to call-back to the on-premise AD FS instance. Normally speaking, active and rich clients must, therefore, go through the AD FS Proxy for logon. In this post, we substitute the AD FS Proxy role for TMG, so that we may leverage capability that TMG can offer (I’m using the example of strong authentication).

The key to making this approach work with TMG lies in creating multiple web publishing rules, each with their own authentication requirements, using a single web listener. In doing so, we:

Create a web publishing rule that allows direct communication to the AD FS back-end for active and rich clients (effectively anonymizing authentication on the listener for the published paths in question)
Create a web publishing rule that triggers authentication (two-factor) on the TMG front-end and then uses delegation to the AD FS back-end using Negotiate authentication.

We are then able to support access requirements for both two-factor (external) logon from the browser, whilst also supporting the ability of single factor logon for active/rich clients, domain-joined and non-domain joined……..

There are a couple of tweaks in the TMG configuration necessary to ensure compatibility with AD FS 2.0…..

Disable Verify Normalization on the HTTP Filtering tab of each publishing rule
Disable Block High-Bit Characters on the HTTP Filtering tab of each publishing rule
Disable Link Translation on each publishing rule

Also, please ensure that:

DNS records for the AD FS Proxy point to the TMG web listener
A SAN or wildcard certificate is installed on the TMG listener with the appropriate FQDNs for the AD FS Federation Service endpoint (hint: export the certificate plus private key from AD FS and import into TMG)
Kerberos Delegation is configured for the AD FS Farm Application Pool Account or ADFS Computer Account (if the AD FS server is a single machine)

We create two publishing rules with the public name matching that of our AD FS 2.0 server/farm, sts.mydomain.com. :

Rule	Authentication Delegation	Paths	Users
#1	Kerberos Constrained Delegation	/adfs/ls/*	All Authenticated Users
#2	No delegation, but client may authenticate directly	/adfs/services/trust/2005/usernamemixed//adfs/services/trust/mex/	All Users

Rule #1 applies for the passive clients doing two-factor authentication on the web listener
Rule #2 applies for the rich/MEX and Active client profiles for Lync and ActiveSync/Outlook respectively.

The more restrictive rule (two-factor) should be applied first in the firewall list. As a general rule of thumb, let the TMG Logs and Reports tracker, together with Fiddler, help debug any protocol issues that may arise.

Next stop ….. UAG !!!!

(FOOT) NOTES

According to official documentation, Office 365 strong authentication scenarios include:

Two-factor authentication at Windows/Domain Logon
Two-factor authentication via Forefront UAG 2010 SP1 for web applications
Two-factor authentication via customized AD FS Proxy sign-in pages

If you have a fully-fledged public key infrastructure with smart cards, then you’re probably wondering what the fuss is about 😉

Option 2 looks promising.. However, after testing it and then reading and then re-reading the Office documentation, it appears that the working two-factor scenarios are limited to passive clients only (OWA/Sharepoint) and that Outlook and ActiveSync (O365) are not supported via UAG. Because a UAG server doing 2FA is acting as non-federated trunk, rich/active clients get stumped during authentication. Now, this may be possible to get working with some tweaking but it looks like some sacrifices would be required (e.g. disabling access policies on the trunk). I’m hoping I’m missing something here and some bright spark will put me right, part the clouds and show how it can be done Smile

Option 3 is very much possible if you’re prepared to roll up your sleeves and do some sort of customization of the ADFS Proxy sign-in pages to support 2FA, with your strong authentication vendor of choice. I’d expect to see some sort of progress from MS on this, given that Office 365 launches this month.

Getting this working through TMG was really the motivation for me here. If, as a prospective Office 365 customer, you have a requirement for strong authentication for external users, whilst at the same time you need to support traditional username/password logon internally, then maybe this option can assist..… as ever, your mileage may vary and please don’t deploy before testing this to death in anything close to production!

The Access Onion

Access Management and Identity Federation on a plate.