Troubleshooting Federation, AD FS 2.0, and More…

Presentation transcript:

Troubleshooting Federation, AD FS 2.0, and More…
John Craddock, Federation and Security Architect, XTSeminars
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Agenda
- Understand AD FS 2.0 key concepts
- Understand AD FS 2.0 challenges and common issues
- Identify AD FS 2.0 troubleshooting tools, tips and tricks

Key Concepts
- Issuer (IP-STS): the Identity Provider (IP) / Security Token Service (STS) authenticates the user against Active Directory.
- The user (subject / principal) requests a token for AppX; the STS issues a Security Token (ST) crafted for AppX.
- The Security Token contains claims about the user, for example: name, group membership, User Principal Name (UPN), email address of the user, email address of the manager, phone number, other attribute values.
- The Security Token "authenticates" the user to the application.
- AppX is the relying party (RP) / resource provider: it trusts the Security Token from the issuer because it is signed by the issuer.

Working with Partners
- Your claims-aware app trusts your STS (AD FS 2.0); your STS trusts your partner's STS (AD FS 2.0 STS & IP, backed by the partner's Active Directory).
- Flow for a partner user:
  1. The partner user browses to the app; not authenticated, so redirected to your STS.
  2. Home realm discovery at your STS; the user is redirected to the partner STS, requesting an ST for the partner user.
  3. The partner STS authenticates the user and returns an ST for consumption by your STS.
  4. The user is redirected to your STS, which processes the token and returns a new ST.
  5. The new ST is sent to the app, which returns cookies and the page.

Demo: Federation in action

XPath Query
- Use Find… in Event Viewer; the correlation value is shown as the ActivityID.
- Create an XPath form query to filter on it.

Seeing it All – Fiddler is a great tool

Fiddler as a Man in the Middle
- Browser -> WinINET -> Fiddler -> Webserver, with Fiddler presenting a spoofed certificate.
- Fiddler can intercept HTTPS traffic: it creates a certificate that represents the destination website.
- The browser will display the certificate as invalid unless it is added to the certificate store.
- If you add it to the store, make sure you remove it after testing.

Man-in-the-Middle Attack Prevention
- Depending on the client and server versions, Channel Binding Token (CBT) will be enforced to prevent man-in-the-middle attacks, and authentication will fail.
- For Fiddler SSL interception, temporarily disable CBT on the AD FS server.
- Configured through the Configuration Editor for the Default Website\adfs\ls, or via a script:

appcmd.exe set config "Default Web Site/ADFS/ls" -section:system.webServer/security/authentication/windowsAuthentication /extendedProtection.tokenChecking:"None" /extendedProtection.flags:"Proxy" /commit:apphost

First redirect to the STS (AD FS logon endpoint)
Decoded redirect URL:
  https://adfs.example.com/adfs/ls/?
    wa=wsignin1.0&                                  (action to perform)
    wtrealm=https://site1.example.com/Federation/&  (security realm of the RP)
    wctx=rm=0&id=passive&ru=%2fFederation%2f&       (consumed by the RP; passed through unchanged by all actors)
    wct=2011-04-15T15:12:28Z                        (time stamp)
- %2f decodes to /
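Decoding the sign-in redirect by hand gets old quickly. The following is an added example, not part of the presentation: it splits a WS-Federation sign-in URL into the parameters shown on the slide, unpacks the RP's own fields from wctx, and flags the mismatches a troubleshooter checks first. The encoded sample URL is constructed from the slide's values, and the 5-minute skew tolerance is an assumption, not an AD FS setting.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the slide's redirect URL in its on-the-wire (encoded)
# form. wctx is itself URL-encoded inside the query string.
SAMPLE_REDIRECT = (
    "https://adfs.example.com/adfs/ls/?wa=wsignin1.0"
    "&wtrealm=https%3a%2f%2fsite1.example.com%2fFederation%2f"
    "&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fFederation%252f"
    "&wct=2011-04-15T15%3a12%3a28Z"
)

WCT_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_wsfed_signin(url):
    """Split a WS-Federation sign-in redirect into its parameters.

    wctx is opaque to the STS and is passed back unchanged, so it is kept
    verbatim; because this RP packed key=value pairs into it, they are also
    unpacked into wctx_fields for display.
    """
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    params = {k: v[0] for k, v in qs.items()}
    ctx = parse_qs(params.get("wctx", ""), keep_blank_values=True)
    params["wctx_fields"] = {k: v[0] for k, v in ctx.items()}
    params["sts_host"] = parts.hostname
    return params


def check_signin_request(params, now, max_skew_minutes=5):
    """Return the problems a troubleshooter looks for first (empty = clean).

    now is the server time as a wct-style string; max_skew_minutes is an
    assumed tolerance for this example, not an AD FS setting.
    """
    problems = []
    if params.get("wa") != "wsignin1.0":
        problems.append("wa is not wsignin1.0")
    if not params.get("wtrealm", "").startswith("https://"):
        problems.append("wtrealm is missing or not an https URL")
    wct = params.get("wct")
    if wct is None:
        problems.append("wct (time stamp) missing")
    else:
        stamp = datetime.strptime(wct, WCT_FORMAT).replace(tzinfo=timezone.utc)
        ref = datetime.strptime(now, WCT_FORMAT).replace(tzinfo=timezone.utc)
        if abs(ref - stamp) > timedelta(minutes=max_skew_minutes):
            problems.append("wct is more than %d minutes from server time"
                            % max_skew_minutes)
    return problems


if __name__ == "__main__":
    p = parse_wsfed_signin(SAMPLE_REDIRECT)
    print(p["sts_host"], p["wtrealm"], p["wctx_fields"])
    print(check_signin_request(p, "2011-04-15T15:13:00Z"))
```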

The SAML token is transported in a web page
- Begins / ends with saml:Assertion
- Hidden form with POST method; the POST-back URL is defined via the RP configuration in AD FS
- Contents: SAML claims, SAML token signature, X.509 certificate of the signing party (includes the public key)
- wctx=rm=0&id=passive&ru=%2fFederation%2f& is unchanged since the initial request
- Submit button, plus JavaScript to automatically POST the page
- The SAML data is always signed; it can be encrypted if required

AD FS Cookies (after authentication with AD FS)
- MSISSelectionPersistent: identifies the authenticating IP-STS
- MSISAuth…: authenticated session cookies
- MSISSignOut: keeps track of all RPs to which the session has authenticated
- MSISLoopDetectionCookie: prevents multiple authentication requests due to a configuration error; default: 6 requests for authentication to the same RP within a short space of time

Web App Cookies
- Multiple FedAuth cookies set by the application
- Allow the browser session to remain authenticated to the web application

Demo: Tracing with Fiddler

Managing certificates that establish trust

Communications and trust
- The STS signs the ST with the STS token-signing certificate private key and encrypts it with the RP encryption certificate public key.
- The RP validates the ST with the STS token-signing certificate public key and decrypts it with the RP encryption certificate private key.
- The user trusts the website and the STS via SSL certificates; the certificate path is validated and the CRL checked.

Certificate Issues
- Archived certificates become unusable (fixed!)
- Support for 3rd-party CSPs (fixed!)
- V3 certificates do not work for token-signing and token-decryption certificates
  - Run "certutil -viewstore -v My > cert.txt" and look for KeySpec
  - KeySpec=0 if the certificate is from a version 3 template
- The same signature verification certificate cannot be used across multiple RPs

Processing claims in ADFS

Processing Claims Rules
- Claims Provider Trusts: Acceptance Transform rules specify the incoming claims that will be accepted from the claims provider and passed to the claims pipeline.
- Relying Party Trusts: Issuance Authorization rules specify the users that are permitted to access the relying party (Permit or Deny).
- Relying Party Trusts: Issuance Transform rules specify the claims that will be sent to the relying party in the ST.
- On Permit the issuance transform rules are processed; on Deny they are not.

Processing Rules
- Rules run in order: each rule takes from the input claims stream, executes, and its result goes to the output claims stream.
- Subsequent rules can process the results of previous rules.
- A custom rule can be created to add its results only to the input stream: replace the "issue" statement with "add".

Using attribute stores
- A rule extracts values from other attribute stores based on the input value(s).
- Attribute stores: AD (automatically added), SQL, LDAP, Forefront Identity Manager, custom attribute stores.
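The "issue" versus "add" distinction on the previous two slides is easiest to see by running it. This is an added example, not the presentation's or AD FS's own code: a small model of the claims pipeline in which rules read only the input stream, "issue" sends a rule's result to the output stream and "add" puts it back on the input stream for later rules; the attribute store, rules and account name are constructed for the example.

```python
from collections import namedtuple

Claim = namedtuple("Claim", ["type", "value"])

# Constructed stand-in for an attribute store (AD, SQL, LDAP ...): maps a
# Windows account name to attributes a rule can pull in.
ATTRIBUTE_STORE = {
    "CONTOSO\\alice": {"mail": "alice@contoso.example", "title": "Engineer"},
}


def rule_lookup_email(input_claims):
    """Rule 1: take the account name from the input, query the store for mail."""
    return [Claim("email", ATTRIBUTE_STORE[c.value]["mail"])
            for c in input_claims
            if c.type == "windowsaccountname" and c.value in ATTRIBUTE_STORE]


def rule_admin_role(input_claims):
    """Rule 2: members of the Admins group get a role claim."""
    return [Claim("role", "Administrator")
            for c in input_claims if c.type == "group" and c.value == "Admins"]


def rule_name_from_email(input_claims):
    """Rule 3: derive a name claim from any email claim on the input stream."""
    return [Claim("name", c.value.split("@", 1)[0])
            for c in input_claims if c.type == "email"]


def run_pipeline(initial_claims, rules):
    """rules is an ordered list of (rule_function, "issue" | "add")."""
    input_stream = list(initial_claims)
    output_stream = []
    for fn, mode in rules:
        results = fn(input_stream)          # a rule only ever reads the input
        if mode == "add":
            input_stream.extend(results)    # visible to subsequent rules only
        elif mode == "issue":
            output_stream.extend(results)   # goes into the security token
        else:
            raise ValueError("unknown rule mode: %r" % mode)
    return output_stream


INITIAL = [Claim("windowsaccountname", "CONTOSO\\alice"), Claim("group", "Admins")]


def token_with_add():
    """Rule 1 adds the email to the input, so rule 3 can build a name from it."""
    return run_pipeline(INITIAL, [(rule_lookup_email, "add"),
                                  (rule_admin_role, "issue"),
                                  (rule_name_from_email, "issue")])


def token_with_issue():
    """Same rules, but rule 1 issues: the email reaches the token, rule 3 sees nothing."""
    return run_pipeline(INITIAL, [(rule_lookup_email, "issue"),
                                  (rule_admin_role, "issue"),
                                  (rule_name_from_email, "issue")])


if __name__ == "__main__":
    print("add:  ", token_with_add())
    print("issue:", token_with_issue())
```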

Viewing the claims pipeline
- AD FS 2.0 can be configured to log events into the security log; the source is shown as "AD FS 2.0 Auditing".
- Enables issued claims to be viewed.
- Step 1 (on the AD FS 2.0 server): via Group or Local Policy, Security Settings\Local Policies\User Rights Management, add the AD FS service account to "Generate security audits".
- Step 2 (on the AD FS 2.0 server): run
  auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable

AD FS 2.0 Security Audits
- Step 3 (on the AD FS 2.0 server):

Security Audits Event IDs
- AD FS logon: Event ID 4624 (AD user and group SIDs)
- Token issued to AD FS by the claims provider: Event ID 299
- Acceptance Transform rules, then Issuance Authorization rules: Permit -> process the Issuance Transform rules; Deny -> Event ID 324
- Issued claims after processing rules: Event IDs 500 and 501
- Token issued to the relying party: Event ID 299
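Because one sign-in produces several of these events, the useful view is the set of events sharing one instance/activity ID. Added example, not from the presentation: it groups constructed audit records by that ID using the event IDs on the slide, and then flags any instance whose issued claims include a type the RP should never receive. The record layout and message texts are a constructed simplification, not the real security-log schema.

```python
from collections import defaultdict

# Constructed sample: two sign-ins, one permitted (A1) and one denied (B2).
SAMPLE_EVENTS = [
    {"event_id": 4624, "instance": "A1", "message": "logon CONTOSO\\alice"},
    {"event_id": 299,  "instance": "A1", "message": "token issued to AD FS"},
    {"event_id": 500,  "instance": "A1", "message": "claim name=alice"},
    {"event_id": 501,  "instance": "A1", "message": "claim role=Administrator"},
    {"event_id": 299,  "instance": "A1",
     "message": "token issued to https://site1.example.com/Federation/"},
    {"event_id": 4624, "instance": "B2", "message": "logon CONTOSO\\bob"},
    {"event_id": 299,  "instance": "B2", "message": "token issued to AD FS"},
    {"event_id": 324,  "instance": "B2",
     "message": "issuance authorization denied for https://site1.example.com/Federation/"},
]


def correlate(events):
    """Group audit events by instance ID and pull out what a troubleshooter needs."""
    by_instance = defaultdict(
        lambda: {"user": None, "claims": [], "tokens": [], "denied": False})
    for e in events:
        rec = by_instance[e["instance"]]
        msg = e["message"]
        if e["event_id"] == 4624:                 # AD FS logon
            rec["user"] = msg.split(" ", 1)[1]
        elif e["event_id"] in (500, 501):         # issued claims after rules
            ctype, _, value = msg.split(" ", 1)[1].partition("=")
            rec["claims"].append((ctype, value))
        elif e["event_id"] == 299:                # token issued (to AD FS or RP)
            rec["tokens"].append(msg.split("to ", 1)[1])
        elif e["event_id"] == 324:                # issuance authorization denied
            rec["denied"] = True
    return dict(by_instance)


def unexpected_claims(summary, allowed_types):
    """Instances whose issued claims include a type not on the RP's allow-list."""
    hits = {}
    for inst, rec in summary.items():
        extra = sorted({t for t, _ in rec["claims"] if t not in allowed_types})
        if extra:
            hits[inst] = extra
    return hits


if __name__ == "__main__":
    s = correlate(SAMPLE_EVENTS)
    for inst, rec in s.items():
        print(inst, rec)
    print(unexpected_claims(s, {"name"}))
```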

Demo: Auditing (Name, Title, Group)

AD FS 2.0 Performance Counters
- \AD FS 2.0\* (e.g. token requests/sec, federation metadata requests/sec)
- The AD FS 2.0 update rollup introduced a new performance counter and fixed some performance bugs
- WCF performance counters: \ServiceModelEndpoint 3.0.0.0(*)\*, \ServiceModelOperation 3.0.0.0(*)\*, \ServiceModelService 3.0.0.0(*)\*
- Other performance counters:
  \Memory\*, \Processor(*)\*, \Paging File(_Total)\*
  \Process(...)\* for Microsoft.IdentityServer.ServiceHost, lsass, w3wp and w3wp#1
  \APP_POOL_WAS(ADFSAppPool)\*
  \ASP.NET Applications(_LM_W3SVC_1_ROOT_adfs_ls)\*
  \Web Service(Default Web Site)\*
  \.NET CLR Networking(*)\*
  \Network Interface(*)\*
  \TCPv4\*, \TCPv6\*

Resources
- AD FS 2.0 update rollup 2
- AD FS 2.0 troubleshooting guide
- AD FS 2.0 SDK (updated in 2012!)
- AD FS 2.0 content map

Summary
- Troubleshooting federation can be tricky.
- Key helpers: event logs (match correlation IDs), trace logs for developers, performance counters, capture tools, security auditing.
- While systems are working, run captures and become familiar with the normal operations.
- End an argument with ACS.

John Craddock, Infrastructure and Security Architect, XTSeminars Ltd
Consulting services on request: John.craddock@xtseminars.co.uk, www.xtseminars.co.uk
John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems, with a focus on security and high availability. He has been a key player in many IT projects for industry leaders, including Microsoft, the UK Government and multinationals that require optimized IT systems. He has developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory internals, and presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars.

Resources
- Learning: TechNet http://europe.msteched.com
- Connect. Share. Discuss. http://europe.msteched.com
- Microsoft Certification & Training Resources: www.microsoft.com/learning
- TechNet Resources for IT Professionals: http://microsoft.com/technet
- Resources for Developers: http://microsoft.com/msdn

Evaluations: submit your evals online at http://europe.msteched.com/sessions
