Troubleshooting Federation AD FS 2 0 and More
Troubleshooting Federation, AD FS 2. 0, and More… John Craddock, Federation and Security Architect, XTSeminars Lu Zhao, Program Manager, Microsoft
Authenticates user Issuer IP-STS Identity Provider (IP) Security Token Service (STS) Requests token for App. X User / Subject /Principal The Security Token Contains claims about the user For example: • Name • Group membership • User Principal Name (UPN) • Email address of user • Email address of manager • Phone number • Other attribute values Signed by issuer ST Active Directory Issues Security Token crafted for Appx Security Token “Authenticates” user to the application App. X Relying party (RP)/ Resource provider Trusts the Security Token from the issuer
Your AD FS 2. 0 STS Your Claims-aware app Partner user App trusts STS Browse app Partner AD FS 2. 0 STS & IP Active Directory Your STS trusts your partner’s STS Not authenticated Redirect to your STS Home realm discovery Redirected to partner STS requesting ST for partner user Return ST for consumption by your STS ST ST ST Redirected to your STS Return new ST Send Token Return cookies and page Process token ST Authenticate
demo Federation in action
Browser Win. INET Fiddler Spoof certificate Webserver
appcmd. exe set config "Default Web Site/ADFS/ls" section: system. web. Server/security/au thentication/windows. Authentication /extended. Protection. token. Checking: "N one" /extended. Protection. flags: "Proxy" /commit: apphost temporarily
AD FS logon endpoint Action to perform Security realm of RP Consumed by RP passed through unchanged by all actors Time Stamp %2 f decodes to / Decoded redirect URL: https: //adfs. example. com/adfs/ls/? wa=wsignin 1. 0& wtrealm=https: //site 1. example. com/Federation/& wctx=rm=0&id=passive&ru=%2 f. Federation%2 f& wct=2011 -04 -15 T 15: 12: 28 Z
Begins / ends with saml: Assertion Hidden form with POST method POST back URL defined via RP configuration in ADFS SAML claims Signature X. 509 Certificate of signing party (includes public key) Unchanged since initial request
AD FS
Application
demo Tracing with Fiddler
STS Sign with STS token signing certificate private key Encrypt with RP encryption certificate public key ST User trusts website and STS via SSL certificates Certificate path validated and CRL checked RP Validate with STS token signing certificate public key Decrypt with RP encryption certificate private key
Run “certutil –viewstore –v My > cert. txt” and look for Keyspec=0 if the certificate is a version 3 template
Claims Provider Trusts AD Acceptance Transform rules Specify incoming claims that will be accepted from the claims provider and passed to the pipeline Permit: specifies claims that will be sent to the relying party Deny: Not processed C l a i m s P i p e l i n e Specify the users that are permitted to access the relying party Issuance Authorization rules ST Issuance Transform rules Relying Party Trusts Claims Provider Trusts
Take from input Rule 1 Execute Rule 2 Execute Rule 3 Execute Rule Result
Take from input Rule 1 Execute Rule Result Rule extracts values from other attribute stores based on input value(s) Forefront Identity Manager
Step 3 (on AD FS 2. 0 server):
ADFS Logon Event ID 4624 Event ID 324 Deny Issuance Authorization Rules input ST Event ID 299 Event ID 500 Issuance Transform Rules Acceptance Transform Rules Event ID 500 Permit process Issuance Rules output Claims provider Issued claims after processing rules Event ID 299 Event ID 501 input Token issued to relying party input Token issued to AD FS AD user and group SIDs
demo Auditing Name Title Group
AD FS 2. 0 update rollup 2 AD FS 2. 0 troubleshooting guide AD FS 2. 0 SDK AD FS 2. 0 content map
Complete an evaluation on Comm. Net and enter to win!
Required Slide *delete this box when your slide is finalized Your MS Tag will be inserted here during the final scrub. Scan the Tag to evaluate this session now on my. Tech. Ed Mobile
- Slides: 32