Troubleshooting Federation, AD FS 2.0, and More…
John Craddock, Federation and Security Architect, XTSeminars
Lu Zhao, Program Manager, Microsoft
Agenda
• Understand AD FS 2.0 key concepts
• Understand AD FS 2.0 challenges and common issues
• Identify AD FS 2.0 troubleshooting tools and tips and tricks
Key Concepts
Diagram: Identity Provider (IP) = Active Directory plus a Security Token Service (STS), the issuer (IP-STS); Relying party (RP) / resource provider = AppX.
• The user / subject / principal requests a token for AppX
• The IP-STS issues a security token (ST) crafted for AppX, signed by the issuer
• The relying party trusts the security token from the issuer
• The security token contains claims about the user, for example:
  • Name
  • Group membership
  • User Principal Name (UPN)
  • Email address of user
  • Email address of manager
  • Phone number
  • Other attribute values
• The security token “authenticates” the user to the application: AppX processes the token and authenticates the user
Working with Partners
Diagram: your AD FS 2.0 STS, your claims-aware app and your Active Directory on one side; the partner user and the partner AD FS 2.0 STS & IP on the other. The app trusts your STS; your STS trusts your partner’s STS.
• The partner user browses the app
• Not authenticated: the app redirects to your STS
• Home realm discovery: the user is redirected to the partner STS requesting an ST for the partner user
• The partner STS authenticates the user and returns an ST for consumption by your STS
• Your STS returns a new ST
• The browser sends the token to the app
• The app returns cookies and the page
Demo: Federation in action
XPath Query
The correlation ID is shown as the ActivityID in each event:
• Create an XPath form query in Event Viewer to filter on the ActivityID
• Or use Find…
Seeing it All – Fiddler is a great tool
Fiddler as a Man in the Middle
• Fiddler can intercept HTTPS traffic: it creates a certificate that represents the destination website
• The browser will display the certificate as invalid unless it is added to the certificate store
• If you add it to the store, make sure you remove it after testing
Diagram: Browser → WinINET → Fiddler (spoof certificate) → Web server
Man-In-The-Middle Attack Prevention
• Depending on the client and server versions, Channel Binding Token (CBT) will be enforced to prevent man-in-the-middle attacks, and authentication will fail
• For Fiddler SSL interception, temporarily disable CBT on the AD FS server
• Configured through the Configuration Editor for Default Web Site\adfs\ls, or via a script:
appcmd.exe set config "Default Web Site/ADFS/ls" -section:system.webServer/security/authentication/windowsAuthentication /extendedProtection.tokenChecking:"None" /extendedProtection.flags:"Proxy" /commit:apphost
First redirect to STS
Decoded redirect URL: https://adfs.example.com/adfs/ls/?wa=wsignin1.0&wtrealm=https://site1.example.com/Federation/&wctx=rm=0&id=passive&ru=%2fFederation%2f&wct=2011-04-15T15:12:28Z
• https://adfs.example.com/adfs/ls/ : AD FS logon endpoint
• wa : action to perform
• wtrealm : security realm of the RP
• wctx : consumed by the RP; passed through unchanged by all actors
• wct : time stamp
• %2f decodes to /
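The same redirect decoded programmatically, with the checks that most often explain a failed first hop. This is an added example, not code from the deck; the URL is a constructed wire-form copy of the one above, and KNOWN_REALMS, SAMPLE_NOW and the skew tolerance are assumed values.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed wire form of the redirect shown on the slide. On the wire wtrealm, wctx and
# wct are percent-encoded once more, so the '&' and '=' inside wctx appear as %26 and %3d.
SAMPLE_REDIRECT = (
    "https://adfs.example.com/adfs/ls/?wa=wsignin1.0"
    "&wtrealm=https%3a%2f%2fsite1.example.com%2fFederation%2f"
    "&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fFederation%252f"
    "&wct=2011-04-15T15%3a12%3a28Z"
)
# Constructed stand-ins: the RP identifiers configured in AD FS, and the server clock
KNOWN_REALMS = {"https://site1.example.com/Federation/"}
SAMPLE_NOW = datetime(2011, 4, 15, 15, 13, 0, tzinfo=timezone.utc)

def parse_signin_redirect(url):
    """Return the WS-Federation parameters, the logon endpoint and the decoded wctx fields."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    params["endpoint"] = f"{parts.scheme}://{parts.netloc}{parts.path}"
    # wctx is opaque to AD FS; the RP packed rm/id/ru into it and needs it back unchanged.
    # A second decode turns ru=%2fFederation%2f into /Federation/ (%2f decodes to /).
    inner = parse_qs(params.get("wctx", ""), keep_blank_values=True)
    params["wctx_fields"] = {k: v[0] for k, v in inner.items()}
    return params

def check_signin_redirect(params, now, known_realms, max_skew_seconds=300):
    """Flag the parameters that most often explain a failed first redirect.
    The 5-minute skew tolerance is an assumed value for this example, not an AD FS setting."""
    problems = []
    if params.get("wa") != "wsignin1.0":
        problems.append("wa is not wsignin1.0")
    if not params.get("endpoint", "").lower().endswith("/adfs/ls/"):
        problems.append("redirect does not target the AD FS logon endpoint /adfs/ls/")
    if params.get("wtrealm") not in known_realms:
        problems.append("wtrealm is not a configured relying party identifier")
    try:
        wct = datetime.strptime(params["wct"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if abs((now - wct).total_seconds()) > max_skew_seconds:
            problems.append("wct differs from server time by more than the allowed skew")
    except (KeyError, ValueError):
        problems.append("wct missing or not an ISO 8601 UTC timestamp")
    return problems

if __name__ == "__main__":
    decoded = parse_signin_redirect(SAMPLE_REDIRECT)
    print(decoded["wtrealm"], decoded["wctx_fields"])
    print(check_signin_redirect(decoded, SAMPLE_NOW, KNOWN_REALMS))
```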
The SAML token is transported in a web page
• The SAML data is always signed; it can be encrypted if required
• Hidden form with POST method; the POST-back URL is defined via the RP configuration in AD FS
• Form contents: SAML claims; Signature; X.509 certificate of the signing party (includes the public key); wctx=rm=0&id=passive&ru=%2fFederation%2f& (unchanged since the initial request); Submit button
• JavaScript automatically POSTs the page
• The SAML token begins / ends with saml:Assertion
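Pulling the pieces listed above out of the posted form. This is an added example, not code from the deck: the wresult is a constructed, heavily trimmed SAML 1.1 assertion with placeholder signature and certificate values, and the function only reports whether a signature and signer certificate are present (the RP’s WIF module does the real verification against the configured signing certificate).

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"

# Constructed, trimmed wresult: AD FS 2.0 wraps the saml:Assertion in a RequestSecurityTokenResponse.
SAMPLE_WRESULT = f"""<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<t:RequestedSecurityToken><saml:Assertion xmlns:saml="{NS['saml']}" AssertionID="_constructed"
 Issuer="http://adfs.example.com/adfs/services/trust" IssueInstant="2011-04-15T15:12:28Z">
 <saml:Conditions><saml:AudienceRestrictionCondition>
  <saml:Audience>https://site1.example.com/Federation/</saml:Audience>
 </saml:AudienceRestrictionCondition></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute AttributeName="name" AttributeNamespace="{CLAIMS_NS}">
   <saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
 <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
 </ds:Signature></saml:Assertion></t:RequestedSecurityToken></t:RequestSecurityTokenResponse>"""

# The hidden form fields as the urlencoded body the browser POSTs back (wctx copied from the request)
SAMPLE_WCTX = "rm=0&id=passive&ru=%2fFederation%2f"
SAMPLE_FORM_BODY = urlencode({"wa": "wsignin1.0", "wresult": SAMPLE_WRESULT, "wctx": SAMPLE_WCTX})

def summarize_signin_response(form_body, expected_wctx, expected_realm):
    """Extract issuer, claims and signature material, and check the two things the RP relies on:
    the audience matches its realm and wctx came back unchanged."""
    fields = {k: v[0] for k, v in parse_qs(form_body).items()}
    assertion = ET.fromstring(fields["wresult"]).find(".//saml:Assertion", NS)
    claims = {}
    for attr in assertion.findall(".//saml:Attribute", NS):
        claim_type = attr.get("AttributeNamespace") + "/" + attr.get("AttributeName")
        claims[claim_type] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    return {
        "issuer": assertion.get("Issuer"),
        "claims": claims,
        "signed": assertion.find("ds:Signature", NS) is not None,          # presence only
        "has_signer_cert": assertion.find(".//ds:X509Certificate", NS) is not None,
        "audience_ok": expected_realm in audiences,
        "wctx_unchanged": fields.get("wctx") == expected_wctx,
    }
```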
AD FS Cookies
After authentication with AD FS:
• MSISSelectionPersistent: identifies the authenticating IP-STS
• MSISAuth…: authenticated session cookies
• MSISSignOut: keeps track of all RPs to which the session has authenticated
• MSISLoopDetectionCookie: prevents multiple authentication requests due to a configuration error; time-out default: 6 requests for authentication to the same RP within a short space of time
Web App Cookies
• Multiple FedAuth cookies allow the browser session to remain authenticated to the web application
Demo: Tracing with Fiddler
Managing certificates that establish trust
Communications and trust
Diagram: User, STS and RP.
• The user trusts the website and the STS via SSL certificates: the certificate path is validated and the CRL checked
• The STS signs the ST with the STS token-signing certificate private key; the RP validates it with the STS token-signing certificate public key
• The STS encrypts the ST with the RP encryption certificate public key; the RP decrypts it with the RP encryption certificate private key
Certificate Issues
• Archived certificates become unusable (fixed!)
• Support for 3rd-party CSPs (fixed!)
• V3 certificates do not work for token-signing and token-decryption certificates
  • Run “certutil -viewstore -v My > cert.txt” and look for KeySpec
  • KeySpec=0 if the certificate is a version 3 template
• The same signature verification certificate cannot be used across multiple RPs
Processing claims in AD FS
Processing Claims Rules
Claims Pipeline
Diagram: AD → Claims Provider Trusts (Acceptance Transform rules) → Relying Party Trusts (Issuance Authorization rules: Permit or Deny; Issuance Transform rules) → ST → RP
• Acceptance Transform rules (Claims Provider Trusts): specify the incoming claims that will be accepted from the claims provider and passed to the pipeline
• Issuance Authorization rules (Relying Party Trusts): specify the users that are permitted to access the relying party; Permit or Deny. Deny: not processed further
• Issuance Transform rules (Relying Party Trusts): on Permit, specify the claims that will be sent to the relying party
Processing Rules
• Subsequent rules can process the results of previous rules
• A custom rule can be created to only add the results to the input stream: replace the “issue” statement with “add”
Diagram: Rule 1, Rule 2, Rule 3 run in sequence; each rule takes claims from the input claims stream, executes, and its result is written to the output claims stream and to the input claims stream for subsequent rules
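A small model of the two statements, as an added example rather than anything from the deck or AD FS itself: a hypothetical, simplified pipeline in which "issue" writes a rule's results to both streams and "add" writes them to the input stream only, so a later rule can build on them while the relying party never sees them. The rule set and claim values are constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Claim:
    type: str
    value: str

@dataclass
class Rule:
    match_type: str              # claim type the rule reads from the input stream
    produce_type: str            # claim type the rule produces
    transform: Callable[[str], str]
    statement: str = "issue"     # "issue" (both streams) or "add" (input stream only)

def run_pipeline(input_claims, rules) -> Tuple[List[Claim], List[Claim]]:
    """Run the rules in order; return the final input stream and the output stream."""
    input_stream = list(input_claims)
    output_stream = []
    for rule in rules:
        results = [Claim(rule.produce_type, rule.transform(c.value))
                   for c in input_stream if c.type == rule.match_type]
        input_stream.extend(results)        # subsequent rules can process these results
        if rule.statement == "issue":
            output_stream.extend(results)   # only issued claims reach the relying party
    return input_stream, output_stream

WINACCT = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed rule set. Rule 1 derives an e-mail address with "add"; in AD FS claim rule
# language the same idea would query an attribute store, e.g.
#   c:[Type == "<windowsaccountname>"] => add(store = "Active Directory",
#      types = ("<emailaddress>"), query = ";mail;{0}", param = c.Value);
# Rule 2 then issues a role from that e-mail. The RP sees the role but never the e-mail.
RULES = [
    Rule(WINACCT, EMAIL, lambda v: v.split("\\")[-1].lower() + "@example.com", "add"),
    Rule(EMAIL, ROLE, lambda v: "Staff" if v.endswith("@example.com") else "Guest"),
]

def demo():
    return run_pipeline([Claim(WINACCT, "EXAMPLE\\Alice")], RULES)
```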
Using attribute stores
Diagram: Rule 1 takes claims from the input claims stream, executes, and writes its result to the output claims stream
• A rule extracts values from other attribute stores based on the input value(s)
• Attribute stores: AD (automatically added), LDAP, SQL, custom attribute stores, Forefront Identity Manager
AD FS 2.0 Security Audits
Viewing the claims pipeline
• AD FS 2.0 can be configured to log events into the security log
• Source shown as AD FS 2.0 Auditing
• Enables issued claims to be viewed
Step 1 (on AD FS 2.0 server): via Group or Local Policy, under Security Settings\Local Policies\User Rights Management, add the AD FS service account to the “Generate security audits” properties
Step 2 (on AD FS 2.0 server): run auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
Step 3 (on AD FS 2.0 server):
Security Audits Event IDs
Diagram: AD FS logon, Event ID 4624 → Event ID 501 (caller identity: AD user and group SIDs, the input to the claims provider’s Acceptance Transform rules) → Issuance Authorization rules: Deny → Event ID 324; Permit → process Issuance Transform rules → Event ID 299 (token issued) and Event ID 500 (issued claims after processing rules). The 299/500 pair is shown for the token issued to AD FS and again for the token issued to the relying party (ST).
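Correlating those audit events by instance ID, as an added example (not from the deck): the records are constructed, not real AD FS event text, and the stage mapping follows the diagram above (501 caller identity, 324 denied, 299 issued, 500 issued claims).

```python
from collections import defaultdict

# Constructed audit records (event_id, instance_id, detail); not real AD FS event text.
SAMPLE_EVENTS = [
    (4624, "A1", "Logon: EXAMPLE\\alice"),
    (501, "A1", "windowsaccountname=EXAMPLE\\alice"),
    (501, "A1", "primarysid=S-1-5-21-CONSTRUCTED-1001"),
    (299, "A1", "Token issued to https://site1.example.com/Federation/"),
    (500, "A1", "role=Staff"),
    (4624, "B7", "Logon: EXAMPLE\\bob"),
    (501, "B7", "windowsaccountname=EXAMPLE\\bob"),
    (324, "B7", "Issuance authorization denied for https://site1.example.com/Federation/"),
    (501, "C3", "windowsaccountname=EXAMPLE\\carol"),
]

def correlate(events):
    """Group events by instance ID and map them onto the pipeline stages from the slide:
    501 = caller identity (input claims), 324 = authorization denied, 299 = token issued,
    500 = claims issued after the issuance rules ran."""
    requests = defaultdict(lambda: {"caller": [], "issued": [], "outcome": "incomplete"})
    for event_id, instance_id, detail in events:
        req = requests[instance_id]
        if event_id == 501:
            req["caller"].append(detail)
        elif event_id == 500:
            req["issued"].append(detail)
        elif event_id == 299:
            req["outcome"] = "issued"
        elif event_id == 324:
            req["outcome"] = "denied"
    return dict(requests)

def requests_with_outcome(summary, outcome):
    """Instance IDs ending in the given outcome; "incomplete" ones never reached the
    issuance stage and are the cases to chase in the trace logs."""
    return sorted(i for i, req in summary.items() if req["outcome"] == outcome)

if __name__ == "__main__":
    summary = correlate(SAMPLE_EVENTS)
    for outcome in ("issued", "denied", "incomplete"):
        print(outcome, requests_with_outcome(summary, outcome))
```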
Demo: Auditing (claims shown: Name, Title, Group)
AD FS 2.0 Performance Counters
• AD FS 2.0 performance counters: \AD FS 2.0\* (ex. token requests/sec, federation metadata requests/sec); the AD FS 2.0 update rollup introduced a new performance counter and fixed some performance bugs
• WCF performance counters: \ServiceModelEndpoint 3.0.0.0(*)\*, \ServiceModelOperation 3.0.0.0(*)\*, \ServiceModelService 3.0.0.0(*)\*
• Other performance counters: \Memory\*, \Processor(*)\*, \Paging File(_Total)\*, \Process(Microsoft.IdentityServer.ServiceHost) (lsass) (w3wp) (w3wp#1)\*, \APP_POOL_WAS(ADFSAppPool)\*, \ASP.NET Applications(_LM_W3SVC_1_ROOT_adfs_ls)\*, \Web Service(Default Web Site)\*, \.NET CLR Networking(*)\*, \Network Interface(*)\*, \TCPv4\*, \TCPv6\*
Resources
• AD FS 2.0 update rollup 2
• AD FS 2.0 troubleshooting guide
• AD FS 2.0 SDK (updated in 2012!)
• AD FS 2.0 content map
Summary
• Troubleshooting federation can be tricky
• Key helpers:
  • Event logs – match correlation IDs
  • Trace logs for developers
  • Performance counters
  • Capture tools
  • Security auditing
• While systems are working, run captures and become familiar with the normal operations
• End an argument with ACS
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.