troubleshooting federation, adfs, and more
DESCRIPTION
More info on http://techdays.be
TRANSCRIPT
Troubleshooting Federation, AD FS 2.0, and More…
John Craddock, Infrastructure and Security Architect, XTSeminars Ltd
Agenda
Understand AD FS 2.0 key concepts
Understand AD FS 2.0 challenges and common issues
Identify AD FS 2.0 troubleshooting tools and tips and tricks
Key Concepts
Identity Provider (IP): Active Directory plus a Security Token Service (STS), the issuer (IP-STS)
User / Subject / Principal: requests a token for AppX
Issuer: issues a security token (ST) crafted for AppX, signed by the issuer
Relying party (RP) / Resource provider (AppX): trusts the security token from the issuer, authenticates the user and processes the token
The security token contains claims about the user, for example:
• Name
• Group membership
• User Principal Name (UPN)
• Email address of user
• Email address of manager
• Phone number
• Other attribute values
The security token "authenticates" the user to the application
Working with Partners
Actors: your claims-aware app, your AD FS 2.0 STS, your Active Directory, the partner user, and the partner's AD FS 2.0 STS & IP
1. Partner user browses the app; not authenticated; redirected to your STS
2. Home realm discovery at your STS
3. Redirected to the partner STS requesting an ST for the partner user
4. Partner STS authenticates the user and returns an ST for consumption by your STS
5. Your STS returns a new ST
6. Browser sends the token to the app; the app returns cookies and the page
Trust relationships: the app trusts your STS; your STS trusts your partner's STS
Demo… Federation in action
XPath Query
The correlation ID is shown as the ActivityID: create an XPath form query on it, or use Find…
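An added example, not from the deck, of the same ActivityID lookup done from PowerShell rather than Event Viewer; the XPath is the form Event Viewer's XML filter accepts, and the GUID is a placeholder to be replaced with the ActivityID from the failing event.

```powershell
# Added example (not the speaker's code): pull every AD FS 2.0 event that shares one
# correlation ActivityID. Placeholder GUID: copy the ActivityID from the error event.
$activityId = '{00000000-0000-0000-0000-000000000000}'   # placeholder

# Event Viewer stores the correlation ID in <System><Correlation ActivityID="..."/>,
# so this is the same XPath you would paste into "Filter Current Log > XML".
$xpath = "*[System[Correlation[@ActivityID='$activityId']]]"

# The Admin log is always on; the Tracing/Debug log only has data while it is enabled,
# and Get-WinEvent requires -Oldest when reading a debug log.
foreach ($log in 'AD FS 2.0/Admin', 'AD FS 2.0 Tracing/Debug') {
    Get-WinEvent -LogName $log -FilterXPath $xpath -Oldest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, @{ n = 'Log'; e = { $log } }, Message |
        Format-List
}
```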
Seeing it All – Fiddler is a great tool
Fiddler as a Man in the Middle
Fiddler can intercept HTTPS traffic: it creates a certificate that represents the destination website
The browser will display the certificate as invalid unless it is added to the certificate store; if you add it to the store, make sure you remove it after testing
Path of the traffic: Browser → WinINET → Fiddler (spoofed certificate) → Web server
Man-In-The-Middle Attack Prevention
Depending on the client and server versions, Channel Binding Token (CBT) will be enforced to prevent man-in-the-middle attacks, and authentication will fail
For Fiddler SSL interception, temporarily disable CBT on the AD FS server (and restore it once testing is done)
Configured through the Configuration Editor for Default Web Site\adfs\ls, or via a script:
appcmd.exe set config "Default Web Site/ADFS/ls" -section:system.webServer/security/authentication/windowsAuthentication /extendedProtection.tokenChecking:"None" /extendedProtection.flags:"Proxy" /commit:apphost
First redirect to STS
Decoded redirect URL:
https://adfs.example.com/adfs/ls/?wa=wsignin1.0&wtrealm=https://site1.example.com/Federation/&wctx=rm=0&id=passive&ru=%2fFederation%2f&wct=2011-04-15T15:12:28Z
/adfs/ls/ – AD FS logon endpoint
wa=wsignin1.0 – action to perform
wtrealm – security realm of the RP
wctx – consumed by the RP; passed through unchanged by all actors
wct – time stamp
%2f decodes to /
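The redirect above, decoded and checked in PowerShell as an added example (not the speaker's code); the expected realm and the five-minute skew window are assumptions made for the checks.

```powershell
# Added example (not from the deck): decode a captured WS-Federation sign-in redirect
# and check the parameters annotated on the slide.
Add-Type -AssemblyName System.Web

$redirect = 'https://adfs.example.com/adfs/ls/?wa=wsignin1.0&wtrealm=https://site1.example.com/Federation/&wctx=rm=0&id=passive&ru=%2fFederation%2f&wct=2011-04-15T15:12:28Z'
$expectedRealm = 'https://site1.example.com/Federation/'   # assumption: the RP identifier configured in AD FS

$uri   = [uri]$redirect
$query = [System.Web.HttpUtility]::ParseQueryString($uri.Query)   # also turns %2f into /

# In a raw capture wctx is itself URL-encoded, so rm/id/ru stay inside one value; in the
# decoded form shown on the slide they surface as top-level keys. Handle both.
$ctx = if ($query['wctx'] -match '&') { [System.Web.HttpUtility]::ParseQueryString($query['wctx']) } else { $query }
$wct = [DateTimeOffset]::Parse($query['wct']).UtcDateTime

[pscustomobject]@{
    Endpoint = $uri.AbsolutePath      # /adfs/ls/   : AD FS logon endpoint
    Action   = $query['wa']           # wsignin1.0  : action to perform
    Realm    = $query['wtrealm']      # security realm of the RP
    ReturnTo = $ctx['ru']             # /Federation/ once %2f is decoded
    Issued   = $wct                   # wct time stamp, UTC
}

# Each of these explains a failed sign-in on its own: wrong endpoint, wrong action,
# a realm that is not registered as an RP, or a wct far from the AD FS server's clock.
if ($uri.AbsolutePath -ne '/adfs/ls/')        { Write-Warning "unexpected endpoint $($uri.AbsolutePath)" }
if ($query['wa'] -ne 'wsignin1.0')            { Write-Warning "unexpected wa: $($query['wa'])" }
if ($query['wtrealm'] -ne $expectedRealm)     { Write-Warning 'wtrealm does not match the RP identifier' }
$skew = [datetime]::UtcNow - $wct
if ([math]::Abs($skew.TotalMinutes) -gt 5)    { Write-Warning "wct is $([int]$skew.TotalMinutes) minutes from this clock" }
```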
The SAML token is transported in a web page
The SAML data is always signed; it can be encrypted if required
Hidden form with POST method; the POST-back URL is defined via the RP configuration in AD FS
The form carries:
• SAML claims
• Signature
• X.509 certificate of the signing party (includes the public key)
• wctx=rm=0&id=passive&ru=%2fFederation%2f& – unchanged since the initial request
• Submit button
• JavaScript to automatically POST the page
SAML token: begins / ends with saml:Assertion
AD FS Cookies
After authentication with AD FS:
• MSISSelectionPersistent: identifies the authenticating IP-STS
• MSISAuth…: authenticated session cookies
• MSISSignOut: keeps track of all RPs to which the session has authenticated
• MSISLoopDetectionCookie: prevents multiple authentication requests due to a configuration error; time-out default: 6 requests for authentication to the same RP within a short space of time
Web App Cookies
• Multiple FedAuth cookies: allow the browser session to remain authenticated to the web application
Demo… Tracing with Fiddler
Processing claims in ADFS
Processing Claims Rules
Claims pipeline: AD → Claims Provider Trusts (Acceptance Transform rules) → Relying Party Trusts (Issuance Authorization rules, then Issuance Transform rules) → ST → RP
Claims Provider Trusts, Acceptance Transform rules: specify incoming claims that will be accepted from the claims provider and passed to the pipeline
Relying Party Trusts, Issuance Authorization rules: Permit or Deny; specify the users that are permitted to access the relying party
• Permit: the Issuance Transform rules are processed
• Deny: not processed
Relying Party Trusts, Issuance Transform rules: specify the claims that will be sent to the relying party
Processing Rules
Subsequent rules can process the results of previous rules
Each rule (Rule 1, Rule 2, Rule 3 in turn) takes claims from the input stream, executes, and returns its result to the pipeline, so Rule 2 can work on the results of Rule 1 and Rule 3 on the results of both
A custom rule can be created to only add its results to the input stream: replace the "issue" statement with "add"
Using attribute stores
A rule extracts values from other attribute stores based on input value(s): take from input, execute the rule, return the result to the claims stream
Attribute stores: AD (automatically added), SQL, LDAP, custom attribute stores, Forefront Identity Manager
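An added example, not from the deck, that ties the processing-rules slide and the attribute-store slide together: rule 1 uses "add" to pull the mail attribute from the Active Directory attribute store into the input stream only, and rule 2 issues that claim to the RP only when it belongs to the expected domain. The trust name and the example.com domain are placeholders; the claim type URIs are the standard ones.

```powershell
# Added example (not the speaker's code): apply two issuance transform rules to a
# relying party trust with the AD FS 2.0 PowerShell snap-in. Trust name is a placeholder.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rules = @'
@RuleName = "Rule 1: add mail from the AD attribute store to the input stream only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "Rule 2: issue the email address only when it is in the expected domain"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Value =~ "^[^@]+@example\.com$"]
 => issue(claim = c);
'@
# Because rule 1 says "add" rather than "issue", an address outside example.com never reaches
# the output stream: it is visible to rule 2 but is not sent to the relying party.

Set-ADFSRelyingPartyTrust -TargetName 'AppX (placeholder)' -IssuanceTransformRules $rules

# Read the rule set back to confirm what the trust now carries
(Get-ADFSRelyingPartyTrust -Name 'AppX (placeholder)').IssuanceTransformRules
```

With security auditing enabled (next slides), the 501 input event shows the mail claim added by rule 1 while the 500 issued-claims event only shows it when rule 2 matched.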
Viewing the claims pipeline
AD FS 2.0 can be configured to log events into the security log; the source is shown as "AD FS 2.0 Auditing". This enables issued claims to be viewed
Step 1 (on AD FS 2.0 server): via Group or Local Policy, Security Settings\Local Policies\User Rights Management, add the AD FS service account to the "Generate security audits" properties
Step 2 (on AD FS 2.0 server): run
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
AD FS 2.0 Security Audits
Step 3 (on AD FS 2.0 server):
Security Audits Event IDs (mapped onto the claims pipeline)
• AD FS logon: Event ID 4624
• Token issued to AD FS: Event ID 299; input claims (AD user and group SIDs) Event ID 501; claims provider Acceptance Transform rules; output Event ID 500
• Issuance Authorization rules on the input: Deny → Event ID 324; Permit → process Issuance rules
• Token issued to relying party: Issuance Transform rules; output Event ID 500 (issued claims after processing rules); Event ID 299; ST delivered to the RP
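An added example, not from the deck, that reads the audit events mapped above back out of the Security log and summarises them per pipeline stage; it assumes the auditing steps have been completed, and the 24-hour window is an assumption.

```powershell
# Added example (not the speaker's code): summarise AD FS 2.0 audit events by pipeline stage.
$since  = (Get-Date).AddHours(-24)     # assumption: look back one day
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'AD FS 2.0 Auditing'   # source name shown in the deck
    Id           = 299, 324, 500, 501
    StartTime    = $since
} -ErrorAction SilentlyContinue

$stage = @{
    501 = 'input claims (caller identity)'
    500 = 'issued claims after processing rules'
    299 = 'token issued'
    324 = 'authorization denied'
}

# Count per stage. A rising 324 count against a flat 299 count points at the
# issuance authorization rules rather than at authentication or the network.
$events | Group-Object Id | ForEach-Object {
    [pscustomobject]@{ EventId = [int]$_.Name; Stage = $stage[[int]$_.Name]; Count = $_.Count }
} | Sort-Object EventId | Format-Table -AutoSize

# Show the denies in full: the message text names the caller and the relying party.
$events | Where-Object { $_.Id -eq 324 } | Select-Object TimeCreated, Message | Format-List
```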
Demo… Auditing
AD FS 2.0 Performance Counters
AD FS 2.0 performance counters: \AD FS 2.0\* (e.g. token requests/sec, federation metadata requests/sec); the AD FS 2.0 update rollup introduced a new performance counter and fixed some performance bugs
WCF performance counters: \ServiceModelEndpoint 3.0.0.0(*)\*, \ServiceModelOperation 3.0.0.0(*)\*, \ServiceModelService 3.0.0.0(*)\*
Other performance counters: \Memory\*, \Processor(*)\*, \Paging File(_Total)\*, \Process(Microsoft.IdentityServer.ServiceHost) (lsass) (w3wp) (w3wp#1)\*, \APP_POOL_WAS(ADFSAppPool)\*, \ASP.NET Applications(_LM_W3SVC_1_ROOT_adfs_ls)\*, \Web Service(Default Web Site)\*, \.NET CLR Networking(*)\*, \Network Interface(*)\*, \TCPv4\*, \TCPv6\*
Resources
AD FS 2.0 update rollup 2
AD FS 2.0 troubleshooting guide
AD FS 2.0 SDK (updated in 2012!)
AD FS 2.0 content map
Summary
Troubleshooting federation can be tricky
Key helpers:
• Event logs – match correlation IDs
• Trace logs for developers
• Performance counters
• Capture tools
• Security auditing
While systems are working, run captures and become familiar with the normal operations
End an argument with Windows Azure Access Control Service (ACS)
TechEd 2013
I will be speaking at TechEd 2013
Precon: Windows Server DirectAccess
Other breakouts
Consulting services on request
John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems with a focus on security and high-availability. A key player in many IT projects for industry leaders including Microsoft, the UK Government and multi-nationals that require optimized IT systems. Developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory Internals, presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars. www.xtseminars.co.uk
John Craddock, Infrastructure and Security Architect, XTSeminars Ltd