Transcript of "Troubleshooting Federation, ADFS, and More "
Agenda
• Understand AD FS 2.0 key concepts
• Understand AD FS 2.0 challenges and common issues
• Identify AD FS 2.0 troubleshooting tools, tips and tricks
Key Concepts
• Issuer (IP-STS): Identity Provider (IP) / Security Token Service (STS); authenticates the user against Active Directory and issues the Security Token
• User / Subject / Principal: requests a token for AppX
• The Security Token (ST): contains claims about the user crafted for AppX and is signed by the issuer. For example:
  • Name
  • Group membership
  • User Principal Name (UPN)
  • Email address of user
  • Email address of manager
  • Phone number
  • Other attribute values
• AppX, the Relying Party (RP) / Resource Provider: trusts the Security Token from the issuer; the Security Token “authenticates” the user to the application
Working with Partners
Your side: claims-aware app, your AD FS 2.0 STS, your Active Directory. Partner side: the partner’s AD FS 2.0 STS & IP. The app trusts your STS; your STS trusts the partner’s STS.
1. A partner user browses to the app and is not authenticated
2. Redirect to your STS; home realm discovery
3. Redirected to the partner STS, requesting an ST for the partner user
4. The partner STS authenticates the user and returns an ST for consumption by your STS
5. Redirected to your STS, which returns a new ST
6. The token is sent to the app; the app processes the token and returns cookies and the page
XPath Query
Use Find… to locate the correlation ID, shown as the ActivityID; create an XPath form query to filter on it
Fiddler as a Man in the Middle
• Fiddler can intercept HTTPS traffic; it creates a certificate that represents the destination website
• The browser will display the certificate as invalid unless it is added to the certificate store
• If you add it to the store, make sure you remove it after testing
Man-In-The-Middle Attack Prevention
• Depending on the client and server versions, the Channel Binding Token (CBT) will be enforced to prevent man-in-the-middle attacks, and authentication through Fiddler will fail
• For Fiddler SSL interception, temporarily disable CBT on the AD FS server; configured through the Configuration Editor for Default Web Site/adfs/ls, or via a script:
  appcmd.exe set config "Default Web Site/ADFS/ls" -section:system.webServer/security/authentication/windowsAuthentication /extendedProtection.tokenChecking:"None" /extendedProtection.flags:"Proxy" /commit:apphost
First redirect to STS
Decoded redirect URL (%2f decodes to /):
  https://adfs.example.com/adfs/ls/?
    wa=wsignin1.0&
    wtrealm=https://site1.example.com/Federation/&
    wctx=rm=0&id=passive&ru=%2fFederation%2f&
    wct=2011-04-15T15:12:28Z
The SAML token is transported in a web page
• Hidden form with POST method; the POST back URL is defined via the RP configuration in AD FS
• Begins/ends with saml:Assertion: SAML claims, SAML token signature, X.509 certificate of the signing party (includes the public key)
• wctx=rm=0&id=passive&ru=%2fFederation%2f is unchanged since the initial request
• Submit button, plus JavaScript to automatically POST the page
• The SAML data is always signed; it can be encrypted if required
AD FS Cookies (after authentication with AD FS)
• MSISSelectionPersistent: identifies the authenticating IP-STS
• MSISAuth…: authenticated session cookies
• MSISSignOut: keeps track of all RPs to which the session has authenticated
• MSISLoopDetectionCookie: prevents multiple authentication requests due to a configuration error; default time-out: 6 requests for authentication to the same RP within a short space of time
Web App Cookies
• Multiple FedAuth cookies allow the browser session to remain authenticated to the web application
Processing Claims Rules
Claims pipeline: Claims Provider Trusts (AD, or a partner STS) → claims pipeline → Relying Party Trusts (RP)
• Claims Provider Trusts: specify the incoming claims that will be accepted from the claims provider and passed to the pipeline
• Relying Party Trusts: specify the users that are permitted to access the relying party
  • Permit: specifies the claims that will be presented to the relying party
  • Deny: not processed
Processing Rules
• Input claims stream → rules → output claims stream
• Subsequent rules can process the results of previous rules
• A custom rule can be created that only adds its results to the input stream: replace the “issue” statement with “add”
Using attribute stores
• Rules can query attribute stores (AD, SQL, LDAP) to obtain values for the output claims stream from the input claims stream
• The AD attribute store is automatically added
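An added example (not from the slides) of the add/issue distinction in the claim rule language, loaded as a relying party’s issuance transform rules with the AD FS 2.0 PowerShell snap-in. The trust name "AppX" and the staged claim type "http://example.org/claims/staged/mail" are assumptions; the first rule queries the built-in Active Directory attribute store.

```powershell
# Added example, not from the slides. Assumes a relying party trust named "AppX"
# and a made-up claim type for the staged value.
$rules = @'
@RuleName = "Stage the mail attribute from AD (add: input stream only)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory",
        types = ("http://example.org/claims/staged/mail"),
        query = ";mail;{0}", param = c.Value);

@RuleName = "Issue the e-mail claim to AppX from the staged claim"
c:[Type == "http://example.org/claims/staged/mail"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
          Value = c.Value, ValueType = c.ValueType);
'@

# AD FS 2.0 ships its cmdlets as a snap-in (later versions use a module).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
Set-AdfsRelyingPartyTrust -TargetName "AppX" -IssuanceTransformRules $rules

# Read the rules back to confirm what AD FS stored.
(Get-AdfsRelyingPartyTrust -Name "AppX").IssuanceTransformRules
```

The staged claim produced by "add" is visible only to the second rule; AppX receives the emailaddress claim and never sees the staged type.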
Viewing the claims pipeline
• AD FS 2.0 can be configured to log events into the security log; the source is shown as AD FS 2.0 Auditing
• This enables the issued claims to be viewed
AD FS 2.0 Security Audits
• Step 1 (on the AD FS 2.0 server): via Group or Local Policy, Security Settings > Local Policies > User Rights Management, add the AD FS service account to the “Generate security audits” properties
• Step 2 (on the AD FS 2.0 server): run auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
• Step 3 (on the AD FS 2.0 server):
Security Audits: Event IDs
• Logon: Event ID 4624
• Claims provider → Acceptance Transform Rules → Issuance Authorization Rules → Issuance Transform Rules → token
• Event ID 500 and Event ID 501: input and output claims as they pass through the rule sets
• Event ID 324: Deny (Issuance Authorization Rules)
• Event ID 299: Permit, token issued
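An added example (not from the slides) that ties the correlation step to the audit events above: it pulls the AD FS 2.0 Admin events for one ActivityID with the XPath form query from the Find step, then lists the security audits from the AD FS 2.0 Auditing source that fall in that request’s time window, labelled with the event IDs from the slide. The ActivityID value is a placeholder.

```powershell
# Added example, not from the slides. Run on the AD FS 2.0 server with
# auditing enabled. $activityId is a placeholder: replace it with the
# ActivityID shown in the AD FS 2.0 Admin log entry for the failing request.
$activityId = '{00000000-0000-0000-0000-000000000000}'

# XPath form query on the correlation ActivityID (the same form an Event
# Viewer custom filter uses).
$xpath = "*[System[Correlation[@ActivityID='$activityId']]]"
$admin = @(Get-WinEvent -LogName 'AD FS 2.0/Admin' -FilterXPath $xpath -ErrorAction SilentlyContinue |
           Sort-Object TimeCreated)
if ($admin.Count -eq 0) { throw "No AD FS 2.0 Admin events for ActivityID $activityId" }

# Time window of the request, padded by a few seconds.
$from = $admin[0].TimeCreated.AddSeconds(-5)
$to   = $admin[$admin.Count - 1].TimeCreated.AddSeconds(5)

# Security audits written by the "AD FS 2.0 Auditing" source in that window.
$audits = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'AD FS 2.0 Auditing'
    StartTime    = $from
    EndTime      = $to
} -ErrorAction SilentlyContinue

# Event IDs as labelled on the slide: 299 token issued, 324 denied by the
# issuance authorization rules, 500/501 claims passing through the pipeline.
$label = @{ 299 = 'token issued'; 324 = 'issuance authorization denied';
            500 = 'pipeline claims'; 501 = 'pipeline claims' }
$audits | Sort-Object TimeCreated | ForEach-Object {
    $name = if ($label.ContainsKey($_.Id)) { $label[$_.Id] } else { 'other' }
    '{0:HH:mm:ss.fff} {1,4} {2,-32} {3}' -f $_.TimeCreated, $_.Id, $name,
        ($_.Message -split "`n")[0]
}
```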
AD FS 2.0 Performance Counters
• AD FS 2.0 performance counters: AD FS 2.0* (e.g. token requests/sec, federation metadata requests/sec); the AD FS 2.0 update rollup introduced a new performance counter and fixed some performance bugs
• WCF performance counters: ServiceModelEndpoint 3.0.0.0(*)*, ServiceModelOperation 3.0.0.0(*)*, ServiceModelService 3.0.0.0(*)*
• Other performance counters: Memory*, Processor(*)*, Paging File(_Total)*, Process(Microsoft.IdentityServer.ServiceHost), Process(lsass), Process(w3wp), Process(w3wp#1)*, APP_POOL_WAS(ADFSAppPool)*, ASP.NET Applications(_LM_W3SVC_1_ROOT_adfs_ls)*, Web Service(Default Web Site)*, .NET CLR Networking(*)*, Network Interface(*)*, TCPv4*, TCPv6*
Summary
• Troubleshooting federation can be tricky
• Key helpers: event logs (match correlation IDs), trace logs for developers, performance counters, capture tools, security auditing
• While systems are working, run captures and become familiar with the normal operations
• End an argument with Windows Azure Access Control Service (ACS)
TechEd 2013
I will be speaking at TechEd 2013: Precon: Windows Server DirectAccess, plus other breakouts
Consulting services on request John.firstname.lastname@example.org John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems with a focus on security and high-availability. A key player in many IT projects for industry leaders including Microsoft, the UK Government and multi-nationals that require optimized IT systems. Developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory Internals, presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars. www.xtseminars.co.uk