Troubleshooting Federation, ADFS, and More
More info on http://techdays.be.

Published in: Technology

Transcript of "Troubleshooting Federation, ADFS, and More"

  1. Agenda: understand AD FS 2.0 key concepts; understand AD FS 2.0 challenges and common issues; identify AD FS 2.0 troubleshooting tools, tips and tricks.
  2. Key Concepts. Issuer (IP-STS): the Identity Provider (IP) Security Token Service (STS) authenticates the user against Active Directory. The user (subject / principal) requests a token for AppX, and the issuer issues a Security Token (ST) that contains claims about the user crafted for AppX, for example: name, group membership, User Principal Name (UPN), e-mail address of the user, e-mail address of the manager, phone number, other attribute values. The Security Token "authenticates" the user to the application. AppX is the relying party (RP) / resource provider: it trusts the Security Token from the issuer, which is signed by the issuer.
  3. Working with Partners. Parties: your claims-aware app, your AD FS 2.0 STS, the partner's AD FS 2.0 STS & IP, and the partner's Active Directory. Trusts: the app trusts your STS; your STS trusts the partner's STS. Flow for a partner user: browse app; not authenticated, so redirect to your STS; home realm discovery; redirected to the partner STS requesting an ST for the partner user; authenticate; return ST for consumption by your STS; redirected to your STS; return new ST; process token; send token; return cookies and page.
  4. XPath Query. Use Find… on the ActivityID (shown as the ActivityID), or create an XPath form query.
  5. Seeing it All – Fiddler is a great tool.
  6. Fiddler as a Man in the Middle. Fiddler can intercept HTTPS traffic: it creates a certificate that represents the destination website. The browser will display the certificate as invalid unless it is added to the certificate store. If you add it to the store, make sure you remove it after testing.
  7. Man-In-The-Middle Attack Prevention. Depending on the client and server versions, a Channel Binding Token (CBT) will be enforced to prevent man-in-the-middle attacks, and authentication will fail. For Fiddler SSL interception, temporarily disable CBT on the AD FS server. It is configured through the Configuration Editor for Default Web Site/adfs/ls or via a script:
     appcmd.exe set config "Default Web Site/ADFS/ls" -section:system.webServer/security/authentication/windowsAuthentication /extendedProtection.tokenChecking:"None" /extendedProtection.flags:"Proxy" /commit:apphost
  8. First redirect to STS. Decoded redirect URL (%2f decodes to /):
     https://adfs.example.com/adfs/ls/?wa=wsignin1.0&wtrealm=https://site1.example.com/Federation/&wctx=rm=0&id=passive&ru=%2fFederation%2f&wct=2011-04-15T15:12:28Z
  9. The SAML token is transported in a web page: a hidden form with POST method, JavaScript to automatically POST the page, and a Submit button. The POST-back URL is defined via the RP configuration in AD FS. The token begins / ends with saml:Assertion and carries the SAML claims, the SAML token signature and the X.509 certificate of the signing party (includes the public key). wctx=rm=0&id=passive&ru=%2fFederation%2f& is unchanged since the initial request. The SAML data is always signed; it can be encrypted if required.
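The redirect on slide 8 and the POST-back on slide 9, as an added Python example (not code from the talk): it decodes the doubly encoded wctx, checks the realm and wct timestamp of a captured redirect, and checks that the POST-back keeps wctx unchanged and carries a signed saml:Assertion. The wire-form URL is the slide's URL re-encoded as the WIF module sends it, and the POST-back form fields are constructed.

```python
# WS-Federation passive sign-in on the wire: the redirect to the STS (slide 8) and the
# signed token POSTed back (slide 9). Added example, not code from the talk: REDIRECT is
# the slide's decoded URL re-encoded as WIF sends it; POSTBACK is a constructed form.
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qsl
import xml.etree.ElementTree as ET
SAML_ASSERTION = "{urn:oasis:names:tc:SAML:1.0:assertion}Assertion"
DSIG_SIGNATURE = "{http://www.w3.org/2000/09/xmldsig#}Signature"
REDIRECT = ("https://adfs.example.com/adfs/ls/?wa=wsignin1.0"
            "&wtrealm=https%3a%2f%2fsite1.example.com%2fFederation%2f"
            "&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fFederation%252f"
            "&wct=2011-04-15T15%3a12%3a28Z")
# Constructed POST-back fields; the wresult keeps only the elements that are checked.
POSTBACK = {"wa": "wsignin1.0", "wctx": "rm=0&id=passive&ru=%2fFederation%2f",
            "wresult": '<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">'
                       '<t:RequestedSecurityToken><saml:Assertion AssertionID="_1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">'
                       '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyInfo><X509Data><X509Certificate>PLACEHOLDER-BASE64'
                       '</X509Certificate></X509Data></KeyInfo></Signature></saml:Assertion></t:RequestedSecurityToken>'
                       '</t:RequestSecurityTokenResponse>'}
SAMPLE_NOW = datetime(2011, 4, 15, 15, 13, 0, tzinfo=timezone.utc)  # constructed capture time

def parse_signin_request(url):
    """Split the redirect into WS-Fed parameters; wctx is decoded again (WIF encodes rm/id/ru twice)."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    params["wctx_parts"] = dict(parse_qsl(params.get("wctx", "")))
    return params

def check_signin_request(params, known_realms, now=None, max_skew_seconds=300):
    """Findings: wtrealm must match a configured relying party trust; wct must be fresh (clock skew shows here)."""
    findings = []
    if params.get("wtrealm") not in known_realms:
        findings.append("wtrealm has no relying party trust: %s" % params.get("wtrealm"))
    wct = datetime.strptime(params["wct"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    skew = abs(((now or datetime.now(timezone.utc)) - wct).total_seconds())
    if skew > max_skew_seconds:
        findings.append("wct is %d seconds away from the current time" % skew)
    return findings

def check_postback(fields, request_wctx):
    """Findings: wctx must be unchanged since the redirect; wresult must hold a signed saml:Assertion."""
    findings = []
    if fields.get("wctx") != request_wctx:
        findings.append("wctx changed between redirect and POST-back")
    assertion = ET.fromstring(fields["wresult"]).find(".//" + SAML_ASSERTION)
    if assertion is None:
        findings.append("no saml:Assertion in wresult")
    elif assertion.find(DSIG_SIGNATURE) is None:
        findings.append("saml:Assertion is not signed")
    return findings
```

Running the checks over a real capture means substituting the URL and form fields Fiddler shows for REDIRECT and POSTBACK; an empty findings list for both means the exchange matches what slides 8 and 9 describe.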
  10. AD FS Cookies, after authentication with AD FS: MSISSelectionPersistent identifies the authenticating IP-STS; MSISAuth… are the authenticated session cookies; MSISSignOut keeps track of all RPs to which the session has authenticated; MSISLoopDetectionCookie prevents multiple authentication requests due to a configuration error (time-out default: 6 requests for authentication to the same RP within a short space of time).
  11. Web App Cookies: multiple FedAuth cookies allow the browser session to remain authenticated to the web application.
  12. Processing claims in AD FS
  13. Processing Claims Rules. The claims pipeline runs from AD through the Claims Provider Trusts and the Relying Party Trusts to the ST issued to the RP. Claims Provider Trusts: specify incoming claims that will be accepted from the claims provider and passed to the pipeline. Relying Party Trusts: specify the users that are permitted to access the relying party (Permit: specifies claims that will be sent to the relying party; Deny: not processed).
  14. Processing Rules: input claims stream to output claims stream. Subsequent rules can process the results of previous rules. A custom rule can be created to only add the results to the input stream: replace the "issue" statement with "add".
  15. Using attribute stores: input claims stream, output claims stream; stores: AD (automatically added), SQL, LDAP.
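How "issue" and "add" differ in the pipeline described on slides 14 and 15, as an added Python model (not code from the talk or from AD FS itself); the attribute store is a constructed dictionary standing in for an AD/LDAP/SQL lookup, and the department claim type is hypothetical.

```python
# Model of the AD FS 2.0 claims pipeline from slides 14 and 15: rules run in order over
# an input claims stream; an "issue" rule's results go to both the input and the output
# stream, an "add" rule's results go to the input stream only. Added example, not code
# from the talk; ATTRIBUTE_STORE is a constructed dict standing in for an AD/LDAP/SQL store.
from collections import namedtuple

Claim = namedtuple("Claim", "type value")
Rule = namedtuple("Rule", "matches produce action")   # action is "issue" or "add"

UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
TEMP_DEPT = "http://example.invalid/claims/department"  # hypothetical intermediate claim type
ATTRIBUTE_STORE = {"alice@example.com": {"mail": "alice@example.com", "department": "Finance"}}

def lookup(upn, attribute, claim_type):
    """Attribute-store query for one user; no entry means the rule yields no claim."""
    entry = ATTRIBUTE_STORE.get(upn)
    return [Claim(claim_type, entry[attribute])] if entry else []

def run_pipeline(rules, input_claims):
    """Run the rule set over the input stream and return the output stream sent to the RP."""
    inputs, outputs = list(input_claims), []
    for rule in rules:
        for claim in [c for c in inputs if rule.matches(c)]:   # snapshot: rule sees earlier results
            produced = rule.produce(claim)
            inputs.extend(produced)        # both "issue" and "add" feed the later rules
            if rule.action == "issue":
                outputs.extend(produced)   # only "issue" reaches the relying party
    return outputs

RULES = [
    # Custom rule using "add": the department is looked up and kept in the input stream only.
    Rule(lambda c: c.type == UPN, lambda c: lookup(c.value, "department", TEMP_DEPT), "add"),
    # Store lookup issued to the RP as an e-mail claim.
    Rule(lambda c: c.type == UPN, lambda c: lookup(c.value, "mail", EMAIL), "issue"),
    # A later rule consumes the result of the earlier "add" rule.
    Rule(lambda c: c.type == TEMP_DEPT and c.value == "Finance", lambda c: [Claim(ROLE, "FinanceUsers")], "issue"),
]

if __name__ == "__main__":
    for claim in run_pipeline(RULES, [Claim(UPN, "alice@example.com")]):
        print(claim.type, "=", claim.value)   # e-mail and role are issued; the department claim is not
```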
  16. Viewing the claims pipeline. AD FS 2.0 can be configured to log events into the security log (source shown as AD FS 2.0 Auditing); this enables issued claims to be viewed. Step 1 (on the AD FS 2.0 server): via Group or Local Policy, under Security Settings > Local Policies > User Rights Management, add the AD FS service account in the "Generate security audits" properties. Step 2 (on the AD FS 2.0 server): run
     auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
  17. AD FS 2.0 Security Audits. Step 3 (on the AD FS 2.0 server):
  18. Security Audits Event IDs. Logon: Event ID 4624. Claims provider trust, Acceptance Transform Rules: input claims (Event ID 500) and output claims (Event ID 501), recorded against Event ID 299. Relying party trust, Issuance Authorization Rules: Deny gives Event ID 324; Permit goes on to process the Issuance Transform Rules: input claims (Event ID 500), output claims (Event ID 501), token issued (Event ID 299).
  19. AD FS 2.0 Performance Counters. AD FS 2.0 performance counters: AD FS 2.0* (e.g. token requests/sec, federation metadata requests/sec); the AD FS 2.0 update rollup introduced a new performance counter and fixed some performance bugs. WCF performance counters: ServiceModelEndpoint 3.0.0.0(*)*, ServiceModelOperation 3.0.0.0(*)*, ServiceModelService 3.0.0.0(*)*. Other performance counters: Memory*, Processor(*)*, Paging File(_Total)*, Process(Microsoft.IdentityServer.ServiceHost), (lsass), (w3wp), (w3wp#1)*, APP_POOL_WAS(ADFSAppPool)*, ASP.NET Applications(_LM_W3SVC_1_ROOT_adfs_ls)*, Web Service(Default Web Site)*, .NET CLR Networking(*)*, Network Interface(*)*, TCPv4*, TCPv6*.
  20. Resources: AD FS 2.0 update rollup 2; AD FS 2.0 troubleshooting guide; AD FS 2.0 SDK (updated in 2012!); AD FS 2.0 content map.
  21. Summary. Troubleshooting federation can be tricky. Key helpers: event logs (match correlation IDs); trace logs for developers; performance counters; capture tools; security auditing. While systems are working, run captures and become familiar with the normal operations. End an argument with Windows Azure Access Control Service (ACS).
  22. TechEd 2013: I will be speaking at TechEd 2013. Precon: Windows Server DirectAccess; other breakouts.
  23. Consulting services on request: John.craddock@xtseminars.co.uk. John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems with a focus on security and high-availability. A key player in many IT projects for industry leaders including Microsoft, the UK Government and multi-nationals that require optimized IT systems. Developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory Internals, presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars. www.xtseminars.co.uk