SlideShare a Scribd company logo

Troubleshooting Federation, ADFS, and More

Download as PPTX, PDF
Microsoft TechNet - Belgium and Luxembourg
Microsoft TechNet - Belgium and Luxembourg

More info on http://techdays.be.

Technology
1 of 27
Agenda Understand AD FS 2.0 key concepts  Understand AD FS 2.0 challenges and common issues  Identify AD FS 2.0 troubleshooting tools and tips and tricks
Key Concepts Issuer IP-STS Authenticates user Identity Provider (IP) Security Token Service (STS) User / Subject /Principal Requests token for AppX Active Directory The Security Token ST Issues Security Token Contains claims about the user crafted for Appx For example: • Name • Group membership Security Token “Authenticates” • User Principal Name (UPN) user to the application • Email address of user • Email address of manager AppX • Phone number Relying party (RP)/ • Other attribute values Resource provider Trusts the Security Token Signed by issuer from the issuer
Working with Partners Your Your Partner Claims-aware app AD FS 2.0 STS AD FS 2.0 STS & IP Active Directory Browse app App trusts STS Your STS Partner trusts your user Not authenticated partner’s STS Redirect to your STS Home realm discovery Redirected to partner STS requesting ST for partner user Authenticate Return ST for consumption by your STS Redirected to your STS Return new ST Process token Send Token Return cookies and page
X-path Query Use Find… Shown as the ActivityID: Create an XPath form query
Seeing it All – Fiddler is a great tool
Fiddler as a Man in the Middle Fiddler can intercept HTTPS traffic  Creates a certificate that represents the destination website Browser will display certificate as invalid unless added to certificate store  If you add it to the store make sure you remove it after testing
Man-In-The-Middle Attack Prevention appcmd.exe set config "Default Web Site/ADFS/ls" - section:system.webServer/security/au thentication/windowsAuthentication /extendedProtection.tokenChecking:"N one" /extendedProtection.flags:"Proxy" /commit:apphost Depending on the client and server versions, Channel Binding Token (CBT) will be enforced to prevent Man-in-the-middle attacks and authentication will fail  For Fiddler SSL interception temporarily disable CBT on the AD FS server  Configured through the Configuration Editor for the Default Websiteadfsls or via a script
First redirect to STS Decoded redirect URL: %2f decodes to / https://adfs.example.com/adfs/ls/? wa=wsignin1.0& wtrealm=https://site1.example.com/Federation/& wctx=rm=0&id=passive&ru=%2fFederation%2f& wct=2011-04-15T15:12:28Z
The SAML token is transported in a web page Hidden form with POST method Begins / ends with POST back URL defined via RP configuration in ADFS saml:Assertion SAML claims SAML Token Signature X.509 Certificate of signing party (includes public key) Unchanged wctx=rm=0&id=passive&ru=%2fFederation%2f& since initial Submit button request Java Script to automatically POST page The SAML data is always signed, it can be encrypted if required
AD FS Cookies After Authentication with AD FS  MSISSelectionPersistent: identifies authenticating IP-STS  MSISAuth…: authenticated session cookies  MSISSignOut: Keeps track of all RPs to which the session has authenticated  MSISLoopDetectionCookie: Prevents multiple authentication request due to configuration error  Time-out default: 6 request for authentication to same RP within a short space of time
Web App Cookies Multiple FedAuth cookies  Allows browser session to remain authenticated to web application
Processing claims in ADFS
Processing Claims Rules Specify the users that are Claims Provider Trusts C permitted to access the l relying party AD a i ST Specify incoming claims that will m be accepted from the claims s provider and passed to the pipeline P i p Permit: specifies claims that will be RP e sent to the relying party Relying Party Trusts l Deny: Not processed i Claims Provider Trusts n e
Processing Rules Input claims stream Output claims stream Subsequent rules can process the results of previous rules  A custom rule can be created to only add the results to the input stream  Replace the “issue” statement with “add”
Using attribute stores Input claims stream Output claims stream AD SQL LDAP Automatically added
Viewing the claims pipeline AD FS 2.0 can be configured to log events into the security log  Source shown as AD FS 2.0 Auditing  Enables issued claims to be viewed Step1 (on AD FS 2.0 server):  Via Group or Local Policy  Security SettingsLocal PoliciesUser Rights Management  Add the ADFS service account to the “Generate security audits properties” Step 2 (on AD FS 2.0 server):  Run auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
AD FS 2.0 Security Audits Step3 (on AD FS 2.0 server):
Security Audits Event IDs Logon Event ID Claims 4624 provider Deny input input Event ID Issuance Acceptance 324 Authorization Rules Transform Rules Event ID Permit Event ID 299 process 500 Issuance Rules Event ID output input 501 Issuance Transform Rules Event ID 299 Event ID 500
AD FS 2.0 Performance Counters AD FS 2.0 performance counters  AD FS 2.0* (ex. token requests/sec, federation metadata requests/sec)  AD FS 2.0 update rollup introduced a new performance counter and fixed some performance bugs WCF performance counter  ServiceModelEndpoint 3.0.0.0(*)*  ServiceModelOperation 3.0.0.0(*)*  ServiceModelService 3.0.0.0(*)* Other performance counters  Memory*, Processor(*)*, Paging File(_Total)*  Process(Microsoft.IdentityServer.ServiceHost) (lsass) (w3wp) (w3wp#1)*  APP_POOL_WAS(ADFSAppPool)*  ASP.NET Applications(_LM_W3SVC_1_ROOT_adfs_ls)*  Web Service(Default Web Site)*  .NET CLR Networking(*)*  Network Interface(*)*  TCPv4*, TCPv6*
Resources AD FS 2.0 update rollup 2 AD FS 2.0 troubleshooting guide AD FS 2.0 SDK (updated in 2012!) AD FS 2.0 content map
Summary Troubleshooting federation can be tricky Key helpers  Event logs – match correlationIDs  Trace logs for developers  Performance counters  Capture tools  Security auditing While systems are working run captures and become familiar with the normal operations End an argument with Windows Azure Access Control Service (ACS)
TechEd 2013 I will be speaking a TechEd 2013  Precon: Windows Server DirectAccess  Other breakouts
Consulting services on request John.craddock@xtseminars.co.uk John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems with a focus on security and high-availability. A key player in many IT projects for industry leaders including Microsoft, the UK Government and multi-nationals that require optimized IT systems. Developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory Internals, presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars. www.xtseminars.co.uk

Recommended

Azure AD とアプリケーションを SAML 連携する際に陥る事例と対処方法について
Azure AD とアプリケーションを SAML 連携する際に陥る事例と対処方法についてAzure AD とアプリケーションを SAML 連携する際に陥る事例と対処方法について
Azure AD とアプリケーションを SAML 連携する際に陥る事例と対処方法についてShinya Yamaguchi
 
AWS Black Belt Techシリーズ AWS IAM
AWS Black Belt Techシリーズ AWS IAMAWS Black Belt Techシリーズ AWS IAM
AWS Black Belt Techシリーズ AWS IAMAmazon Web Services Japan
 
株式会社コロプラ『GKE と Cloud Spanner が躍動するドラゴンクエストウォーク』第 9 回 Google Cloud INSIDE Game...
株式会社コロプラ『GKE と Cloud Spanner が躍動するドラゴンクエストウォーク』第 9 回 Google Cloud INSIDE Game...株式会社コロプラ『GKE と Cloud Spanner が躍動するドラゴンクエストウォーク』第 9 回 Google Cloud INSIDE Game...
株式会社コロプラ『GKE と Cloud Spanner が躍動するドラゴンクエストウォーク』第 9 回 Google Cloud INSIDE Game...Google Cloud Platform - Japan
 
基礎から学ぶ? EC2マルチキャスト
基礎から学ぶ? EC2マルチキャスト基礎から学ぶ? EC2マルチキャスト
基礎から学ぶ? EC2マルチキャストNoritaka Sekiyama
 
Cognito、Azure ADと仲良くしてみた
Cognito、Azure ADと仲良くしてみたCognito、Azure ADと仲良くしてみた
Cognito、Azure ADと仲良くしてみたTakafumi Kondo
 
AWS初心者向けWebinar AWSからのEメール送信
AWS初心者向けWebinar AWSからのEメール送信AWS初心者向けWebinar AWSからのEメール送信
AWS初心者向けWebinar AWSからのEメール送信Amazon Web Services Japan
 
202205 AWS Black Belt Online Seminar Amazon VPC IP Address Manager (IPAM)
202205 AWS Black Belt Online Seminar Amazon VPC IP Address Manager (IPAM)202205 AWS Black Belt Online Seminar Amazon VPC IP Address Manager (IPAM)
202205 AWS Black Belt Online Seminar Amazon VPC IP Address Manager (IPAM)Amazon Web Services Japan
 
Azure AD とアプリケーションを SAML 連携する際に陥る事例と対処方法について
Azure AD とアプリケーションを SAML 連携する際に陥る事例と対処方法についてAzure AD とアプリケーションを SAML 連携する際に陥る事例と対処方法について
Azure AD とアプリケーションを SAML 連携する際に陥る事例と対処方法についてShinya Yamaguchi
 

Recommended

Azure AD とアプリケーションを SAML 連携する際に陥る事例と対処方法について
Azure AD とアプリケーションを SAML 連携する際に陥る事例と対処方法についてAzure AD とアプリケーションを SAML 連携する際に陥る事例と対処方法について
Azure AD とアプリケーションを SAML 連携する際に陥る事例と対処方法についてShinya Yamaguchi
 
AWS Black Belt Techシリーズ AWS IAM
AWS Black Belt Techシリーズ AWS IAMAWS Black Belt Techシリーズ AWS IAM
AWS Black Belt Techシリーズ AWS IAMAmazon Web Services Japan
 
株式会社コロプラ『GKE と Cloud Spanner が躍動するドラゴンクエストウォーク』第 9 回 Google Cloud INSIDE Game...
株式会社コロプラ『GKE と Cloud Spanner が躍動するドラゴンクエストウォーク』第 9 回 Google Cloud INSIDE Game...株式会社コロプラ『GKE と Cloud Spanner が躍動するドラゴンクエストウォーク』第 9 回 Google Cloud INSIDE Game...
株式会社コロプラ『GKE と Cloud Spanner が躍動するドラゴンクエストウォーク』第 9 回 Google Cloud INSIDE Game...Google Cloud Platform - Japan
 
基礎から学ぶ? EC2マルチキャスト
基礎から学ぶ? EC2マルチキャスト基礎から学ぶ? EC2マルチキャスト
基礎から学ぶ? EC2マルチキャストNoritaka Sekiyama
 
Cognito、Azure ADと仲良くしてみた
Cognito、Azure ADと仲良くしてみたCognito、Azure ADと仲良くしてみた
Cognito、Azure ADと仲良くしてみたTakafumi Kondo
 
AWS初心者向けWebinar AWSからのEメール送信
AWS初心者向けWebinar AWSからのEメール送信AWS初心者向けWebinar AWSからのEメール送信
AWS初心者向けWebinar AWSからのEメール送信Amazon Web Services Japan
 
202205 AWS Black Belt Online Seminar Amazon VPC IP Address Manager (IPAM)
202205 AWS Black Belt Online Seminar Amazon VPC IP Address Manager (IPAM)202205 AWS Black Belt Online Seminar Amazon VPC IP Address Manager (IPAM)
202205 AWS Black Belt Online Seminar Amazon VPC IP Address Manager (IPAM)Amazon Web Services Japan
 
Azure AD とアプリケーションを SAML 連携する際に陥る事例と対処方法について
Azure AD とアプリケーションを SAML 連携する際に陥る事例と対処方法についてAzure AD とアプリケーションを SAML 連携する際に陥る事例と対処方法について
Azure AD とアプリケーションを SAML 連携する際に陥る事例と対処方法についてShinya Yamaguchi
 
Amazon DynamoDBの紹介と東急ハンズでの活用について
Amazon DynamoDBの紹介と東急ハンズでの活用についてAmazon DynamoDBの紹介と東急ハンズでの活用について
Amazon DynamoDBの紹介と東急ハンズでの活用についてTaiji INOUE
 
侵入防御の誤検知を減らすためのDeepSecurity運用
侵入防御の誤検知を減らすためのDeepSecurity運用侵入防御の誤検知を減らすためのDeepSecurity運用
侵入防御の誤検知を減らすためのDeepSecurity運用morisshi
 
20190514 AWS Black Belt Online Seminar Amazon API Gateway
20190514 AWS Black Belt Online Seminar Amazon API Gateway 20190514 AWS Black Belt Online Seminar Amazon API Gateway
20190514 AWS Black Belt Online Seminar Amazon API Gateway Amazon Web Services Japan
 
Azure サポート エンジニア直伝 ~ PowerShell 実践活用術 ~
Azure サポート エンジニア直伝 ~ PowerShell 実践活用術 ~Azure サポート エンジニア直伝 ~ PowerShell 実践活用術 ~
Azure サポート エンジニア直伝 ~ PowerShell 実践活用術 ~ShuheiUda
 
Keycloakの動向
Keycloakの動向Keycloakの動向
Keycloakの動向Yuichi Nakamura
 
Azure Search 言語処理関連機能 〜 アナライザー、検索クエリー、辞書、& ランキング, etc
Azure Search 言語処理関連機能 〜 アナライザー、検索クエリー、辞書、& ランキング, etcAzure Search 言語処理関連機能 〜 アナライザー、検索クエリー、辞書、& ランキング, etc
Azure Search 言語処理関連機能 〜 アナライザー、検索クエリー、辞書、& ランキング, etcYoichi Kawasaki
 
OpenID ConnectとSCIMの標準化動向
OpenID ConnectとSCIMの標準化動向OpenID ConnectとSCIMの標準化動向
OpenID ConnectとSCIMの標準化動向Tatsuo Kudo
 
ソーシャルゲームのためのデータベース設計
ソーシャルゲームのためのデータベース設計ソーシャルゲームのためのデータベース設計
ソーシャルゲームのためのデータベース設計Yoshinori Matsunobu
 
AWS CLIでAssumeRole
AWS CLIでAssumeRoleAWS CLIでAssumeRole
AWS CLIでAssumeRoleTetsunori Nishizawa
 
AWS Black Belt Online Seminar - Amazon Lightsail
AWS Black Belt Online Seminar - Amazon Lightsail AWS Black Belt Online Seminar - Amazon Lightsail
AWS Black Belt Online Seminar - Amazon Lightsail Amazon Web Services Japan
 
クラウドコストを最適化せよ!マルチクラウド時代に届けるクラウド活用2.0
クラウドコストを最適化せよ!マルチクラウド時代に届けるクラウド活用2.0クラウドコストを最適化せよ!マルチクラウド時代に届けるクラウド活用2.0
クラウドコストを最適化せよ!マルチクラウド時代に届けるクラウド活用2.0Tomohisa Koyanagi
 
Istioサービスメッシュ入門
Istioサービスメッシュ入門Istioサービスメッシュ入門
Istioサービスメッシュ入門Yoichi Kawasaki
 
AWSからのメール送信
AWSからのメール送信AWSからのメール送信
AWSからのメール送信Amazon Web Services Japan
 
AWS Black Belt Techシリーズ Amazon EMR
AWS Black Belt Techシリーズ Amazon EMRAWS Black Belt Techシリーズ Amazon EMR
AWS Black Belt Techシリーズ Amazon EMRAmazon Web Services Japan
 
Fluentdで本番環境を再現
Fluentdで本番環境を再現Fluentdで本番環境を再現
Fluentdで本番環境を再現Hiroshi Toyama
 
Standardizing Identity Provisioning with SCIM
Standardizing Identity Provisioning with SCIMStandardizing Identity Provisioning with SCIM
Standardizing Identity Provisioning with SCIMWSO2
 
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014Nov Matake
 
20200812 AWS Black Belt Online Seminar Amazon Macie
20200812 AWS Black Belt Online Seminar Amazon Macie20200812 AWS Black Belt Online Seminar Amazon Macie
20200812 AWS Black Belt Online Seminar Amazon MacieAmazon Web Services Japan
 
Amazon GameLift FlexMatch
Amazon GameLift FlexMatchAmazon GameLift FlexMatch
Amazon GameLift FlexMatchAmazon Web Services Japan
 
AWS Kubernetes 서비스 자세히 살펴보기 (정영준 & 이창수, AWS 솔루션즈 아키텍트) :: AWS DevDay2018
AWS Kubernetes 서비스 자세히 살펴보기 (정영준 & 이창수, AWS 솔루션즈 아키텍트) :: AWS DevDay2018AWS Kubernetes 서비스 자세히 살펴보기 (정영준 & 이창수, AWS 솔루션즈 아키텍트) :: AWS DevDay2018
AWS Kubernetes 서비스 자세히 살펴보기 (정영준 & 이창수, AWS 솔루션즈 아키텍트) :: AWS DevDay2018Amazon Web Services Korea
 
Microsoft Azure 自習書シリーズ No.6 企業内システムとMicrosoft AzureのVPN接続、ADFS、Office 365との連携
Microsoft Azure 自習書シリーズ No.6 企業内システムとMicrosoft AzureのVPN接続、ADFS、Office 365との連携Microsoft Azure 自習書シリーズ No.6 企業内システムとMicrosoft AzureのVPN接続、ADFS、Office 365との連携
Microsoft Azure 自習書シリーズ No.6 企業内システムとMicrosoft AzureのVPN接続、ADFS、Office 365との連携kumo2010
 
Simplifying The S's: Single Sign-On, SPNEGO and SAML
Simplifying The S's: Single Sign-On, SPNEGO and SAMLSimplifying The S's: Single Sign-On, SPNEGO and SAML
Simplifying The S's: Single Sign-On, SPNEGO and SAMLGabriella Davis
 

More Related Content

What's hot

Amazon DynamoDBの紹介と東急ハンズでの活用について
Amazon DynamoDBの紹介と東急ハンズでの活用についてAmazon DynamoDBの紹介と東急ハンズでの活用について
Amazon DynamoDBの紹介と東急ハンズでの活用についてTaiji INOUE
 
侵入防御の誤検知を減らすためのDeepSecurity運用
侵入防御の誤検知を減らすためのDeepSecurity運用侵入防御の誤検知を減らすためのDeepSecurity運用
侵入防御の誤検知を減らすためのDeepSecurity運用morisshi
 
20190514 AWS Black Belt Online Seminar Amazon API Gateway
20190514 AWS Black Belt Online Seminar Amazon API Gateway 20190514 AWS Black Belt Online Seminar Amazon API Gateway
20190514 AWS Black Belt Online Seminar Amazon API Gateway Amazon Web Services Japan
 
Azure サポート エンジニア直伝 ~ PowerShell 実践活用術 ~
Azure サポート エンジニア直伝 ~ PowerShell 実践活用術 ~Azure サポート エンジニア直伝 ~ PowerShell 実践活用術 ~
Azure サポート エンジニア直伝 ~ PowerShell 実践活用術 ~ShuheiUda
 
Azure Search 言語処理関連機能 〜 アナライザー、検索クエリー、辞書、& ランキング, etc
Azure Search 言語処理関連機能 〜 アナライザー、検索クエリー、辞書、& ランキング, etcAzure Search 言語処理関連機能 〜 アナライザー、検索クエリー、辞書、& ランキング, etc
Azure Search 言語処理関連機能 〜 アナライザー、検索クエリー、辞書、& ランキング, etcYoichi Kawasaki
 
OpenID ConnectとSCIMの標準化動向
OpenID ConnectとSCIMの標準化動向OpenID ConnectとSCIMの標準化動向
OpenID ConnectとSCIMの標準化動向Tatsuo Kudo
 
ソーシャルゲームのためのデータベース設計
ソーシャルゲームのためのデータベース設計ソーシャルゲームのためのデータベース設計
ソーシャルゲームのためのデータベース設計Yoshinori Matsunobu
 
AWS Black Belt Online Seminar - Amazon Lightsail
AWS Black Belt Online Seminar - Amazon Lightsail AWS Black Belt Online Seminar - Amazon Lightsail
AWS Black Belt Online Seminar - Amazon Lightsail Amazon Web Services Japan
 
クラウドコストを最適化せよ!マルチクラウド時代に届けるクラウド活用2.0
クラウドコストを最適化せよ!マルチクラウド時代に届けるクラウド活用2.0クラウドコストを最適化せよ!マルチクラウド時代に届けるクラウド活用2.0
クラウドコストを最適化せよ!マルチクラウド時代に届けるクラウド活用2.0Tomohisa Koyanagi
 
Istioサービスメッシュ入門
Istioサービスメッシュ入門Istioサービスメッシュ入門
Istioサービスメッシュ入門Yoichi Kawasaki
 
Fluentdで本番環境を再現
Fluentdで本番環境を再現Fluentdで本番環境を再現
Fluentdで本番環境を再現Hiroshi Toyama
 
Standardizing Identity Provisioning with SCIM
Standardizing Identity Provisioning with SCIMStandardizing Identity Provisioning with SCIM
Standardizing Identity Provisioning with SCIMWSO2
 
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014Nov Matake
 
20200812 AWS Black Belt Online Seminar Amazon Macie
20200812 AWS Black Belt Online Seminar Amazon Macie20200812 AWS Black Belt Online Seminar Amazon Macie
20200812 AWS Black Belt Online Seminar Amazon MacieAmazon Web Services Japan
 
AWS Kubernetes 서비스 자세히 살펴보기 (정영준 & 이창수, AWS 솔루션즈 아키텍트) :: AWS DevDay2018
AWS Kubernetes 서비스 자세히 살펴보기 (정영준 & 이창수, AWS 솔루션즈 아키텍트) :: AWS DevDay2018AWS Kubernetes 서비스 자세히 살펴보기 (정영준 & 이창수, AWS 솔루션즈 아키텍트) :: AWS DevDay2018
AWS Kubernetes 서비스 자세히 살펴보기 (정영준 & 이창수, AWS 솔루션즈 아키텍트) :: AWS DevDay2018Amazon Web Services Korea
 

What's hot (20)

Amazon DynamoDBの紹介と東急ハンズでの活用について
Amazon DynamoDBの紹介と東急ハンズでの活用についてAmazon DynamoDBの紹介と東急ハンズでの活用について
Amazon DynamoDBの紹介と東急ハンズでの活用について
 
侵入防御の誤検知を減らすためのDeepSecurity運用
侵入防御の誤検知を減らすためのDeepSecurity運用侵入防御の誤検知を減らすためのDeepSecurity運用
侵入防御の誤検知を減らすためのDeepSecurity運用
 
20190514 AWS Black Belt Online Seminar Amazon API Gateway
20190514 AWS Black Belt Online Seminar Amazon API Gateway 20190514 AWS Black Belt Online Seminar Amazon API Gateway
20190514 AWS Black Belt Online Seminar Amazon API Gateway
 
Azure サポート エンジニア直伝 ~ PowerShell 実践活用術 ~
Azure サポート エンジニア直伝 ~ PowerShell 実践活用術 ~Azure サポート エンジニア直伝 ~ PowerShell 実践活用術 ~
Azure サポート エンジニア直伝 ~ PowerShell 実践活用術 ~
 
Keycloakの動向
Keycloakの動向Keycloakの動向
Keycloakの動向
 
Azure Search 言語処理関連機能 〜 アナライザー、検索クエリー、辞書、& ランキング, etc
Azure Search 言語処理関連機能 〜 アナライザー、検索クエリー、辞書、& ランキング, etcAzure Search 言語処理関連機能 〜 アナライザー、検索クエリー、辞書、& ランキング, etc
Azure Search 言語処理関連機能 〜 アナライザー、検索クエリー、辞書、& ランキング, etc
 
OpenID ConnectとSCIMの標準化動向
OpenID ConnectとSCIMの標準化動向OpenID ConnectとSCIMの標準化動向
OpenID ConnectとSCIMの標準化動向
 
ソーシャルゲームのためのデータベース設計
ソーシャルゲームのためのデータベース設計ソーシャルゲームのためのデータベース設計
ソーシャルゲームのためのデータベース設計
 
AWS CLIでAssumeRole
AWS CLIでAssumeRoleAWS CLIでAssumeRole
AWS CLIでAssumeRole
 
AWS Black Belt Online Seminar - Amazon Lightsail
AWS Black Belt Online Seminar - Amazon Lightsail AWS Black Belt Online Seminar - Amazon Lightsail
AWS Black Belt Online Seminar - Amazon Lightsail
 
クラウドコストを最適化せよ!マルチクラウド時代に届けるクラウド活用2.0
クラウドコストを最適化せよ!マルチクラウド時代に届けるクラウド活用2.0クラウドコストを最適化せよ!マルチクラウド時代に届けるクラウド活用2.0
クラウドコストを最適化せよ!マルチクラウド時代に届けるクラウド活用2.0
 
Istioサービスメッシュ入門
Istioサービスメッシュ入門Istioサービスメッシュ入門
Istioサービスメッシュ入門
 
AWSからのメール送信
AWSからのメール送信AWSからのメール送信
AWSからのメール送信
 
AWS Black Belt Techシリーズ Amazon EMR
AWS Black Belt Techシリーズ Amazon EMRAWS Black Belt Techシリーズ Amazon EMR
AWS Black Belt Techシリーズ Amazon EMR
 
Fluentdで本番環境を再現
Fluentdで本番環境を再現Fluentdで本番環境を再現
Fluentdで本番環境を再現
 
Standardizing Identity Provisioning with SCIM
Standardizing Identity Provisioning with SCIMStandardizing Identity Provisioning with SCIM
Standardizing Identity Provisioning with SCIM
 
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
 
20200812 AWS Black Belt Online Seminar Amazon Macie
20200812 AWS Black Belt Online Seminar Amazon Macie20200812 AWS Black Belt Online Seminar Amazon Macie
20200812 AWS Black Belt Online Seminar Amazon Macie
 
Amazon GameLift FlexMatch
Amazon GameLift FlexMatchAmazon GameLift FlexMatch
Amazon GameLift FlexMatch
 
AWS Kubernetes 서비스 자세히 살펴보기 (정영준 & 이창수, AWS 솔루션즈 아키텍트) :: AWS DevDay2018
AWS Kubernetes 서비스 자세히 살펴보기 (정영준 & 이창수, AWS 솔루션즈 아키텍트) :: AWS DevDay2018AWS Kubernetes 서비스 자세히 살펴보기 (정영준 & 이창수, AWS 솔루션즈 아키텍트) :: AWS DevDay2018
AWS Kubernetes 서비스 자세히 살펴보기 (정영준 & 이창수, AWS 솔루션즈 아키텍트) :: AWS DevDay2018
 

Viewers also liked

Microsoft Azure 自習書シリーズ No.6 企業内システムとMicrosoft AzureのVPN接続、ADFS、Office 365との連携
Microsoft Azure 自習書シリーズ No.6 企業内システムとMicrosoft AzureのVPN接続、ADFS、Office 365との連携Microsoft Azure 自習書シリーズ No.6 企業内システムとMicrosoft AzureのVPN接続、ADFS、Office 365との連携
Microsoft Azure 自習書シリーズ No.6 企業内システムとMicrosoft AzureのVPN接続、ADFS、Office 365との連携kumo2010
 
Simplifying The S's: Single Sign-On, SPNEGO and SAML
Simplifying The S's: Single Sign-On, SPNEGO and SAMLSimplifying The S's: Single Sign-On, SPNEGO and SAML
Simplifying The S's: Single Sign-On, SPNEGO and SAMLGabriella Davis
 
SR Electricals
SR ElectricalsSR Electricals
SR Electricalsjkprs
 
San valentino
San valentinoSan valentino
San valentinobrontolo8
 
The SANS 2013 Help Desk Security and Privacy Survey
The SANS 2013 Help Desk Security and Privacy SurveyThe SANS 2013 Help Desk Security and Privacy Survey
The SANS 2013 Help Desk Security and Privacy SurveyEMC
 
EMC Big Data | Hadoop Starter Kit | EMC Forum 2014
EMC Big Data | Hadoop Starter Kit | EMC Forum 2014EMC Big Data | Hadoop Starter Kit | EMC Forum 2014
EMC Big Data | Hadoop Starter Kit | EMC Forum 2014EMC
 
Insaat kursu-ankara
Insaat kursu-ankaraInsaat kursu-ankara
Insaat kursu-ankarasersld54
 
American horror story
American horror storyAmerican horror story
American horror storyOmar Berrouho
 
Flash-Specific Data Protection
Flash-Specific Data ProtectionFlash-Specific Data Protection
Flash-Specific Data ProtectionEMC
 
Painting development
Painting developmentPainting development
Painting developmentmariaricha
 
Math powerpoint
Math powerpointMath powerpoint
Math powerpointwhiteman22
 

Viewers also liked (15)

Microsoft Azure 自習書シリーズ No.6 企業内システムとMicrosoft AzureのVPN接続、ADFS、Office 365との連携
Microsoft Azure 自習書シリーズ No.6 企業内システムとMicrosoft AzureのVPN接続、ADFS、Office 365との連携Microsoft Azure 自習書シリーズ No.6 企業内システムとMicrosoft AzureのVPN接続、ADFS、Office 365との連携
Microsoft Azure 自習書シリーズ No.6 企業内システムとMicrosoft AzureのVPN接続、ADFS、Office 365との連携
 
Simplifying The S's: Single Sign-On, SPNEGO and SAML
Simplifying The S's: Single Sign-On, SPNEGO and SAMLSimplifying The S's: Single Sign-On, SPNEGO and SAML
Simplifying The S's: Single Sign-On, SPNEGO and SAML
 
SR Electricals
SR ElectricalsSR Electricals
SR Electricals
 
Dario
DarioDario
Dario
 
San valentino
San valentinoSan valentino
San valentino
 
Apple accessories
Apple accessoriesApple accessories
Apple accessories
 
The SANS 2013 Help Desk Security and Privacy Survey
The SANS 2013 Help Desk Security and Privacy SurveyThe SANS 2013 Help Desk Security and Privacy Survey
The SANS 2013 Help Desk Security and Privacy Survey
 
EMC Big Data | Hadoop Starter Kit | EMC Forum 2014
EMC Big Data | Hadoop Starter Kit | EMC Forum 2014EMC Big Data | Hadoop Starter Kit | EMC Forum 2014
EMC Big Data | Hadoop Starter Kit | EMC Forum 2014
 
Insaat kursu-ankara
Insaat kursu-ankaraInsaat kursu-ankara
Insaat kursu-ankara
 
Finance
FinanceFinance
Finance
 
American horror story
American horror storyAmerican horror story
American horror story
 
Flash-Specific Data Protection
Flash-Specific Data ProtectionFlash-Specific Data Protection
Flash-Specific Data Protection
 
Clement photo essay
Clement photo essayClement photo essay
Clement photo essay
 
Painting development
Painting developmentPainting development
Painting development
 
Math powerpoint
Math powerpointMath powerpoint
Math powerpoint
 

Similar to Troubleshooting Federation, ADFS, and More

Making Sense of API Access Control
Making Sense of API Access ControlMaking Sense of API Access Control
Making Sense of API Access ControlCA API Management
 
Early Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpaceEarly Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpaceOliver Pfaff
 
Single Sign On using ADFS.pptx
Single Sign On using ADFS.pptxSingle Sign On using ADFS.pptx
Single Sign On using ADFS.pptxAlireza Vafi
 
Thomas vochten claims-spsbe26
Thomas vochten claims-spsbe26Thomas vochten claims-spsbe26
Thomas vochten claims-spsbe26BIWUG
 
Claims Based Identity In Share Point 2010
Claims Based Identity In Share Point 2010Claims Based Identity In Share Point 2010
Claims Based Identity In Share Point 2010Steve Sofian
 
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudSharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudDanny Jessee
 
Claims-Based Identity in SharePoint 2010
Claims-Based Identity in SharePoint 2010Claims-Based Identity in SharePoint 2010
Claims-Based Identity in SharePoint 2010Danny Jessee
 
SOA Security - So What?
SOA Security - So What?SOA Security - So What?
SOA Security - So What?Oliver Pfaff
 
Developing and deploying Identity-enabled applications for the cloud
Developing and deploying Identity-enabled applications for the cloudDeveloping and deploying Identity-enabled applications for the cloud
Developing and deploying Identity-enabled applications for the cloudMaarten Balliauw
 
e-SUAP - Security - Windows azure access control list (english version)
e-SUAP - Security - Windows azure access control list (english version)e-SUAP - Security - Windows azure access control list (english version)
e-SUAP - Security - Windows azure access control list (english version)Sabino Labarile
 
The bits and pieces of Azure AD B2C
The bits and pieces of Azure AD B2CThe bits and pieces of Azure AD B2C
The bits and pieces of Azure AD B2CAnton Staykov
 
When and Why Would I use Oauth2?
When and Why Would I use Oauth2?When and Why Would I use Oauth2?
When and Why Would I use Oauth2?Dave Syer
 
State-of-the-Art in Web Services Federation
State-of-the-Art in Web Services FederationState-of-the-Art in Web Services Federation
State-of-the-Art in Web Services FederationOliver Pfaff
 
GPSTEC323-SaaS and OpenID Connect The Secret Sauce Multi-Tenant Identity and ...
GPSTEC323-SaaS and OpenID Connect The Secret Sauce Multi-Tenant Identity and ...GPSTEC323-SaaS and OpenID Connect The Secret Sauce Multi-Tenant Identity and ...
GPSTEC323-SaaS and OpenID Connect The Secret Sauce Multi-Tenant Identity and ...Amazon Web Services
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Nino Ho
 
Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based AuthenticationMohammad Yousri
 
AWS IoT Deep Dive - AWS IoT Web Day
AWS IoT Deep Dive - AWS IoT Web DayAWS IoT Deep Dive - AWS IoT Web Day
AWS IoT Deep Dive - AWS IoT Web DayAWS Germany
 
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudSharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudDanny Jessee
 

Similar to Troubleshooting Federation, ADFS, and More (20)

Making Sense of API Access Control
Making Sense of API Access ControlMaking Sense of API Access Control
Making Sense of API Access Control
 
Early Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpaceEarly Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpace
 
Single Sign On using ADFS.pptx
Single Sign On using ADFS.pptxSingle Sign On using ADFS.pptx
Single Sign On using ADFS.pptx
 
Thomas vochten claims-spsbe26
Thomas vochten claims-spsbe26Thomas vochten claims-spsbe26
Thomas vochten claims-spsbe26
 
Claims Based Identity In Share Point 2010
Claims Based Identity In Share Point 2010Claims Based Identity In Share Point 2010
Claims Based Identity In Share Point 2010
 
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudSharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
 
Claims-Based Identity in SharePoint 2010
Claims-Based Identity in SharePoint 2010Claims-Based Identity in SharePoint 2010
Claims-Based Identity in SharePoint 2010
 
SOA Security - So What?
SOA Security - So What?SOA Security - So What?
SOA Security - So What?
 
Developing and deploying Identity-enabled applications for the cloud
Developing and deploying Identity-enabled applications for the cloudDeveloping and deploying Identity-enabled applications for the cloud
Developing and deploying Identity-enabled applications for the cloud
 
e-SUAP - Security - Windows azure access control list (english version)
e-SUAP - Security - Windows azure access control list (english version)e-SUAP - Security - Windows azure access control list (english version)
e-SUAP - Security - Windows azure access control list (english version)
 
OpenSSO Tech Overview Aquarium
OpenSSO Tech Overview AquariumOpenSSO Tech Overview Aquarium
OpenSSO Tech Overview Aquarium
 
The bits and pieces of Azure AD B2C
The bits and pieces of Azure AD B2CThe bits and pieces of Azure AD B2C
The bits and pieces of Azure AD B2C
 
When and Why Would I use Oauth2?
When and Why Would I use Oauth2?When and Why Would I use Oauth2?
When and Why Would I use Oauth2?
 
State-of-the-Art in Web Services Federation
State-of-the-Art in Web Services FederationState-of-the-Art in Web Services Federation
State-of-the-Art in Web Services Federation
 
GPSTEC323-SaaS and OpenID Connect The Secret Sauce Multi-Tenant Identity and ...
GPSTEC323-SaaS and OpenID Connect The Secret Sauce Multi-Tenant Identity and ...GPSTEC323-SaaS and OpenID Connect The Secret Sauce Multi-Tenant Identity and ...
GPSTEC323-SaaS and OpenID Connect The Secret Sauce Multi-Tenant Identity and ...
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
 
Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based Authentication
 
AWS IoT Deep Dive - AWS IoT Web Day
AWS IoT Deep Dive - AWS IoT Web DayAWS IoT Deep Dive - AWS IoT Web Day
AWS IoT Deep Dive - AWS IoT Web Day
 
AD FS Workshop | Part 2 | Deep Dive
AD FS Workshop | Part 2 | Deep DiveAD FS Workshop | Part 2 | Deep Dive
AD FS Workshop | Part 2 | Deep Dive
 
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudSharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
 

More from Microsoft TechNet - Belgium and Luxembourg

More from Microsoft TechNet - Belgium and Luxembourg (20)

Windows 10: all you need to know!
Windows 10: all you need to know!Windows 10: all you need to know!
Windows 10: all you need to know!
 
Configuration Manager 2012 – Compliance Settings 101 - Tim de Keukelaere
Configuration Manager 2012 – Compliance Settings 101 - Tim de KeukelaereConfiguration Manager 2012 – Compliance Settings 101 - Tim de Keukelaere
Configuration Manager 2012 – Compliance Settings 101 - Tim de Keukelaere
 
Windows 8.1 a closer look
Windows 8.1 a closer lookWindows 8.1 a closer look
Windows 8.1 a closer look
 
So you’ve successfully installed SCOM… Now what.
So you’ve successfully installed SCOM… Now what.So you’ve successfully installed SCOM… Now what.
So you’ve successfully installed SCOM… Now what.
 
Data Leakage Prevention
Data Leakage PreventionData Leakage Prevention
Data Leakage Prevention
 
Deploying and managing ConfigMgr Clients
Deploying and managing ConfigMgr ClientsDeploying and managing ConfigMgr Clients
Deploying and managing ConfigMgr Clients
 
Self Service BI anno 2013 – Where Do We Come From and Where Are We Going?
Self Service BI anno 2013 – Where Do We Come From and Where Are We Going?Self Service BI anno 2013 – Where Do We Come From and Where Are We Going?
Self Service BI anno 2013 – Where Do We Come From and Where Are We Going?
 
Hands on with Hyper-V Clustering Maintenance Mode & Cluster Aware Updating
Hands on with Hyper-V Clustering Maintenance Mode & Cluster Aware UpdatingHands on with Hyper-V Clustering Maintenance Mode & Cluster Aware Updating
Hands on with Hyper-V Clustering Maintenance Mode & Cluster Aware Updating
 
SCEP 2012 inside SCCM 2012
SCEP 2012 inside SCCM 2012SCEP 2012 inside SCCM 2012
SCEP 2012 inside SCCM 2012
 
Jump start your application monitoring with APM
Jump start your application monitoring with APMJump start your application monitoring with APM
Jump start your application monitoring with APM
 
What’s new in Lync Server 2013: Persistent Chat
What’s new in Lync Server 2013: Persistent ChatWhat’s new in Lync Server 2013: Persistent Chat
What’s new in Lync Server 2013: Persistent Chat
 
What's new for Lync 2013 Clients & Devices
What's new for Lync 2013 Clients & DevicesWhat's new for Lync 2013 Clients & Devices
What's new for Lync 2013 Clients & Devices
 
Office 365 ProPlus: Click-to-run deployment and management
Office 365 ProPlus: Click-to-run deployment and managementOffice 365 ProPlus: Click-to-run deployment and management
Office 365 ProPlus: Click-to-run deployment and management
 
Office 365 Identity Management options
Office 365 Identity Management options Office 365 Identity Management options
Office 365 Identity Management options
 
SharePoint Installation and Upgrade: Untangling Your Options
SharePoint Installation and Upgrade: Untangling Your Options SharePoint Installation and Upgrade: Untangling Your Options
SharePoint Installation and Upgrade: Untangling Your Options
 
The application model in real life
The application model in real lifeThe application model in real life
The application model in real life
 
Microsoft private cloud with Cisco and Netapp - Flexpod solution
Microsoft private cloud with Cisco and Netapp - Flexpod solutionMicrosoft private cloud with Cisco and Netapp - Flexpod solution
Microsoft private cloud with Cisco and Netapp - Flexpod solution
 
Managing Windows RT devices in the Enterprise
Managing Windows RT devices in the Enterprise Managing Windows RT devices in the Enterprise
Managing Windows RT devices in the Enterprise
 
Moving from Device Centric to a User Centric Management
Moving from Device Centric to a User Centric Management Moving from Device Centric to a User Centric Management
Moving from Device Centric to a User Centric Management
 
Network Management in System Center 2012 SP1 - VMM
Network Management in System Center 2012 SP1 - VMM Network Management in System Center 2012 SP1 - VMM
Network Management in System Center 2012 SP1 - VMM
 

Recently uploaded

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 

Recently uploaded (20)

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 

Troubleshooting Federation, ADFS, and More

  • 1.
  • 2. Agenda Understand AD FS 2.0 key concepts  Understand AD FS 2.0 challenges and common issues  Identify AD FS 2.0 troubleshooting tools and tips and tricks
  • 3. Key Concepts Issuer IP-STS Authenticates user Identity Provider (IP) Security Token Service (STS) User / Subject /Principal Requests token for AppX Active Directory The Security Token ST Issues Security Token Contains claims about the user crafted for Appx For example: • Name • Group membership Security Token “Authenticates” • User Principal Name (UPN) user to the application • Email address of user • Email address of manager AppX • Phone number Relying party (RP)/ • Other attribute values Resource provider Trusts the Security Token Signed by issuer from the issuer
  • 4. Working with Partners Your Your Partner Claims-aware app AD FS 2.0 STS AD FS 2.0 STS & IP Active Directory Browse app App trusts STS Your STS Partner trusts your user Not authenticated partner’s STS Redirect to your STS Home realm discovery Redirected to partner STS requesting ST for partner user Authenticate Return ST for consumption by your STS Redirected to your STS Return new ST Process token Send Token Return cookies and page
  • 5.
  • 6. X-path Query Use Find… Shown as the ActivityID: Create an XPath form query
  • 7. Seeing it All – Fiddler is a great tool
  • 8. Fiddler as a Man in the Middle Fiddler can intercept HTTPS traffic  Creates a certificate that represents the destination website Browser will display certificate as invalid unless added to certificate store  If you add it to the store make sure you remove it after testing
  • 9. Man-In-The-Middle Attack Prevention appcmd.exe set config "Default Web Site/ADFS/ls" - section:system.webServer/security/au thentication/windowsAuthentication /extendedProtection.tokenChecking:"N one" /extendedProtection.flags:"Proxy" /commit:apphost Depending on the client and server versions, Channel Binding Token (CBT) will be enforced to prevent Man-in-the-middle attacks and authentication will fail  For Fiddler SSL interception temporarily disable CBT on the AD FS server  Configured through the Configuration Editor for the Default Websiteadfsls or via a script
  • 10. First redirect to STS Decoded redirect URL: %2f decodes to / https://adfs.example.com/adfs/ls/? wa=wsignin1.0& wtrealm=https://site1.example.com/Federation/& wctx=rm=0&id=passive&ru=%2fFederation%2f& wct=2011-04-15T15:12:28Z
  • 11. The SAML token is transported in a web page Hidden form with POST method Begins / ends with POST back URL defined via RP configuration in ADFS saml:Assertion SAML claims SAML Token Signature X.509 Certificate of signing party (includes public key) Unchanged wctx=rm=0&id=passive&ru=%2fFederation%2f& since initial Submit button request Java Script to automatically POST page The SAML data is always signed, it can be encrypted if required
  • 12. AD FS Cookies After Authentication with AD FS  MSISSelectionPersistent: identifies authenticating IP-STS  MSISAuth…: authenticated session cookies  MSISSignOut: Keeps track of all RPs to which the session has authenticated  MSISLoopDetectionCookie: Prevents multiple authentication request due to configuration error  Time-out default: 6 request for authentication to same RP within a short space of time
  • 13. Web App Cookies Multiple FedAuth cookies  Allows browser session to remain authenticated to web application
  • 14.
  • 16. Processing Claims Rules Specify the users that are Claims Provider Trusts C permitted to access the l relying party AD a i ST Specify incoming claims that will m be accepted from the claims s provider and passed to the pipeline P i p Permit: specifies claims that will be RP e sent to the relying party Relying Party Trusts l Deny: Not processed i Claims Provider Trusts n e
  • 17. Processing Rules Input claims stream Output claims stream Subsequent rules can process the results of previous rules  A custom rule can be created to only add the results to the input stream  Replace the “issue” statement with “add”
  • 18. Using attribute stores Input claims stream Output claims stream AD SQL LDAP Automatically added
  • 19. Viewing the claims pipeline AD FS 2.0 can be configured to log events into the security log  Source shown as AD FS 2.0 Auditing  Enables issued claims to be viewed Step1 (on AD FS 2.0 server):  Via Group or Local Policy  Security SettingsLocal PoliciesUser Rights Management  Add the ADFS service account to the “Generate security audits properties” Step 2 (on AD FS 2.0 server):  Run auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
  • 20. AD FS 2.0 Security Audits Step3 (on AD FS 2.0 server):
  • 21. Security Audits Event IDs Logon Event ID Claims 4624 provider Deny input input Event ID Issuance Acceptance 324 Authorization Rules Transform Rules Event ID Permit Event ID 299 process 500 Issuance Rules Event ID output input 501 Issuance Transform Rules Event ID 299 Event ID 500
  • 22.
  • 23. AD FS 2.0 Performance Counters AD FS 2.0 performance counters  AD FS 2.0* (ex. token requests/sec, federation metadata requests/sec)  AD FS 2.0 update rollup introduced a new performance counter and fixed some performance bugs WCF performance counter  ServiceModelEndpoint 3.0.0.0(*)*  ServiceModelOperation 3.0.0.0(*)*  ServiceModelService 3.0.0.0(*)* Other performance counters  Memory*, Processor(*)*, Paging File(_Total)*  Process(Microsoft.IdentityServer.ServiceHost) (lsass) (w3wp) (w3wp#1)*  APP_POOL_WAS(ADFSAppPool)*  ASP.NET Applications(_LM_W3SVC_1_ROOT_adfs_ls)*  Web Service(Default Web Site)*  .NET CLR Networking(*)*  Network Interface(*)*  TCPv4*, TCPv6*
  • 24. Resources AD FS 2.0 update rollup 2 AD FS 2.0 troubleshooting guide AD FS 2.0 SDK (updated in 2012!) AD FS 2.0 content map
  • 25. Summary Troubleshooting federation can be tricky Key helpers  Event logs – match correlationIDs  Trace logs for developers  Performance counters  Capture tools  Security auditing While systems are working run captures and become familiar with the normal operations End an argument with Windows Azure Access Control Service (ACS)
  • 26. TechEd 2013 I will be speaking a TechEd 2013  Precon: Windows Server DirectAccess  Other breakouts
  • 27. Consulting services on request John.craddock@xtseminars.co.uk John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems with a focus on security and high-availability. A key player in many IT projects for industry leaders including Microsoft, the UK Government and multi-nationals that require optimized IT systems. Developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory Internals, presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars. www.xtseminars.co.uk