2. Agenda
Understand AD FS 2.0 key concepts
Understand AD FS 2.0 challenges and common issues
Identify AD FS 2.0 troubleshooting tools and tips and tricks
3. Key Concepts
Issuer (IP-STS): the Identity Provider (IP) authenticates the user and the Security Token Service (STS) issues the Security Token (ST); the issuer is backed by Active Directory
User / Subject / Principal: requests a token for AppX
The Security Token: contains claims about the user, crafted for AppX. For example:
• Name
• Group membership
• User Principal Name (UPN)
• Email address of user
• Email address of manager
• Phone number
• Other attribute values
The Security Token is signed by the issuer and “authenticates” the user to the application
Relying party (RP) / Resource provider (AppX): trusts the Security Token from the issuer
4. Working with Partners
Your side: claims-aware app, your AD FS 2.0 STS, Active Directory
Your partner’s side: partner AD FS 2.0 STS & IP
Trusts: the app trusts your STS; your STS trusts your partner’s STS
Flow:
User browses to the app; user not authenticated
Redirect to your STS
Home realm discovery
Redirected to partner STS requesting an ST for the partner user
Authenticate at the partner
Return ST for consumption by your STS
Redirected to your STS; process token
Return new ST
Send token to the app
App returns cookies and page
6. XPath Query
Use Find… in Event Viewer
The correlation is shown as the ActivityID
Create an XPath query (XML form) that filters on the ActivityID
8. Fiddler as a Man in the Middle
Fiddler can intercept HTTPS traffic
Creates a certificate that represents the destination website
Browser will display the certificate as invalid unless it is added to the certificate store
If you add it to the store make sure you remove it after testing
9. Man-In-The-Middle Attack Prevention
appcmd.exe set config "Default Web Site/ADFS/ls" -section:system.webServer/security/authentication/windowsAuthentication /extendedProtection.tokenChecking:"None" /extendedProtection.flags:"Proxy" /commit:apphost
Depending on the client and server versions, Channel Binding Token (CBT) will be enforced to prevent man-in-the-middle attacks, and authentication will fail
For Fiddler SSL interception, temporarily disable CBT on the AD FS server
Configured through the Configuration Editor for the Default Web Site/adfs/ls or via a script (the appcmd.exe command above)
10. First redirect to STS
Decoded redirect URL (%2f decodes to /):
https://adfs.example.com/adfs/ls/?
wa=wsignin1.0&
wtrealm=https://site1.example.com/Federation/&
wctx=rm=0&id=passive&ru=%2fFederation%2f&
wct=2011-04-15T15:12:28Z
11. The SAML token is transported in a web page
Hidden form with POST method; the form’s POST back URL is defined via the RP configuration in AD FS
The SAML token begins / ends with saml:Assertion and carries:
SAML claims
Signature
X.509 Certificate of signing party (includes public key)
wctx=rm=0&id=passive&ru=%2fFederation%2f – unchanged since the initial request
Submit button
JavaScript to automatically POST the page
The SAML data is always signed; it can be encrypted if required
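The two halves of the passive sign-in described in slides 10 and 11, worked through in code: decode the redirect to the STS, then parse the auto-POSTed page that carries the token. This is an added example and not part of the original deck; the redirect string, the wresult XML, the certificate text and the claim values are all constructed, and the form page only has the shape the slide describes (hidden inputs, POST method, unchanged wctx, submit button, signed saml:Assertion with the signer's X.509 certificate).

```python
"""Walk through the AD FS 2.0 WS-Federation passive flow from slides 10 and 11:
decode the sign-in redirect, then parse the auto-POSTed form that carries the
SAML token and check what a troubleshooter looks for (POST method, unchanged
wctx, signed assertion with the issuer's certificate, the claims)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.1 assertions, as AD FS 2.0 issues for WS-Fed
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"

# Constructed: the redirect from slide 10 as the browser actually sees it (still URL-encoded)
SIGNIN_REDIRECT = ("https://adfs.example.com/adfs/ls/?wa=wsignin1.0"
                   "&wtrealm=https%3a%2f%2fsite1.example.com%2fFederation%2f"
                   "&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fFederation%252f"
                   "&wct=2011-04-15T15%3a12%3a28Z")

# Constructed wresult with the shape of an AD FS 2.0 token; signature and certificate are dummies
WRESULT_XML = (
    '<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">'
    '<t:RequestedSecurityToken>'
    f'<saml:Assertion xmlns:saml="{SAML_NS}" AssertionID="_constructed-1" '
    'Issuer="http://adfs.example.com/adfs/services/trust">'
    '<saml:AttributeStatement>'
    f'<saml:Attribute AttributeName="name" AttributeNamespace="{CLAIMS_NS}">'
    '<saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>'
    f'<saml:Attribute AttributeName="upn" AttributeNamespace="{CLAIMS_NS}">'
    '<saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement>'
    f'<ds:Signature xmlns:ds="{DS_NS}"><ds:SignatureValue>Q09OU1RSVUNURUQ=</ds:SignatureValue>'
    '<ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT-BASE64</ds:X509Certificate>'
    '</ds:X509Data></ds:KeyInfo></ds:Signature>'
    '</saml:Assertion></t:RequestedSecurityToken></t:RequestSecurityTokenResponse>')

# Constructed: the hidden-form page the STS returns (slide 11); wctx is echoed back untouched
POST_BACK_PAGE = f"""<html><body onload="document.forms[0].submit()">
<form method="POST" action="https://site1.example.com/Federation/">
<input type="hidden" name="wa" value="wsignin1.0" />
<input type="hidden" name="wresult" value="{escape(WRESULT_XML, quote=True)}" />
<input type="hidden" name="wctx" value="rm=0&amp;id=passive&amp;ru=%2fFederation%2f" />
<noscript><input type="submit" value="Submit" /></noscript>
</form></body></html>"""


class FormParser(HTMLParser):
    """Collects the form action/method and every hidden input (values are HTML-unescaped)."""
    def __init__(self):
        super().__init__()
        self.action, self.method, self.fields = None, None, {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action, self.method = a.get("action"), (a.get("method") or "GET").upper()
        elif tag == "input" and a.get("type") == "hidden":
            self.fields[a["name"]] = a.get("value", "")


def parse_signin_redirect(url):
    """Decode wa/wtrealm/wctx/wct; wctx carries its own query string, encoded once more."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    params["wctx_decoded"] = {k: v[0] for k, v in parse_qs(params["wctx"]).items()}
    return params


def inspect_token(wresult):
    """Pull issuer, claims, and signature/certificate presence out of the wresult XML."""
    assertion = ET.fromstring(wresult).find(f".//{{{SAML_NS}}}Assertion")
    claims = {}
    for attr in assertion.iter(f"{{{SAML_NS}}}Attribute"):
        key = f'{attr.get("AttributeNamespace")}/{attr.get("AttributeName")}'
        claims[key] = [v.text for v in attr.iter(f"{{{SAML_NS}}}AttributeValue")]
    sig = assertion.find(f"{{{DS_NS}}}Signature")
    cert = None if sig is None else sig.find(f".//{{{DS_NS}}}X509Certificate")
    return {"issuer": assertion.get("Issuer"), "claims": claims,
            "signed": sig is not None, "has_signing_cert": cert is not None}


def check_flow(redirect_url, page):
    """Tie the two halves together the way you would when reading a Fiddler capture."""
    req = parse_signin_redirect(redirect_url)
    form = FormParser()
    form.feed(page)
    result = inspect_token(form.fields["wresult"])
    result.update({
        "method": form.method,
        "post_back_matches_realm": form.action.startswith(req["wtrealm"]),
        "wctx_unchanged": form.fields["wctx"] == req["wctx"],
    })
    return result


if __name__ == "__main__":
    for k, v in check_flow(SIGNIN_REDIRECT, POST_BACK_PAGE).items():
        print(f"{k}: {v}")
```

The checks are the ones worth repeating against a real capture: the form must POST to the realm the app asked for, wctx must come back byte-for-byte, and the assertion must carry a Signature with the signer's certificate. The code only reports presence of the signature; validating it against the certificate configured on the RP is the relying party's job.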
12. AD FS Cookies
After Authentication with AD FS
MSISSelectionPersistent: identifies authenticating IP-STS
MSISAuth…: authenticated session cookies
MSISSignOut: Keeps track of all RPs to which the session has authenticated
MSISLoopDetectionCookie: Prevents multiple authentication requests due to a configuration error
Default threshold: 6 requests for authentication to the same RP within a short space of time
13. Web App Cookies
Multiple FedAuth cookies
Allows browser session to remain authenticated to web application
16. Processing Claims Rules
Claims flow: AD → Claims Provider Trusts → claims pipeline → Relying Party Trusts → RP
Claims Provider Trusts: specify incoming claims that will be accepted from the claims provider and passed to the pipeline
Relying Party Trusts: specify the users that are permitted to access the relying party
Permit: specifies claims that will be sent to the relying party
Deny: not processed
17. Processing Rules
Input claims stream Output claims stream
Subsequent rules can process the results of previous rules
A custom rule can be created to only add the results to the input stream
Replace the “issue” statement with “add”
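A small model of the pipeline from slides 16 and 17, added here as an illustration and not code from the deck or from AD FS: rules run in order over the input claims stream, `issue` copies a claim to both the input and the output stream, and `add` puts it only on the input stream so that later rules can consume it. The rule objects carry the claim rule language text they stand for as a comment string; the claim type `urn:constructed:tmp-admin` and all claim values are made up.

```python
"""Minimal model of the AD FS 2.0 claims pipeline: rules evaluated in order over
an input claims stream; 'issue' writes to both streams, 'add' only to the input
stream.  Added illustration, the Rule objects are not AD FS's rule parser."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

# Claim type URIs as AD FS uses them (the short names match the slides)
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
GROUP = "http://schemas.xmlsoap.org/claims/Group"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
TMP_ADMIN = "urn:constructed:tmp-admin"   # hypothetical intermediate claim type


@dataclass(frozen=True)
class Claim:
    type: str
    value: str


@dataclass
class Rule:
    text: str                                   # the rule as it would read in claim rule language
    action: str                                 # "issue" or "add"
    condition: Callable[[Claim], bool]          # which input claims the rule fires on
    produce: Callable[[Claim], Iterable[Claim]]  # the claims it creates from a matching claim


def run_pipeline(input_claims: Iterable[Claim], rules: List[Rule]) -> Tuple[List[Claim], List[Claim]]:
    """Return (input stream after all rules, output stream sent to the relying party)."""
    inputs: List[Claim] = list(input_claims)    # input claims stream
    outputs: List[Claim] = []                   # output claims stream
    for rule in rules:
        # snapshot so a rule sees everything previous rules produced, not its own output
        produced = [nc for c in list(inputs) if rule.condition(c) for nc in rule.produce(c)]
        for nc in produced:
            if nc not in inputs:                # both 'issue' and 'add' feed the input stream...
                inputs.append(nc)
            if rule.action == "issue" and nc not in outputs:   # ...only 'issue' reaches the RP
                outputs.append(nc)
    return inputs, outputs


RULES = [
    Rule('c:[Type == "...claims/upn"] => issue(claim = c);', "issue",
         lambda c: c.type == UPN, lambda c: [c]),
    # 'add' instead of 'issue': the intermediate claim is visible to later rules only
    Rule('c:[Type == "...claims/Group", Value == "Domain Admins"] => add(Type = "urn:constructed:tmp-admin", Value = "admin");', "add",
         lambda c: c.type == GROUP and c.value == "Domain Admins", lambda c: [Claim(TMP_ADMIN, "admin")]),
    # a subsequent rule processes the result of the previous one
    Rule('c:[Type == "urn:constructed:tmp-admin"] => issue(Type = "...claims/role", Value = c.Value);', "issue",
         lambda c: c.type == TMP_ADMIN, lambda c: [Claim(ROLE, c.value)]),
]

# Constructed input claims for one user
SAMPLE_INPUT = [Claim(UPN, "alice@example.com"),
                Claim(GROUP, "Domain Admins"),
                Claim(GROUP, "Domain Users")]

if __name__ == "__main__":
    ins, outs = run_pipeline(SAMPLE_INPUT, RULES)
    print("input stream :", [(c.type.rsplit("/", 1)[-1], c.value) for c in ins])
    print("output stream:", [(c.type.rsplit("/", 1)[-1], c.value) for c in outs])
```

Note what the RP never sees: the group claims and the temporary claim stay in the input stream because no rule issues them, which is the behaviour you want when an intermediate claim is only a stepping stone for later rules.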
18. Using attribute stores
Input claims stream → Output claims stream
Attribute stores: AD (automatically added), SQL, LDAP
19. Viewing the claims pipeline
AD FS 2.0 can be configured to log events into the security log
Source shown as AD FS 2.0 Auditing
Enables issued claims to be viewed
Step 1 (on AD FS 2.0 server):
Via Group or Local Policy
Security Settings > Local Policies > User Rights Management
Add the AD FS service account to the “Generate security audits” policy properties
Step 2 (on AD FS 2.0 server):
Run
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
20. AD FS 2.0 Security Audits
Step 3 (on AD FS 2.0 server):
21. Security Audits Event IDs
Logon: Event ID 4624
Claims provider input: Event ID 500 (input claims)
Acceptance Transform Rules
Issuance Authorization Rules: Deny → Event ID 324; Permit → Event ID 299, processing continues (Event ID 500)
Issuance Transform Rules: input Event ID 500, output Event ID 501
Token issued to the relying party: Event ID 299
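The matching-by-identifier idea from slide 6 (find the events that share an ActivityID) and the audit event IDs from slide 21 together give a simple way to reconstruct one token request from the Security log. The example below is added here and is not from the deck: it correlates events by the instance ID they share, records the input (500) and output (501) claims and the outcome (299 issued, 324 denied), and lists the input claims that never reached the RP. The event dicts stand in for records exported from the log, and every instance ID, account and claim value is constructed.

```python
"""Correlate AD FS 2.0 security-audit events by instance ID to reconstruct what
the claims pipeline did for one token request (event IDs from slide 21).
Added illustration: the dicts stand in for Security-log records; all IDs,
accounts and claim values below are constructed."""
from collections import defaultdict

TOKEN_ISSUED, ISSUANCE_DENIED, INPUT_CLAIMS, OUTPUT_CLAIMS, LOGON = 299, 324, 500, 501, 4624

SAMPLE_EVENTS = [
    {"EventID": LOGON, "InstanceID": None, "Account": "alice@example.com"},
    {"EventID": INPUT_CLAIMS, "InstanceID": "inst-0001",
     "Claims": ["upn=alice@example.com", "group=Domain Users", "group=Domain Admins"]},
    {"EventID": OUTPUT_CLAIMS, "InstanceID": "inst-0001",
     "Claims": ["upn=alice@example.com", "role=admin"]},
    {"EventID": TOKEN_ISSUED, "InstanceID": "inst-0001",
     "RelyingParty": "https://site1.example.com/Federation/"},
    {"EventID": INPUT_CLAIMS, "InstanceID": "inst-0002", "Claims": ["upn=bob@example.com"]},
    {"EventID": ISSUANCE_DENIED, "InstanceID": "inst-0002",
     "RelyingParty": "https://site1.example.com/Federation/"},
]


def correlate(events):
    """Group pipeline events by the instance ID they share; returns {instance: record}."""
    records = defaultdict(lambda: {"input": [], "output": [],
                                   "outcome": "incomplete", "relying_party": None})
    for ev in events:
        iid = ev.get("InstanceID")
        if iid is None:                      # e.g. 4624 logons carry no pipeline instance
            continue
        rec = records[iid]
        eid = ev["EventID"]
        if eid == INPUT_CLAIMS:
            rec["input"].extend(ev["Claims"])
        elif eid == OUTPUT_CLAIMS:
            rec["output"].extend(ev["Claims"])
        elif eid in (TOKEN_ISSUED, ISSUANCE_DENIED):
            rec["outcome"] = "issued" if eid == TOKEN_ISSUED else "denied"
            rec["relying_party"] = ev.get("RelyingParty")
    return dict(records)


def dropped_claims(record):
    """Input claims no rule issued to the RP: the first thing to check when an app
    reports a missing claim."""
    return [c for c in record["input"] if c not in record["output"]]


def summarize(events):
    """One line per instance, handy for eyeballing a filtered export."""
    lines = []
    for iid, rec in correlate(events).items():
        lines.append(f"{iid}: {rec['outcome']} for {rec['relying_party']}; "
                     f"{len(rec['input'])} in, {len(rec['output'])} out, "
                     f"dropped={dropped_claims(rec)}")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_EVENTS):
        print(line)
```

Reading a real export, the same grouping tells you immediately whether a failure is an authorization deny (324 with no 501) or a transform problem (299 issued but the claim the app wants is in the dropped list).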
23. AD FS 2.0 Performance Counters
AD FS 2.0 performance counters
AD FS 2.0* (e.g. token requests/sec, federation metadata requests/sec)
The AD FS 2.0 update rollup introduced a new performance counter and fixed some performance bugs
WCF performance counters
ServiceModelEndpoint 3.0.0.0(*)*
ServiceModelOperation 3.0.0.0(*)*
ServiceModelService 3.0.0.0(*)*
Other performance counters
Memory*, Processor(*)*, Paging File(_Total)*
Process(Microsoft.IdentityServer.ServiceHost) (lsass) (w3wp) (w3wp#1)*
APP_POOL_WAS(ADFSAppPool)*
ASP.NET Applications(_LM_W3SVC_1_ROOT_adfs_ls)*
Web Service(Default Web Site)*
.NET CLR Networking(*)*
Network Interface(*)*
TCPv4*, TCPv6*
24. Resources
AD FS 2.0 update rollup 2
AD FS 2.0 troubleshooting guide
AD FS 2.0 SDK (updated in 2012!)
AD FS 2.0 content map
25. Summary
Troubleshooting federation can be tricky
Key helpers
Event logs – match correlationIDs
Trace logs for developers
Performance counters
Capture tools
Security auditing
While systems are working, run captures and become familiar with the normal operations
End an argument with Windows Azure Access Control Service (ACS)
26. TechEd 2013
I will be speaking at TechEd 2013
Precon: Windows Server DirectAccess
Other breakouts
27. Consulting services on request
John.craddock@xtseminars.co.uk
John has designed and implemented computing systems ranging
from high-speed industrial controllers through to distributed IT
systems with a focus on security and high-availability. A key player
in many IT projects for industry leaders including Microsoft, the UK
Government and multi-nationals that require optimized IT systems.
Developed technical training courses that have been published
worldwide, co-authored a highly successful book on Microsoft
Active Directory Internals, presents regularly at major international
conferences including TechEd, IT Forum and European summits.
John can be engaged as a consultant or booked for speaking
engagements through XTSeminars. www.xtseminars.co.uk