Troubleshooting Federation, ADFS, and More

  1. Agenda
     • Understand AD FS 2.0 key concepts
     • Understand AD FS 2.0 challenges and common issues
     • Identify AD FS 2.0 troubleshooting tools, tips and tricks
  2. Key Concepts
     • Issuer (IP-STS): the Identity Provider (IP) Security Token Service (STS). It authenticates the user against Active Directory and issues the Security Token.
     • User / Subject / Principal: requests a token for AppX.
     • The Security Token (ST): signed by the issuer; contains claims about the user crafted for AppX, for example:
       • Name
       • Group membership
       • User Principal Name (UPN)
       • Email address of user
       • Email address of manager
       • Phone number
       • Other attribute values
       The Security Token “authenticates” the user to the application.
     • AppX: the Relying party (RP) / Resource provider. It trusts the Security Token from the issuer.
  3. Working with Partners (your claims-aware app, your AD FS 2.0 STS, your partner’s AD FS 2.0 STS & IP, and Active Directory). The app trusts your STS; your STS trusts the partner’s STS.
     • Browse app: the user is not authenticated, so the app redirects to your STS.
     • Home realm discovery at your STS: the partner user is redirected to the partner STS, requesting an ST for the partner user.
     • The partner STS authenticates the user against Active Directory and returns an ST for consumption by your STS.
     • Redirected to your STS: your STS processes the token and returns a new ST.
     • Send the token to the app: the app returns cookies and the page.
  4. XPath Query: use Find… on the correlation ID, shown as the ActivityID, and create an XPath form query from it.
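The same ActivityID filter driven from PowerShell, as an added example that is not part of the deck; the log name 'AD FS 2.0/Admin' and the all-zero GUID are placeholders to replace with your own values.

```powershell
# Added example (not from the deck): list every AD FS 2.0 Admin-log event that carries the
# correlation ActivityID shown by Event Viewer's Find..., using the same XPath you would paste
# into the XML filter tab. Log name and GUID below are assumptions/placeholders.
function Get-AdfsEventsByActivityId {
    param(
        [Parameter(Mandatory)][string]$ActivityId,    # e.g. '{00000000-0000-0000-0000-000000000000}'
        [string]$LogName = 'AD FS 2.0/Admin'
    )
    # Event XML stores the ID as an upper-case, braced GUID and the XPath comparison is case-sensitive.
    $guid = '{' + ([guid]$ActivityId).ToString().ToUpperInvariant() + '}'
    $xpath = "*[System[Correlation[@ActivityID='$guid']]]"
    Get-WinEvent -LogName $LogName -FilterXPath $xpath -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Placeholder GUID: substitute the ActivityID copied from the failing request.
Get-AdfsEventsByActivityId -ActivityId '{00000000-0000-0000-0000-000000000000}' | Format-List
```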
  5. Seeing it All – Fiddler is a great tool
  6. Fiddler as a Man in the Middle
     • Fiddler can intercept HTTPS traffic: it creates a certificate that represents the destination website.
     • The browser will display the certificate as invalid unless it is added to the certificate store.
     • If you add it to the store, make sure you remove it after testing.
  7. Man-In-The-Middle Attack Prevention
     • Depending on the client and server versions, Channel Binding Token (CBT) will be enforced to prevent Man-in-the-middle attacks, and authentication through the interceptor will fail.
     • For Fiddler SSL interception, temporarily disable CBT on the AD FS server. It is configured through the Configuration Editor for the Default Web Site/adfs/ls application, or via a script:
       appcmd.exe set config "Default Web Site/ADFS/ls" -section:system.webServer/security/authentication/windowsAuthentication /extendedProtection.tokenChecking:"None" /extendedProtection.flags:"Proxy" /commit:apphost
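A check that the temporary setting did not outlive the test, as an added example that is not part of the deck; it assumes the IIS WebAdministration module and the default site path IIS:\Sites\Default Web Site\adfs\ls.

```powershell
# Added example (not from the deck): read back the effective Extended Protection settings on the
# AD FS passive endpoint so a tokenChecking of "None" left over from Fiddler testing is caught.
# The IIS path is an assumption matching the appcmd command above.
Import-Module WebAdministration

function Test-AdfsExtendedProtection {
    param([string]$SitePath = 'IIS:\Sites\Default Web Site\adfs\ls')
    $filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
    $ep = Get-WebConfiguration -Filter $filter -PSPath $SitePath
    [pscustomobject]@{
        Path          = $SitePath
        TokenChecking = [string]$ep.tokenChecking   # None = CBT off (the Fiddler setting); Allow / Require = CBT on
        Flags         = [string]$ep.flags
        CbtEnforced   = ([string]$ep.tokenChecking -ne 'None')
    }
}

$result = Test-AdfsExtendedProtection
$result | Format-List
if (-not $result.CbtEnforced) {
    Write-Warning "Extended Protection is still disabled on $($result.Path); restore it now that testing is finished."
}
```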
  8. First redirect to STS. Decoded redirect URL (%2f decodes to /):
       wa=wsignin1.0&
       wtrealm=
       wctx=rm=0&id=passive&ru=%2fFederation%2f&
       wct=2011-04-15T15:12:28Z
  9. The SAML token is transported in a web page
     • A hidden form with the POST method, posting to the POST-back URL defined via the RP configuration in AD FS.
     • saml:Assertion: the SAML claims.
     • SAML Token Signature: includes the X.509 certificate of the signing party (with its public key).
     • wctx=rm=0&id=passive&ru=%2fFederation%2f& is unchanged since the initial request.
     • A Submit button, plus JavaScript to automatically POST the page.
     • The SAML data is always signed; it can be encrypted if required.
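Pulling the claims and the signer out of a captured wresult form value, as an added example that is not part of the deck; the token below is a constructed sample (placeholder signature value, empty certificate element), not one issued by AD FS, and the example.test host names are assumptions.

```powershell
# Added example (not from the deck): decode the wresult field captured by Fiddler from the hidden-form
# POST and summarise the SAML 1.1 assertion: issuer, audience, claims and signing certificate.
Add-Type -AssemblyName System.Web
function Get-WsFedTokenSummary {
    param([Parameter(Mandatory)][string]$WresultFormValue)   # URL-encoded value of the wresult form field
    [xml]$doc = [System.Web.HttpUtility]::UrlDecode($WresultFormValue)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:1.0:assertion')   # SAML 1.1 assertion namespace
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $claims = foreach ($a in $doc.SelectNodes('//saml:AttributeStatement/saml:Attribute', $ns)) {
        [pscustomobject]@{
            Type  = $a.AttributeNamespace + '/' + $a.AttributeName
            Value = $a.SelectSingleNode('saml:AttributeValue', $ns).InnerText
        }
    }
    $cert = $null
    $certB64 = $doc.SelectSingleNode('//ds:X509Certificate', $ns).InnerText
    if ($certB64) {   # a real capture carries the signer's X.509 certificate here
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(, [Convert]::FromBase64String($certB64))
    }
    [pscustomobject]@{
        Issuer     = $doc.SelectSingleNode('//saml:Assertion', $ns).Issuer
        Audience   = $doc.SelectSingleNode('//saml:Audience', $ns).InnerText
        Signed     = [bool]$doc.SelectSingleNode('//ds:Signature', $ns)
        SignerCert = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Claims     = $claims
    }
}
# Constructed sample wresult (not an AD FS-issued token; signature value is a placeholder, certificate left empty).
$sample = @'
<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
 <t:RequestedSecurityToken>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" Issuer="http://sts.example.test/adfs/services/trust">
   <saml:Conditions><saml:AudienceRestrictionCondition><saml:Audience>https://appx.example.test/</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions>
   <saml:AttributeStatement>
    <saml:Attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"><saml:AttributeValue>jsmith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="upn" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"><saml:AttributeValue>jsmith@example.test</saml:AttributeValue></saml:Attribute>
   </saml:AttributeStatement>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>CONSTRUCTED</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate></ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  </saml:Assertion>
 </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>
'@
Get-WsFedTokenSummary -WresultFormValue ([System.Web.HttpUtility]::UrlEncode($sample)) | Format-List
```

On a real capture the Claims list is what the RP receives, so comparing it with the Security-log audit of issued claims is a quick way to spot a rule that is not producing what you expect.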
  10. AD FS Cookies (after authentication with AD FS)
     • MSISSelectionPersistent: identifies the authenticating IP-STS.
     • MSISAuth…: authenticated session cookies.
     • MSISSignOut: keeps track of all RPs to which the session has authenticated.
     • MSISLoopDetectionCookie: prevents multiple authentication requests due to a configuration error. Time-out default: 6 requests for authentication to the same RP within a short space of time.
  11. Web App Cookies: multiple FedAuth cookies allow the browser session to remain authenticated to the web application.
  12. Processing claims in ADFS
  13. Processing Claims Rules (the claims pipeline runs AD → Claims Provider Trusts → STS → Relying Party Trusts → RP)
     • Claims Provider Trusts, Acceptance Transform Rules: specify the incoming claims that will be accepted from the claims provider and passed to the pipeline.
     • Relying Party Trusts, Issuance Authorization Rules: specify the users that are permitted to access the relying party. Permit: processing continues; Deny: not processed.
     • Relying Party Trusts, Issuance Transform Rules: specify the claims that will be sent to the relying party.
  14. Processing Rules (input claims stream → output claims stream)
     • Subsequent rules can process the results of previous rules.
     • A custom rule can be created to only add its results to the input stream: replace the “issue” statement with “add”.
  15. Using attribute stores (input claims stream → output claims stream)
     • Attribute stores: AD, SQL, LDAP.
     • The AD store is automatically added.
  16. Viewing the claims pipeline
     • AD FS 2.0 can be configured to log events into the Security log; the source is shown as AD FS 2.0 Auditing. This enables issued claims to be viewed.
     • Step 1 (on AD FS 2.0 server): via Group or Local Policy → Security Settings → Local Policies → User Rights Management, add the ADFS service account to the “Generate security audits” policy.
     • Step 2 (on AD FS 2.0 server): run
       auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
  17. AD FS 2.0 Security Audits. Step 3 (on AD FS 2.0 server):
  18. Security Audits Event IDs
     • Logon: Event ID 4624.
     • Claims provider Acceptance Transform Rules: input claims Event ID 500, output claims Event ID 501.
     • Issuance Authorization Rules: Deny → Event ID 324; Permit → Event ID 299 and processing continues to the Issuance Rules.
     • Issuance Transform Rules: input claims Event ID 500, output claims Event ID 501.
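Reading those audit events back out of the Security log and tagging each with its pipeline stage, as an added example that is not part of the deck; it assumes auditing was enabled as in the steps above and uses the provider name the slides give, AD FS 2.0 Auditing.

```powershell
# Added example (not from the deck): pull the AD FS 2.0 auditing events from the Security log and
# label each with the pipeline stage the event ID corresponds to on the slide above.
function Get-AdfsAuditTrail {
    param([int]$MaxEvents = 50)
    # Stage names follow the slide's mapping of event IDs to pipeline steps.
    $stage = @{
        299 = 'Token issued (issuance authorization: Permit)'
        324 = 'Issuance authorization: Deny'
        500 = 'Input claims (acceptance / issuance transform rules)'
        501 = 'Output claims (acceptance / issuance transform rules)'
    }
    $filter = @{ LogName = 'Security'; ProviderName = 'AD FS 2.0 Auditing'; Id = 299, 324, 500, 501 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Id     = $_.Id
                Stage  = $stage[$_.Id]
                Detail = ($_.Message -split "`r?`n")[0]   # first line of the event text; the claims follow it
            }
        }
}

# Newest events first; the 500/501 pairs show exactly which claims went in and came out.
Get-AdfsAuditTrail | Format-Table -AutoSize
```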
  19. AD FS 2.0 Performance Counters
     • AD FS 2.0 performance counters: AD FS 2.0* (e.g. token requests/sec, federation metadata requests/sec). The AD FS 2.0 update rollup introduced a new performance counter and fixed some performance bugs.
     • WCF performance counters: ServiceModelEndpoint(*)*, ServiceModelOperation(*)*, ServiceModelService(*)*
     • Other performance counters: Memory*, Processor(*)*, Paging File(_Total)*, Process(Microsoft.IdentityServer.ServiceHost), (lsass), (w3wp), (w3wp#1)*, APP_POOL_WAS(ADFSAppPool)*, ASP.NET Applications(_LM_W3SVC_1_ROOT_adfs_ls)*, Web Service(Default Web Site)*, .NET CLR Networking(*)*, Network Interface(*)*, TCPv4*, TCPv6*
  20. Resources
     • AD FS 2.0 update rollup 2
     • AD FS 2.0 troubleshooting guide
     • AD FS 2.0 SDK (updated in 2012!)
     • AD FS 2.0 content map
  21. Summary
     • Troubleshooting federation can be tricky.
     • Key helpers: event logs (match correlation IDs), trace logs for developers, performance counters, capture tools, security auditing.
     • While systems are working, run captures and become familiar with the normal operations.
     • End an argument with Windows Azure Access Control Service (ACS).
  22. TechEd 2013: I will be speaking at TechEd 2013. Precon: Windows Server DirectAccess. Other breakouts.
  23. Consulting services on request. John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems with a focus on security and high-availability. A key player in many IT projects for industry leaders including Microsoft, the UK Government and multi-nationals that require optimized IT systems. Developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory Internals, presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars.