Troubleshooting Federation, AD FS 2.0, and More…

Presentation transcript:

Troubleshooting Federation, AD FS 2.0, and More…
John Craddock, Federation and Security Architect, XTSeminars
Lu Zhao, Program Manager, Microsoft
4/19/2017 8:07 PM © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Agenda
- Understand AD FS 2.0 key concepts
- Understand AD FS 2.0 challenges and common issues
- Identify AD FS 2.0 troubleshooting tools, tips and tricks

Key Concepts
- Issuer (IP-STS): the Identity Provider (IP) / Security Token Service (STS). It authenticates the user against Active Directory and issues a security token (ST) crafted for AppX.
- User / subject / principal: requests a token for AppX.
- The security token contains claims about the user, for example: name, group membership, User Principal Name (UPN), email address of the user, email address of the manager, phone number, other attribute values.
- The security token "authenticates" the user to the application.
- AppX, the relying party (RP) / resource provider: trusts the security token from the issuer because it is signed by the issuer.

Working with Partners
Actors: your claims-aware app, your AD FS 2.0 STS, and your partner's AD FS 2.0 STS & IP (backed by the partner's Active Directory).
- Your app trusts your STS.
- Your STS trusts your partner's STS.
Flow for a partner user:
1. The partner user browses to your app and is not authenticated.
2. Redirect to your STS.
3. Home realm discovery; the user is redirected to the partner STS, requesting an ST for the partner user.
4. The partner STS authenticates the user and returns an ST for consumption by your STS.
5. The user is redirected to your STS, which processes the token and returns a new ST.
6. The browser sends the token to your app.
7. The app processes the token and returns cookies and the page.

demo: Federation in action

XPath Query: use Find… to locate events by the ActivityID they show, or create an XPath-form query that filters on that ActivityID.

Seeing it All – Fiddler is a great tool

Fiddler as a Man in the Middle
Browser → WinINET → Fiddler → Webserver
- Fiddler can intercept HTTPS traffic.
- It creates a (spoofed) certificate that represents the destination website.
- The browser will display the certificate as invalid unless it is added to the certificate store.
- If you add it to the store, make sure you remove it after testing.

Man-In-The-Middle Attack Prevention
- Depending on the client and server versions, a Channel Binding Token (CBT) will be enforced to prevent man-in-the-middle attacks, so authentication through Fiddler will fail.
- For Fiddler SSL interception, temporarily disable CBT on the AD FS server.
- Configured through the Configuration Editor for Default Web Site\adfs\ls, or via a script:
appcmd.exe set config "Default Web Site/ADFS/ls" -section:system.webServer/security/authentication/windowsAuthentication /extendedProtection.tokenChecking:"None" /extendedProtection.flags:"Proxy" /commit:apphost

First redirect to the STS
Decoded redirect URL (the AD FS logon endpoint):
https://adfs.example.com/adfs/ls/?wa=wsignin1.0&wtrealm=https://site1.example.com/Federation/&wctx=rm=0&id=passive&ru=%2fFederation%2f&wct=2011-04-15T15:12:28Z
- wa: action to perform
- wtrealm: security realm of the RP
- wctx: consumed by the RP, passed through unchanged by all actors (%2f decodes to /)
- wct: time stamp

The SAML token is transported in a web page
- Hidden form with POST method; the POST-back URL is defined via the RP configuration in AD FS.
- The SAML token begins/ends with saml:Assertion and contains the SAML claims, the SAML token signature and the X.509 certificate of the signing party (includes the public key).
- wctx=rm=0&id=passive&ru=%2fFederation%2f& is unchanged since the initial request.
- A submit button plus JavaScript automatically POSTs the page.
- The SAML data is always signed; it can be encrypted if required.
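The two slides above describe what you see in a capture: the sign-in redirect to /adfs/ls and the hidden-form POST that carries the token back. The following script is an added example, not code from the presentation, that parses both halves the way you would check them by hand: it splits the redirect into wa/wtrealm/wctx/wct, compares wtrealm and wct against what the RP expects, then parses the POST body, confirms wctx came back unchanged and pulls the claims and the signing certificate out of the saml:Assertion. The URL, the assertion, the certificate text and the EXPECTED_REALM value are all constructed; the XML signature is only located, not cryptographically verified.

```python
"""Inspect a WS-Federation passive sign-in round trip as seen in a Fiddler
capture: the redirect to the AD FS /adfs/ls endpoint and the form POST that
carries the signed SAML token back to the relying party (RP). All sample
data is constructed; the XML signature is located but not verified."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs, urlencode
import xml.etree.ElementTree as ET

EXPECTED_REALM = "https://site1.example.com/Federation/"   # assumption: the RP's configured realm
CAPTURE_CLOCK = datetime(2011, 4, 15, 15, 13, 0, tzinfo=timezone.utc)  # constructed capture time

# Constructed: the slide's redirect as it travels on the wire. wctx is double-encoded because
# the RP's own ru=%2fFederation%2f value is embedded inside the wctx parameter.
REDIRECT_URL = ("https://adfs.example.com/adfs/ls/?wa=wsignin1.0"
                "&wtrealm=https%3a%2f%2fsite1.example.com%2fFederation%2f"
                "&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fFederation%252f"
                "&wct=2011-04-15T15:12:28Z")

NS = {"t": "http://schemas.xmlsoap.org/ws/2005/02/trust",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed wresult: a SAML 1.1 assertion inside a WS-Trust response, placeholder signature.
WRESULT = """<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<t:RequestedSecurityToken><saml:Assertion AssertionID="_constructed-1"
 Issuer="http://adfs.example.com/adfs/services/trust" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:AttributeStatement>
 <saml:Attribute AttributeName="upn" AttributeNamespace="http://schemas.xmlsoap.org/claims">
  <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
 <saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims">
  <saml:AttributeValue>Domain Users</saml:AttributeValue><saml:AttributeValue>Sales</saml:AttributeValue>
 </saml:Attribute>
</saml:AttributeStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>Q09OU1RSVUNURUQ=</ds:SignatureValue>
 <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICconstructedBase64Placeholder=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
</ds:Signature></saml:Assertion></t:RequestedSecurityToken></t:RequestSecurityTokenResponse>"""

# Constructed: the hidden-form body that the page's script auto-POSTs to the RP.
POST_BODY = urlencode({"wa": "wsignin1.0", "wresult": WRESULT,
                       "wctx": "rm=0&id=passive&ru=%2fFederation%2f"})


def _first(q, name):
    vals = q.get(name)
    return vals[0] if vals else None


def parse_signin_redirect(url):
    """Split the redirect into the AD FS endpoint and the wa/wtrealm/wctx/wct parameters."""
    parts = urlsplit(url)
    q = parse_qs(parts.query, keep_blank_values=True)
    info = {"endpoint": f"{parts.scheme}://{parts.netloc}{parts.path}",
            "wa": _first(q, "wa"), "wtrealm": _first(q, "wtrealm"),
            "wctx": _first(q, "wctx"), "wct": _first(q, "wct")}
    # wctx is opaque to AD FS; its rm/id/ru fields belong to the RP and are decoded only for display.
    info["wctx_fields"] = {k: v[0] for k, v in parse_qs(info["wctx"] or "", keep_blank_values=True).items()}
    return info


def check_signin_redirect(info, expected_realm, now, max_skew_seconds=300):
    """Return a list of problems; empty when the redirect matches the RP configuration."""
    problems = []
    if info["wa"] != "wsignin1.0":
        problems.append(f"wa={info['wa']!r} is not a sign-in request")
    if info["wtrealm"] != expected_realm:
        problems.append(f"wtrealm {info['wtrealm']!r} does not match the RP realm {expected_realm!r}")
    try:
        wct = datetime.strptime(info["wct"] or "", "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if abs(now - wct) > timedelta(seconds=max_skew_seconds):
            problems.append(f"wct {info['wct']} is more than {max_skew_seconds}s from the reference clock")
    except ValueError:
        problems.append(f"wct {info['wct']!r} is not a UTC timestamp")
    return problems


def inspect_token_post(body, original_wctx):
    """Parse the POST back to the RP: confirm wctx round-tripped unchanged, then pull the
    claims and the signing certificate out of the saml:Assertion inside wresult."""
    q = parse_qs(body, keep_blank_values=True)
    assertion = ET.fromstring(_first(q, "wresult") or "<empty/>").find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("wresult does not carry a saml:Assertion")
    claims = {}
    for attr in assertion.findall(".//saml:Attribute", NS):
        claims[attr.get("AttributeName")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    cert = assertion.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {"wa": _first(q, "wa"),
            "wctx_unchanged": _first(q, "wctx") == original_wctx,
            "issuer": assertion.get("Issuer"),
            "claims": claims,
            "signed": assertion.find("ds:Signature", NS) is not None,
            "signing_certificate": cert.text.strip() if cert is not None and cert.text else None}


if __name__ == "__main__":
    redirect = parse_signin_redirect(REDIRECT_URL)
    print("redirect problems:", check_signin_redirect(redirect, EXPECTED_REALM, CAPTURE_CLOCK))
    print("token post:", inspect_token_post(POST_BODY, redirect["wctx"]))
```

A wtrealm that does not match the RP's configured identifier, or a wctx that comes back altered, is the first thing to look for when the RP rejects a token that AD FS reports as issued.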

AD FS Cookies (after authentication with AD FS)
- MSISSelectionPersistent: identifies the authenticating IP-STS
- MSISAuth…: authenticated session cookies
- MSISSignOut: keeps track of all RPs to which the session has authenticated
- MSISLoopDetectionCookie: prevents multiple authentication requests due to a configuration error; default time-out: 6 requests for authentication to the same RP within a short space of time

Web App Cookies
- Multiple FedAuth cookies, set by the application, allow the browser session to remain authenticated to the web application.

demo: Tracing with Fiddler

Managing certificates that establish trust

Communications and trust
- STS: signs the ST with the STS token-signing certificate private key and encrypts it with the RP encryption certificate public key.
- RP: validates the ST with the STS token-signing certificate public key and decrypts it with the RP encryption certificate private key.
- User: trusts the website and the STS via their SSL certificates; the certificate path is validated and the CRL is checked.

Certificate Issues
- Archived certificates become unusable (fixed!)
- Support for 3rd-party CSPs (fixed!)
- V3 certificates do not work for token-signing and token-decryption certificates. Run "certutil -viewstore -v My > cert.txt" and look for KeySpec: KeySpec=0 if the certificate is from a version 3 template.
- The same signature verification certificate cannot be used across multiple RPs.
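The V3-template check above is easy to miss by eye in a long cert.txt. This added script (not part of the presentation) walks a saved certutil -viewstore -v listing, records the Subject and KeySpec of each certificate and reports the ones with KeySpec=0. The sample text is constructed to mimic the shape of certutil -v output (section headers, Subject and KeySpec lines); the exact wording of a real listing may differ, which is why the parser keys only on those three line patterns.

```python
"""Find certificates with KeySpec = 0 in a saved `certutil -viewstore -v My`
listing, the sign of a version 3 template certificate that AD FS 2.0 cannot
use for token signing or token decryption. SAMPLE_CERT_TXT is constructed to
resemble certutil output; it is not captured from a real store."""
import re

SAMPLE_CERT_TXT = """\
================ Certificate 0 ================
Serial Number: 1a2b3c
Issuer: CN=Constructed Issuing CA, DC=example, DC=com
Subject: CN=adfs.example.com
  Provider = Microsoft RSA SChannel Cryptographic Provider
  KeySpec = 1 -- AT_KEYEXCHANGE

================ Certificate 1 ================
Serial Number: 4d5e6f
Issuer: CN=Constructed Issuing CA, DC=example, DC=com
Subject: CN=ADFS Signing - adfs.example.com
  Provider = Microsoft Software Key Storage Provider
  KeySpec = 0 -- (constructed: version 3 template, no CAPI key spec)

================ Certificate 2 ================
Serial Number: 7a8b9c
Issuer: CN=Constructed Issuing CA, DC=example, DC=com
Subject: CN=ADFS Encryption - adfs.example.com
  Provider = Microsoft RSA SChannel Cryptographic Provider
  KeySpec = 2 -- AT_SIGNATURE
"""

HEADER = re.compile(r"^=+\s*Certificate\s+(\d+)\s*=+\s*$", re.MULTILINE)
SUBJECT = re.compile(r"^Subject:\s*(.+?)\s*$", re.MULTILINE)
KEYSPEC = re.compile(r"^\s*KeySpec\s*=\s*(\d+)", re.MULTILINE)


def parse_certutil_store(text):
    """Return one dict per certificate section: index, subject, keyspec (None if no KeySpec line)."""
    certs = []
    headers = list(HEADER.finditer(text))
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        section = text[h.end():end]
        subject = SUBJECT.search(section)
        keyspec = KEYSPEC.search(section)
        certs.append({"index": int(h.group(1)),
                      "subject": subject.group(1) if subject else None,
                      "keyspec": int(keyspec.group(1)) if keyspec else None})
    return certs


def unusable_for_adfs(certs):
    """Certificates AD FS 2.0 cannot use for token signing/decryption: KeySpec 0 (version 3 template)."""
    return [c for c in certs if c["keyspec"] == 0]


if __name__ == "__main__":
    # In practice: read the cert.txt produced by certutil instead of the constructed sample.
    for cert in unusable_for_adfs(parse_certutil_store(SAMPLE_CERT_TXT)):
        print(f"Certificate {cert['index']}: {cert['subject']} has KeySpec=0 (v3 template)")
```

Certificates without a KeySpec line at all (no private key in this store) are reported with keyspec None rather than flagged, since the slide's test only applies to certificates that carry a key.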

Processing claims in ADFS

Processing Claims
The claims pipeline runs between the Claims Provider Trusts (for example AD) and the Relying Party Trusts:
- Acceptance Transform rules (claims provider trust): specify the incoming claims that will be accepted from the claims provider and passed to the pipeline.
- Issuance Authorization rules (relying party trust): specify the users that are permitted to access the relying party. Result: Permit or Deny. Deny: the request is not processed further.
- Issuance Transform rules (relying party trust): specify the claims that will be sent to the relying party in the ST.

Processing Rules
- Rules execute in order: each rule takes claims from the input claims stream, executes, and writes its result to the output claims stream.
- Subsequent rules can process the results of previous rules.
- A custom rule can be created to only add its results to the input stream: replace the "issue" statement with "add".
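To make the two slides above concrete, here is an added toy model (not AD FS code and not the claim rule language) of the three rule sets and of the difference between issue and add: an issued claim lands in the output stream and in the input stream, so later rules and the relying party both see it; an added claim lands only in the input stream, so later rules can test it but it never reaches the relying party. The rule builders, the claim type names, the users and the groups are all constructed.

```python
"""Toy model of the AD FS 2.0 claims pipeline: acceptance transform rules,
issuance authorization rules (Permit/Deny), then issuance transform rules.
A rule is a callable that reads the input claim set and returns
(action, claim) pairs. 'issue' writes to the output set and to the input set;
'add' writes to the input set only. Rules and users are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    type: str
    value: str


class AccessDenied(Exception):
    """Raised when the issuance authorization rules do not permit the user."""


def run_rules(rules, input_claims):
    """Execute rules in order over a copy of the input set; return the output set."""
    inp, out = list(input_claims), []
    for rule in rules:
        for action, claim in rule(inp):
            if action == "issue":          # issue(...): seen by the RP and by later rules
                out.append(claim)
                inp.append(claim)
            elif action == "add":          # add(...): seen only by later rules
                inp.append(claim)
            else:
                raise ValueError(f"unknown rule action {action!r}")
    return out


# Rule builders standing in for pass-through, transform and custom rules.
def passthrough(claim_type):
    return lambda inp: [("issue", c) for c in inp if c.type == claim_type]


def group_to_role(group, role):
    return lambda inp: [("issue", Claim("role", role))
                        for c in inp if c.type == "group" and c.value == group]


def add_domain_from_upn():
    # Custom rule with add instead of issue: a helper claim the next rule can test,
    # which never reaches the relying party.
    return lambda inp: [("add", Claim("domain", c.value.split("@", 1)[1]))
                        for c in inp if c.type == "upn" and "@" in c.value]


def permit_if(claim_type, value):
    def rule(inp):
        if any(c.type == claim_type and c.value == value for c in inp):
            return [("issue", Claim("permit", "true"))]
        return [("issue", Claim("deny", f"no {claim_type}={value} claim"))]
    return rule


def claims_pipeline(acceptance, authorization, issuance, provider_claims):
    """Acceptance -> authorization (Permit/Deny) -> issuance; returns the claims for the ST."""
    accepted = run_rules(acceptance, provider_claims)
    decision = run_rules(authorization, accepted)
    # Deny wins over Permit, and no Permit claim at all is also a denial.
    if any(c.type == "deny" for c in decision) or not any(c.type == "permit" for c in decision):
        raise AccessDenied([c.value for c in decision if c.type == "deny"] or ["no permit claim"])
    return run_rules(issuance, accepted)


# Constructed trust configuration and users.
ACCEPTANCE = [passthrough("upn"), passthrough("group")]          # sid claims stop here
AUTHORIZATION = [add_domain_from_upn(), permit_if("domain", "example.com")]
ISSUANCE = [passthrough("upn"), group_to_role("Sales", "SalesRep"),
            # this rule sees the role claim issued by the rule before it
            lambda inp: [("issue", Claim("region", "EMEA"))
                         for c in inp if c.type == "role" and c.value == "SalesRep"]]

ALICE = [Claim("upn", "alice@example.com"), Claim("group", "Sales"),
         Claim("sid", "S-1-5-21-0-0-0-1001")]                     # constructed SID
BOB = [Claim("upn", "bob@contoso.example"), Claim("group", "Sales")]

if __name__ == "__main__":
    print("alice ->", claims_pipeline(ACCEPTANCE, AUTHORIZATION, ISSUANCE, ALICE))
    try:
        claims_pipeline(ACCEPTANCE, AUTHORIZATION, ISSUANCE, BOB)
    except AccessDenied as denied:
        print("bob -> denied:", denied)
```

The authorization stage starts from the accepted claims and its results are not carried into the issuance stage, so the domain helper claim and the permit claim are never part of the token.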

Using attribute stores
- A rule extracts values from other attribute stores based on the input value(s) and writes them to the output claims stream.
- Attribute stores: AD (automatically added), SQL, LDAP, Forefront Identity Manager, custom attribute stores.

Viewing the claims pipeline
AD FS 2.0 can be configured to log events into the Security log (source shown as "AD FS 2.0 Auditing"); this enables the issued claims to be viewed.
Step 1 (on the AD FS 2.0 server): via Group or Local Policy, under Security Settings\Local Policies\User Rights Assignment, add the AD FS service account to "Generate security audits".
Step 2 (on the AD FS 2.0 server): run
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable

AD FS 2.0 Security Audits
Step 3 (on the AD FS 2.0 server):

Security Audits Event IDs
- Event ID 4624: AD FS logon (AD user and group SIDs).
- Event ID 299: token issued to AD FS by the claims provider; input to the Acceptance Transform rules.
- Issuance Authorization rules: Deny is logged as Event ID 324 and processing stops; Permit continues to the Issuance Transform rules.
- Event ID 299: token issued to the relying party (the output ST).
- Event IDs 500 and 501: issued claims after processing rules.
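The XPath slide says to match on ActivityID, and the table above says what each event ID means; putting the two together gives one view per token request. The script below is an added example, not from the presentation: it groups constructed audit records by their Activity (correlation) ID, labels each event with the stage from the table, and decides whether the request ended in a token to the relying party or in a 324 deny. The Activity IDs, the message texts and the "Type: Value" layout of the claims in the 500/501 records are all constructed; real messages come from the Security log with source "AD FS 2.0 Auditing" and may be laid out differently.

```python
"""Correlate AD FS 2.0 security-audit events by Activity ID and map each
event ID to the pipeline stage named on the slide, so one token request can
be followed from logon to issuance or denial. Records and IDs are constructed."""
from collections import defaultdict

# Stage each event ID represents, per the slide.
STAGE = {4624: "AD FS logon (AD user and group SIDs)",
         299:  "token issued",          # first to AD FS from the claims provider, then to the RP
         324:  "issuance authorization rules: Deny",
         500:  "issued claims after processing rules",
         501:  "issued claims after processing rules (continued)"}

# Constructed records: (event_id, activity_id, message). Claims inside 500/501
# are written as 'Type: Value' lines here; real event text may differ.
EVENTS = [
    (4624, "{C0000001-0000-4000-8000-000000000001}", "Logon for EXAMPLE\\alice"),
    (299,  "{C0000001-0000-4000-8000-000000000001}", "Token issued to AD FS"),
    (299,  "{C0000001-0000-4000-8000-000000000001}", "Token issued to https://site1.example.com/Federation/"),
    (500,  "{C0000001-0000-4000-8000-000000000001}", "upn: alice@example.com\nrole: SalesRep"),
    (501,  "{C0000001-0000-4000-8000-000000000001}", "region: EMEA"),
    (4624, "{C0000002-0000-4000-8000-000000000002}", "Logon for EXAMPLE\\bob"),
    (299,  "{C0000002-0000-4000-8000-000000000002}", "Token issued to AD FS"),
    (324,  "{C0000002-0000-4000-8000-000000000002}", "Issuance authorization rules denied the request"),
]


def correlate(events):
    """Return {activity_id: {"stages": [...], "outcome": str, "claims": {type: [values]}}}."""
    by_activity = defaultdict(list)
    for event_id, activity_id, message in events:
        by_activity[activity_id].append((event_id, message))
    result = {}
    for activity_id, items in by_activity.items():
        stages, claims, tokens_issued, denied = [], defaultdict(list), 0, False
        for event_id, message in items:
            stages.append(STAGE.get(event_id, f"event {event_id} (not in the slide's table)"))
            if event_id == 299:
                tokens_issued += 1
            elif event_id == 324:
                denied = True
            elif event_id in (500, 501):
                for line in message.splitlines():
                    claim_type, _, value = line.partition(":")
                    if value.strip():
                        claims[claim_type.strip()].append(value.strip())
        if denied:
            outcome = "denied"
        elif tokens_issued >= 2:          # one token in from the provider, one out to the RP
            outcome = "issued to relying party"
        else:
            outcome = "incomplete"
        result[activity_id] = {"stages": stages, "outcome": outcome, "claims": dict(claims)}
    return result


if __name__ == "__main__":
    for activity_id, summary in correlate(EVENTS).items():
        print(activity_id, summary["outcome"], summary["claims"])
```

An "incomplete" outcome (a logon and a single 299 with nothing after it) is the pattern to look for when the relying party never receives a token but no deny was logged either.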

demo: Auditing

AD FS 2.0 Performance Counters
- \AD FS 2.0\* (e.g. token requests/sec, federation metadata requests/sec). The AD FS 2.0 update rollup introduced a new performance counter and fixed some performance bugs.
- WCF performance counters: \ServiceModelEndpoint 3.0.0.0(*)\*, \ServiceModelOperation 3.0.0.0(*)\*, \ServiceModelService 3.0.0.0(*)\*
- Other performance counters: \Memory\*, \Processor(*)\*, \Paging File(_Total)\*, \Process(Microsoft.IdentityServer.ServiceHost)\*, \Process(lsass)\*, \Process(w3wp)\*, \Process(w3wp#1)\*, \APP_POOL_WAS(ADFSAppPool)\*, \ASP.NET Applications(_LM_W3SVC_1_ROOT_adfs_ls)\*, \Web Service(Default Web Site)\*, \.NET CLR Networking(*)\*, \Network Interface(*)\*, \TCPv4\*, \TCPv6\*

Resources
- AD FS 2.0 update rollup 2
- AD FS 2.0 troubleshooting guide
- AD FS 2.0 SDK (updated in 2012!)
- AD FS 2.0 content map

Summary
Troubleshooting federation can be tricky. Key helpers:
- Event logs: match correlation IDs
- Trace logs for developers
- Performance counters
- Capture tools
- Security auditing
While systems are working, run captures and become familiar with the normal operations.
End an argument with ACS.
