Troubleshooting Federation, AD FS 2.0, and More…

1 Troubleshooting Federation, AD FS 2.0, and More…
John Craddock, Federation and Security Architect, XTSeminars
Lu Zhao, Program Manager, Microsoft
4/19/2017 8:07 PM
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Agenda
- Understand AD FS 2.0 key concepts
- Understand AD FS 2.0 challenges and common issues
- Identify AD FS 2.0 troubleshooting tools, tips and tricks

3 Key Concepts
Issuer: the Identity Provider (IP) and its Security Token Service (STS), together the IP-STS. It authenticates the user against Active Directory.
User / Subject / Principal: requests a token for AppX.
The issuer issues a Security Token (ST) crafted for AppX. The Security Token contains claims about the user, for example:
- Name
- Group membership
- User Principal Name (UPN)
- E-mail address of user
- E-mail address of manager
- Phone number
- Other attribute values
The Security Token "authenticates" the user to the application.
AppX, the Relying Party (RP) / Resource provider, trusts the Security Token from the issuer because it is signed by the issuer.

4 Working with Partners
Actors: your claims-aware app, your AD FS 2.0 STS, and the partner's AD FS 2.0 STS & IP backed by the partner's Active Directory. The app trusts your STS; your STS trusts your partner's STS.
Flow for a partner user:
1. Partner user browses to the app; not authenticated.
2. Redirect to your STS.
3. Home realm discovery.
4. Redirected to the partner STS, requesting an ST for the partner user.
5. Partner STS authenticates the user.
6. Partner STS returns an ST for consumption by your STS.
7. Redirected to your STS carrying that ST.
8. Your STS processes the token and returns a new ST.
9. The new ST is sent to the app.
10. The app returns cookies and the page.

5 Demo: Federation in action

6 XPath Query
Use Find… to locate the value shown as the ActivityID, then create an XPath form query that filters on it.

7 Seeing it All – Fiddler is a great tool

8 Fiddler as a Man in the Middle
Browser → WinINET → Fiddler → Webserver (Fiddler presents a spoofed certificate)
- Fiddler can intercept HTTPS traffic
- It creates a certificate that represents the destination website
- The browser will display the certificate as invalid unless it is added to the certificate store
- If you add it to the store, make sure you remove it after testing

9 Man-In-The-Middle Attack Prevention
Depending on the client and server versions, Channel Binding Token (CBT) will be enforced to prevent man-in-the-middle attacks, and authentication will fail.
For Fiddler SSL interception, temporarily disable CBT on the AD FS server. It is configured through the Configuration Editor for Default Web Site\adfs\ls, or via a script:
    appcmd.exe set config "Default Web Site/ADFS/ls" -section:system.webServer/security/authentication/windowsAuthentication /extendedProtection.tokenChecking:"None" /extendedProtection.flags:"Proxy" /commit:apphost

10 First redirect to STS
Decoded redirect URL: the AD FS logon endpoint, followed by
- wa=wsignin1.0& : action to perform
- wtrealm= : security realm of the RP
- wctx=rm=0&id=passive&ru=%2fFederation%2f& : consumed by the RP; passed through unchanged by all actors
- wct=…T15:12:28Z : time stamp
%2f decodes to /

11 The SAML token is transported in a web page
- The token begins / ends with saml:Assertion
- Hidden form with POST method; the POST-back URL is defined via the RP configuration in AD FS
- Contents: SAML claims, SAML token signature, X.509 certificate of the signing party (includes the public key)
- wctx=rm=0&id=passive&ru=%2fFederation%2f& is unchanged since the initial request
- Submit button plus JavaScript to automatically POST the page
- The SAML data is always signed; it can be encrypted if required
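The two slides above describe what a Fiddler capture of the sign-in redirect and the token POST-back should look like. The following is an added example, not code from the presentation or from AD FS: it decodes the WS-Federation parameters one level at a time, then checks the POST-back for the properties the slides call out (wa is wsignin1.0, wctx comes back unchanged, the wresult carries a saml:Assertion with a signature and an X.509 certificate, and that certificate is the token-signing certificate the RP was configured with). Every hostname, realm and certificate value is a constructed placeholder; the certificate element holds base64 of the bytes "abc" rather than a real DER certificate, and the code compares thumbprints only, it does not verify the XML signature itself.

```python
"""Added example: decode a WS-Federation sign-in redirect and sanity-check the
token POST-back against it. All values below are constructed placeholders."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"   # AD FS 2.0 issues SAML 1.1 assertions over WS-Federation
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed redirect to the AD FS logon endpoint (hostnames and realm are placeholders).
REDIRECT = (
    "https://sts.example.test/adfs/ls/?wa=wsignin1.0"
    "&wtrealm=https%3a%2f%2fapp.example.test%2f"
    "&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fFederation%252f%26"
    "&wct=2012-06-12T15%3a12%3a28Z"
)

# Constructed POST-back form. The wresult is a skeleton of the RSTR AD FS returns;
# the X509Certificate element holds base64("abc"), a placeholder, not a real certificate.
WRESULT = """<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:RequestedSecurityToken>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_constructed-1">
      <saml:AttributeStatement/>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>YWJj</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </ds:Signature>
    </saml:Assertion>
  </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""
POSTBACK_FORM = {
    "wa": "wsignin1.0",
    "wresult": WRESULT,
    "wctx": "rm=0&id=passive&ru=%2fFederation%2f&",
}


def decode_signin_redirect(url):
    """Split the redirect into its WS-Federation parameters, one decode level at a time."""
    parts = urlsplit(url)
    outer = {k: v[0] for k, v in parse_qs(parts.query).items()}
    # wctx is opaque to AD FS; decoding it once more shows what the RP put there.
    inner = {k: v[0] for k, v in parse_qs(outer.get("wctx", "")).items()}
    wct = datetime.strptime(outer["wct"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"endpoint": parts.path, "wa": outer.get("wa"), "wtrealm": outer.get("wtrealm"),
            "wctx": outer.get("wctx"), "wctx_fields": inner, "wct": wct}


def certificate_thumbprint(cert_b64):
    """Windows-style thumbprint: SHA-1 over the DER bytes, upper-case hex."""
    return hashlib.sha1(base64.b64decode(cert_b64)).hexdigest().upper()


def parse_token_post(form):
    """Pull the assertion and its embedded signing certificate out of the wresult field."""
    root = ET.fromstring(form["wresult"])
    assertion = root.find(f".//{{{SAML_NS}}}Assertion")
    if assertion is None:
        raise ValueError("wresult carries no saml:Assertion")
    cert = assertion.find(f".//{{{DSIG_NS}}}X509Certificate")
    return {"assertion_id": assertion.get("AssertionID"),
            "signed": assertion.find(f"{{{DSIG_NS}}}Signature") is not None,
            "signing_cert_thumbprint": certificate_thumbprint(cert.text.strip()) if cert is not None else None}


def verify_postback(redirect_url, form, trusted_thumbprints):
    """Return the inconsistencies between the redirect and the POST-back (empty list = clean)."""
    findings = []
    redirect = decode_signin_redirect(redirect_url)
    if form.get("wa") != "wsignin1.0":
        findings.append(f"wa changed: {form.get('wa')!r}")
    if form.get("wctx") != redirect["wctx"]:
        findings.append("wctx differs from the initial request; some hop rewrote it")
    try:
        token = parse_token_post(form)
    except (ET.ParseError, ValueError) as exc:
        return findings + [f"wresult unusable: {exc}"]
    if not token["signed"]:
        findings.append("assertion is not signed")
    elif token["signing_cert_thumbprint"] not in trusted_thumbprints:
        findings.append(f"signing certificate {token['signing_cert_thumbprint']} is not the configured token-signing certificate")
    return findings


if __name__ == "__main__":
    trusted = {certificate_thumbprint("YWJj")}   # the RP's configured token-signing certificate (placeholder)
    print(decode_signin_redirect(REDIRECT))
    print("findings:", verify_postback(REDIRECT, POSTBACK_FORM, trusted))
```

Feed it the decoded redirect URL and the form fields from the Fiddler session; a non-empty findings list points at the hop that altered wctx or at a token-signing certificate that does not match the RP's configuration (the "same certificate across multiple RPs" and certificate-rollover problems later in the deck show up here as a thumbprint mismatch).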

12 AD FS Cookies After Authentication with AD FS
- MSISSelectionPersistent: identifies the authenticating IP-STS
- MSISAuth…: authenticated session cookies
- MSISSignOut: keeps track of all RPs to which the session has authenticated
- MSISLoopDetectionCookie: prevents multiple authentication requests due to a configuration error. Default: 6 requests for authentication to the same RP within a short space of time

13 Web App Cookies
Multiple FedAuth cookies, set by the application, allow the browser session to remain authenticated to the web application.

14 Demo: Tracing with Fiddler

15 Managing certificates that establish trust

16 Communications and trust
- STS: signs the ST with the STS token-signing certificate private key; encrypts it with the RP encryption certificate public key
- RP: validates the ST with the STS token-signing certificate public key; decrypts it with the RP encryption certificate private key
- User: trusts the website and the STS via SSL certificates; certificate path validated and CRL checked

17 Certificate Issues
- Archived certificates become unusable (fixed!)
- Support for 3rd-party CSPs (fixed!)
- V3 certificates do not work for token-signing and token-decryption certificates. Run "certutil -viewstore -v My > cert.txt" and look for KeySpec: KeySpec=0 if the certificate is from a version 3 template
- The same signature verification certificate cannot be used across multiple RPs

18 Processing claims in ADFS

19 Processing Claims Rules
Claims Provider Trusts (AD) → Claims Pipeline → Relying Party Trusts (RP) → ST
- Acceptance Transform rules (claims provider trust): specify the incoming claims that will be accepted from the claims provider and passed to the pipeline
- Issuance Authorization rules (relying party trust): specify the users that are permitted to access the relying party; the result is Permit or Deny
- Issuance Transform rules (relying party trust): on Permit, specify the claims that will be sent to the relying party; on Deny, not processed

20 Processing Rules
Input claims stream → Rule 1 (take from input, execute rule, result) → Rule 2 (take from input, execute rule, result) → Rule 3 (take from input, execute rule, result) → Output claims stream
- Subsequent rules can process the results of previous rules
- A custom rule can be created to only add its results to the input stream: replace the "issue" statement with "add"

21 Using attribute stores
Input claims stream → Rule 1 (take from input, execute rule, result) → Output claims stream
- The rule extracts values from other attribute stores based on the input value(s)
- Attribute stores: AD (automatically added), LDAP, SQL, Forefront Identity Manager, custom attribute stores
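Slides 19 to 21 describe the three rule sets and the input/output stream semantics. The following is an added example, not code from the presentation or from AD FS: a small model of the pipeline in which rules are Python callables rather than claim-rule language, but the stream behaviour is the one the slides describe: each rule reads the current input stream, its result is appended to the input stream so later rules can process it, and only an "issue" statement also copies the result to the output stream, while "add" does not. The attribute store, group SIDs, account names and the urn:example:department claim type are constructed placeholders; the other claim type URIs are the ones AD FS uses.

```python
"""Added example: a model of the AD FS 2.0 claims pipeline (acceptance transform,
issuance authorization, issuance transform) with issue/add stream semantics.
Constructed data throughout; not the AD FS rule engine."""
from collections import namedtuple

Claim = namedtuple("Claim", "type value")

# Claim type URIs as used by AD FS.
ACCOUNT = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
GROUPSID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
PERMIT = "http://schemas.microsoft.com/authorization/claims/permit"
DENY = "http://schemas.microsoft.com/authorization/claims/deny"
DEPARTMENT = "urn:example:department"              # constructed intermediate claim type

APP_USERS_SID = "S-1-5-21-1111-2222-3333-1001"     # constructed group SID
CONTRACTORS_SID = "S-1-5-21-1111-2222-3333-1002"   # constructed group SID

# Constructed stand-in for an attribute store (in AD FS 2.0 the AD store is added automatically).
ATTRIBUTE_STORE = {
    "EXAMPLE\\alice": {"mail": "alice@example.test", "department": "Finance"},
    "EXAMPLE\\bob": {"mail": "bob@example.test", "department": "Sales"},
}


class Rule:
    def __init__(self, name, condition, produce, statement="issue"):
        self.name = name
        self.condition = condition   # claim -> bool, the c:[...] part of a rule
        self.produce = produce       # matching claim -> list of Claim, the => part
        self.statement = statement   # "issue" or "add"


def run_rules(rules, incoming):
    """Execute a rule set over an input claims stream and return the output stream."""
    input_stream = list(incoming)
    output_stream = []
    for rule in rules:
        results = []
        for claim in [c for c in input_stream if rule.condition(c)]:
            results.extend(rule.produce(claim))
        input_stream.extend(results)            # later rules can process these results
        if rule.statement == "issue":
            output_stream.extend(results)       # an "add" rule stops at the input stream
    return output_stream


def lookup(claim, attribute):
    """Attribute-store rule body: resolve an attribute from the account-name claim."""
    record = ATTRIBUTE_STORE.get(claim.value)
    return [record[attribute]] if record and attribute in record else []


# Claims provider trust: acceptance transform rules (anything else from AD is dropped).
ACCEPTANCE_RULES = [
    Rule("pass through account name", lambda c: c.type == ACCOUNT, lambda c: [c]),
    Rule("pass through group SIDs", lambda c: c.type == GROUPSID, lambda c: [c]),
]

# Relying party trust: issuance authorization rules.
AUTHORIZATION_RULES = [
    Rule("permit app users", lambda c: c.type == GROUPSID and c.value == APP_USERS_SID,
         lambda c: [Claim(PERMIT, "true")]),
    Rule("deny contractors", lambda c: c.type == GROUPSID and c.value == CONTRACTORS_SID,
         lambda c: [Claim(DENY, "true")]),
]

# Relying party trust: issuance transform rules. The first one uses "add", so the
# department claim feeds the role rule but never reaches the token.
ISSUANCE_RULES = [
    Rule("department from store (add only)", lambda c: c.type == ACCOUNT,
         lambda c: [Claim(DEPARTMENT, d) for d in lookup(c, "department")], statement="add"),
    Rule("role from department", lambda c: c.type == DEPARTMENT,
         lambda c: [Claim(ROLE, c.value + "Users")]),
    Rule("email from store", lambda c: c.type == ACCOUNT,
         lambda c: [Claim(EMAIL, m) for m in lookup(c, "mail")]),
]


def authorize(auth_output):
    """Deny if any deny claim was issued, Permit if a permit claim was, otherwise Deny."""
    if any(c.type == DENY for c in auth_output):
        return "Deny"
    return "Permit" if any(c.type == PERMIT for c in auth_output) else "Deny"


def issue_token(ad_claims):
    """Run the full pipeline; return (decision, claims placed in the ST)."""
    accepted = run_rules(ACCEPTANCE_RULES, ad_claims)
    decision = authorize(run_rules(AUTHORIZATION_RULES, accepted))
    if decision != "Permit":
        return decision, []                      # Deny: issuance transform rules are not processed
    return decision, run_rules(ISSUANCE_RULES, accepted)


if __name__ == "__main__":
    alice = [Claim(ACCOUNT, "EXAMPLE\\alice"), Claim(GROUPSID, APP_USERS_SID),
             Claim("urn:example:unused", "dropped by the acceptance rules")]
    print(issue_token(alice))
```

Running it for the constructed user alice yields a Permit with a role and an e-mail claim but no department claim, which is exactly the difference between "add" and "issue" the slide describes; a user who is in both the app-users and contractors groups gets Deny and no issuance transform processing at all.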

22 Viewing the claims pipeline
AD FS 2.0 can be configured to log events into the Security log (source shown as AD FS 2.0 Auditing). This enables the issued claims to be viewed.
Step 1 (on the AD FS 2.0 server): via Group or Local Policy, under Security Settings\Local Policies\User Rights Management, add the AD FS service account to "Generate security audits".
Step 2 (on the AD FS 2.0 server): run
    auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable

23 AD FS 2.0 Security Audits
Step 3 (on the AD FS 2.0 server):

24 Security Audits Event IDs
- Event ID 4624: AD FS logon
- Claims provider stage: input is the AD user and group SIDs; Event ID 299: token issued to AD FS
- Acceptance Transform Rules → Issuance Authorization Rules: Deny logs Event ID 324; Permit processes the Issuance Rules
- Issuance Transform Rules → ST: Event ID 299: token issued to the relying party; Event IDs 500 and 501 carry the input and output claims, i.e. the issued claims after processing the rules
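The slide names the audit events a single sign-in produces. The following is an added example, not code from the presentation or from AD FS: it groups audit records by request and classifies each request as issued, denied (a 324 was logged) or incomplete (a 299 to AD FS but nothing for the relying party), and it lists the claims the 500/501 records carried. The event IDs are the slide's; the record layout, instance ids, user names and claim values are constructed, so map the fields of your own parsed events onto the same shape before using it.

```python
"""Added example: correlate AD FS 2.0 security-audit events per request.
Record fields and values are constructed placeholders, not the event schema."""
from collections import defaultdict

CLAIMS_PROVIDER_STAGE = "AD FS"   # how this example marks the 299 logged for the claims provider stage

# Constructed audit records keyed by a per-request instance id.
EVENTS = [
    {"id": 4624, "instance": "i-1", "user": "EXAMPLE\\alice"},
    {"id": 299, "instance": "i-1", "relying_party": CLAIMS_PROVIDER_STAGE},
    {"id": 500, "instance": "i-1", "claims": [("groupsid", "S-1-5-21-1111-2222-3333-1001")]},
    {"id": 299, "instance": "i-1", "relying_party": "https://app.example.test/"},
    {"id": 500, "instance": "i-1", "claims": [("role", "FinanceUsers"), ("emailaddress", "alice@example.test")]},
    {"id": 4624, "instance": "i-2", "user": "EXAMPLE\\bob"},
    {"id": 299, "instance": "i-2", "relying_party": CLAIMS_PROVIDER_STAGE},
    {"id": 324, "instance": "i-2", "relying_party": "https://app.example.test/"},
    {"id": 4624, "instance": "i-3", "user": "EXAMPLE\\carol"},
    {"id": 299, "instance": "i-3", "relying_party": CLAIMS_PROVIDER_STAGE},
]


def correlate(events):
    """Group records by instance id and summarise what happened to each request."""
    by_instance = defaultdict(list)
    for event in events:
        by_instance[event["instance"]].append(event)
    summary = {}
    for instance, records in by_instance.items():
        ids = [r["id"] for r in records]
        issued_to = [r["relying_party"] for r in records if r["id"] == 299]
        claims = [c for r in records if r["id"] in (500, 501) for c in r.get("claims", [])]
        if 324 in ids:
            status = "denied"                      # issuance authorization rules said Deny
        elif any(rp != CLAIMS_PROVIDER_STAGE for rp in issued_to):
            status = "issued"                      # a token reached the relying party
        else:
            status = "incomplete"                  # stopped after the claims provider stage
        summary[instance] = {
            "user": next((r["user"] for r in records if r["id"] == 4624), None),
            "issued_to": issued_to,
            "claims": claims,
            "status": status,
        }
    return summary


def failed_requests(summary):
    """Instance ids that never produced a token for a relying party."""
    return sorted(i for i, s in summary.items() if s["status"] != "issued")


def report(summary):
    """One line per request plus one indented line per issued claim."""
    lines = []
    for instance, s in sorted(summary.items()):
        lines.append(f"{instance} {s['user']}: {s['status']}; tokens to {', '.join(s['issued_to']) or 'nobody'}")
        for ctype, cvalue in s["claims"]:
            lines.append(f"    {ctype} = {cvalue}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(correlate(EVENTS))))
```

Read against the slide: i-1 shows the full chain (logon, token to AD FS, token to the RP, claims in 500), i-2 stops at a 324 and is the case to check against the issuance authorization rules, and i-3 never gets past the claims provider stage, which is where the acceptance rules or the trust configuration deserve a look.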

25 Demo: Auditing (Name, Title, Group)

26 AD FS 2.0 Performance Counters
- \AD FS 2.0\* (e.g. token requests/sec, federation metadata requests/sec). The AD FS 2.0 update rollup introduced a new performance counter and fixed some performance bugs
- WCF performance counters: \ServiceModelEndpoint(*)\*, \ServiceModelOperation(*)\*, \ServiceModelService(*)\*
- Other performance counters: \Memory\*, \Processor(*)\*, \Paging File(_Total)\*, \Process(Microsoft.IdentityServer.ServiceHost)\*, \Process(lsass)\*, \Process(w3wp)\*, \Process(w3wp#1)\*, \APP_POOL_WAS(ADFSAppPool)\*, \ASP.NET Applications(_LM_W3SVC_1_ROOT_adfs_ls)\*, \Web Service(Default Web Site)\*, \.NET CLR Networking(*)\*, \Network Interface(*)\*, \TCPv4\*, \TCPv6\*

27 Resources
- AD FS 2.0 update rollup 2
- AD FS 2.0 troubleshooting guide
- AD FS 2.0 SDK (updated in 2012!)
- AD FS 2.0 content map

28 Summary
Troubleshooting federation can be tricky. Key helpers:
- Event logs: match correlation IDs
- Trace logs for developers
- Performance counters
- Capture tools
- Security auditing
While systems are working, run captures and become familiar with normal operations.
End an argument with ACS


31 © 2012 Microsoft Corporation. All rights reserved.
