Troubleshooting Federation, AD FS 2.0, and More… John Craddock, Federation and Security Architect, XTSeminars Lu Zhao, Program Manager, Microsoft
Agenda
• Understand AD FS 2.0 key concepts
• Understand AD FS 2.0 challenges and common issues
• Identify AD FS 2.0 troubleshooting tools and tips and tricks
Key Concepts
• Issuer (IP-STS): the Identity Provider (IP) Security Token Service (STS); authenticates the user against Active Directory
• User / Subject / Principal: requests a token for AppX
• The issuer issues a Security Token (ST) crafted for AppX and signed by the issuer
• The Security Token contains claims about the user, for example:
  • Name
  • Group membership
  • User Principal Name (UPN)
  • Email address of user
  • Email address of manager
  • Phone number
  • Other attribute values
• The Security Token "authenticates" the user to the application
• AppX: Relying party (RP) / Resource provider; trusts the Security Token from the issuer
Working with Partners
Actors: Active Directory, your AD FS 2.0 STS, the partner's AD FS 2.0 STS & IP, your claims-aware app. The app trusts your STS; your STS trusts your partner's STS.
• Partner user browses to the app; not authenticated, so redirected to your STS
• Home realm discovery: redirected to the partner STS, requesting an ST for the partner user
• Partner STS authenticates the user and returns an ST for consumption by your STS
• Redirected to your STS, which processes the token and returns a new ST
• Token sent to the app; the app returns cookies and the page
Demo: Federation in action
XPath Query
• Use Find…
• Shown as the ActivityID
• Create an XPath form query
Fiddler as a Man in the Middle
• Fiddler can intercept HTTPS traffic
• Creates a certificate that represents the destination website
• Browser will display the certificate as invalid unless it is added to the certificate store
• If you add it to the store, make sure you remove it after testing
Diagram: Browser → WinINET → Fiddler (spoof certificate) → Webserver
Man-In-The-Middle Attack Prevention
• Depending on the client and server versions, Channel Binding Token (CBT) will be enforced to prevent man-in-the-middle attacks, and authentication will fail
• For Fiddler SSL interception, temporarily disable CBT on the AD FS server
• Configured through the Configuration Editor for the Default Website\adfs\ls, or via a script:
appcmd.exe set config "Default Web Site/ADFS/ls" -section:system.webServer/security/authentication/windowsAuthentication /extendedProtection.tokenChecking:"None" /extendedProtection.flags:"Proxy" /commit:apphost
First redirect to STS
Decoded redirect URL (%2f decodes to /):
https://adfs.example.com/adfs/ls/? (AD FS logon endpoint)
wa=wsignin1.0& (action to perform)
wtrealm=https://site1.example.com/Federation/& (security realm of the RP)
wctx=rm=0&id=passive&ru=%2fFederation%2f& (consumed by the RP; passed through unchanged by all actors)
wct=2011-04-15T15:12:28Z (time stamp)
The SAML token is transported in a web page
• Hidden form with POST method; the POST-back URL is defined via the RP configuration in AD FS
• The SAML token begins / ends with saml:Assertion and carries the SAML claims
• The SAML data is always signed; it can be encrypted if required
• The signature includes the X.509 certificate of the signing party (includes the public key)
• wctx=rm=0&id=passive&ru=%2fFederation%2f& is unchanged since the initial request
• Submit button, plus JavaScript to automatically POST the page
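The two legs described on the last two slides, as an added worked example (not code from the talk or from AD FS): it splits the sign-in redirect into its WS-Federation parameters, decodes wctx, pulls the saml:Assertion out of the wresult field of the auto-posted form, and cross-checks that wctx came back unchanged and that the token's audience is the wtrealm that was requested. The URL, form, assertion, signature and certificate values are constructed from the slide values; the signature is a placeholder, so this does not verify it.

```python
"""Decode the two legs of a WS-Federation passive sign-in as they appear in a
Fiddler capture: the redirect to /adfs/ls and the hidden form that carries the
SAML token back to the RP. Added example, not code from the talk or from AD FS;
the URL, form and assertion are constructed from the values on the slides."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"

# Constructed: the first redirect as sent on the wire. wctx is encoded once more
# than in the decoded view on the slide, so the RP's ru=%2fFederation%2f survives.
SIGNIN_REDIRECT = (
    "https://adfs.example.com/adfs/ls/?wa=wsignin1.0"
    "&wtrealm=https://site1.example.com/Federation/"
    "&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fFederation%252f"
    "&wct=2011-04-15T15:12:28Z"
)

# Constructed: minimal SAML 1.1 assertion with placeholder signature and certificate.
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" AssertionID="_constructed-1"
  Issuer="http://adfs.example.com/adfs/services/trust" MajorVersion="1" MinorVersion="1">
  <saml:Conditions><saml:AudienceRestrictionCondition>
    <saml:Audience>https://site1.example.com/Federation/</saml:Audience>
  </saml:AudienceRestrictionCondition></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="name" AttributeNamespace="{CLAIMS}">
      <saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
  <ds:Signature xmlns:ds="{DSIG_NS}"><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB-PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
</saml:Assertion>"""
WRESULT = ('<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">'
           f"<t:RequestedSecurityToken>{ASSERTION}</t:RequestedSecurityToken>"
           "</t:RequestSecurityTokenResponse>")

# Constructed: the page AD FS returns; its JavaScript auto-POSTs the form to the RP.
SIGNIN_RESPONSE_FORM = f"""<html><body onload="document.forms[0].submit()">
<form method="POST" action="https://site1.example.com/Federation/">
<input type="hidden" name="wa" value="wsignin1.0" />
<input type="hidden" name="wresult" value="{html.escape(WRESULT)}" />
<input type="hidden" name="wctx" value="rm=0&amp;id=passive&amp;ru=%2fFederation%2f" />
<noscript><input type="submit" value="Submit" /></noscript>
</form></body></html>"""


def decode_signin_request(url):
    """Split the redirect into its WS-Fed parameters and decode wctx, which AD FS
    passes through untouched and only the RP interprets."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if params.get("wa") != "wsignin1.0":
        raise ValueError("not a wsignin1.0 request")
    params["wctx_decoded"] = {k: v[0] for k, v in parse_qs(params["wctx"]).items()}
    return params


class _HiddenFields(HTMLParser):
    """Collect the form action and hidden inputs; HTMLParser unescapes the values."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.fields["action"] = a.get("action")
        elif tag == "input" and a.get("type") == "hidden":
            self.fields[a["name"]] = a.get("value", "")


def parse_signin_response(form_html):
    """Extract the saml:Assertion from wresult: issuer, audience, claims, and
    whether it is signed with the signer's X.509 certificate attached."""
    parser = _HiddenFields()
    parser.feed(form_html)
    fields = parser.fields
    assertion = ET.fromstring(fields["wresult"]).find(f".//{{{SAML_NS}}}Assertion")
    if assertion is None:
        raise ValueError("no saml:Assertion in wresult")
    claims = {}
    for attr in assertion.iter(f"{{{SAML_NS}}}Attribute"):
        key = attr.get("AttributeNamespace") + "/" + attr.get("AttributeName")
        claims[key] = [v.text for v in attr.iter(f"{{{SAML_NS}}}AttributeValue")]
    cert = assertion.find(f".//{{{DSIG_NS}}}X509Certificate")
    return {
        "action": fields["action"], "wctx": fields["wctx"],
        "issuer": assertion.get("Issuer"),
        "audience": assertion.findtext(f".//{{{SAML_NS}}}Audience"),
        "claims": claims,
        "signed": assertion.find(f"{{{DSIG_NS}}}Signature") is not None,
        "signing_cert_b64": None if cert is None else cert.text.strip(),
    }


def check_round_trip(request_url, form_html):
    """Cross-check the two legs: wctx must come back unchanged, the token's
    audience must be the wtrealm that was requested, and the token must be signed."""
    req = decode_signin_request(request_url)
    resp = parse_signin_response(form_html)
    problems = []
    if resp["wctx"] != req["wctx"]:
        problems.append("wctx was modified between request and response")
    if resp["audience"] != req["wtrealm"]:
        problems.append(f"audience {resp['audience']!r} != wtrealm {req['wtrealm']!r}")
    if not resp["signed"]:
        problems.append("assertion is not signed")
    return problems
```

When working from a real capture, paste the Fiddler request URL and the response body in place of the constructed values; `check_round_trip` returning an empty list means the three properties the slides call out (wctx passed through unchanged, token scoped to the requested realm, token signed) all hold for that exchange.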
AD FS Cookies (AD FS)
• After authentication with AD FS:
• MSISSelectionPersistent: identifies the authenticating IP-STS
• MSISAuth…: authenticated session cookies
• MSISSignOut: keeps track of all RPs to which the session has authenticated
• MSISLoopDetectionCookie: prevents multiple authentication requests due to a configuration error
• Time-out default: 6 requests for authentication to the same RP within a short space of time
Web App Cookies (Application)
• Multiple FedAuth cookies
• Allow the browser session to remain authenticated to the web application
Demo: Tracing with Fiddler
Communications and trust
• STS: signs the ST with the STS token-signing certificate private key; encrypts it with the RP encryption certificate public key
• RP: decrypts with the RP encryption certificate private key; validates with the STS token-signing certificate public key
• User trusts the website and the STS via SSL certificates
• Certificate path validated and CRL checked
Certificate Issues
• Archived certificates become unusable (fixed!)
• Support for 3rd party CSP (fixed!)
• V3 certificates do not work for token-signing and token-decryption certificates
• Run "certutil -viewstore -v My > cert.txt" and look for KeySpec; KeySpec=0 if the certificate is from a version 3 template
• The same signature verification certificate cannot be used across multiple RPs
Processing Claims Rules
• Claims Provider Trusts: Acceptance Transform rules specify the incoming claims that will be accepted from the claims provider (e.g. AD) and passed to the claims pipeline
• Relying Party Trusts: Issuance Authorization rules specify the users that are permitted to access the relying party (Permit or Deny)
• Relying Party Trusts: Issuance Transform rules. Permit: specifies the claims that will be sent to the relying party in the ST. Deny: not processed
Processing Rules
• Rules execute in order (Rule 1, Rule 2, Rule 3 …): each rule takes from the input claims stream, executes, and produces a result that goes to the output claims stream
• Subsequent rules can process the results of previous rules
• A custom rule can be created to only add the results to the input stream
• Replace the "issue" statement with "add"
Using attribute stores
• A rule extracts values from other attribute stores based on input value(s)
• Attribute stores: AD (automatically added), SQL, LDAP, Forefront Identity Manager, custom attribute stores
• Diagram: Rule 1 takes from the input claims stream, executes the lookup, and its result flows to the output claims stream
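A toy model of the pipeline described on the last two slides, added here as an illustration (not AD FS code, and the `Rule` class is a simplified stand-in for the real claim rule language): rules run in order against an input stream, "issue" puts a rule's result in both the output and the input stream, "add" puts it only in the input stream so later rules can consume it without the relying party ever seeing it, and a rule may look up values in an attribute store keyed by an input claim value. The AD and HR stores are constructed dictionaries and the manager-email claim type is a made-up custom type.

```python
"""Toy AD FS 2.0 claims pipeline: ordered rules, input and output claim streams,
"issue" versus "add", and attribute-store lookups. Added example, not AD FS code;
stores and the custom claim type below are constructed for illustration."""
from dataclasses import dataclass, field

CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
ACCOUNT = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
UPN = CLAIMS + "/upn"
NAME = CLAIMS + "/name"
MANAGER_EMAIL = "http://example.com/claims/manageremail"  # constructed custom claim type


@dataclass(frozen=True)
class Claim:
    type: str
    value: str


@dataclass
class Rule:
    name: str
    match_type: str                  # claim type the rule takes from the input stream
    emit_type: str                   # claim type of the result
    action: str = "issue"            # "issue": output + input; "add": input stream only
    store: dict = field(default_factory=dict)  # attribute store: matched value -> values

    def execute(self, inputs):
        """Take matching claims from the input stream and build this rule's result."""
        results = []
        for claim in inputs:
            if claim.type != self.match_type:
                continue
            if not self.store:                       # pass-through / rename
                results.append(Claim(self.emit_type, claim.value))
            else:                                    # lookup in an attribute store
                for value in self.store.get(claim.value, []):
                    results.append(Claim(self.emit_type, value))
        return results


def run_pipeline(initial_claims, rules):
    """Execute the rules in order; return (input stream, output stream)."""
    inputs = list(initial_claims)
    outputs = []
    for rule in rules:
        results = rule.execute(inputs)
        inputs.extend(results)           # later rules can process this rule's results
        if rule.action == "issue":
            outputs.extend(results)      # only "issue" results reach the relying party
        elif rule.action != "add":
            raise ValueError(f"unknown action {rule.action!r} in rule {rule.name!r}")
    return inputs, outputs


# Constructed attribute stores standing in for AD and for a SQL/LDAP HR store.
AD_STORE = {"EXAMPLE\\alice": ["alice@example.com"]}
HR_STORE = {"alice@example.com": ["bob@example.com"]}


def example_rules(upn_action="add"):
    """Rule 1 derives the UPN (by default with "add", so it is internal only);
    rules 2 and 3 consume that UPN from the input stream and issue to the RP."""
    return [
        Rule("UPN from AD (intermediate)", ACCOUNT, UPN, upn_action, AD_STORE),
        Rule("Manager e-mail from HR store", UPN, MANAGER_EMAIL, "issue", HR_STORE),
        Rule("Name from UPN", UPN, NAME, "issue"),
    ]


def demo(upn_action="add"):
    """Run the pipeline for one AD-authenticated user; returns (inputs, outputs)."""
    return run_pipeline([Claim(ACCOUNT, "EXAMPLE\\alice")], example_rules(upn_action))
```

Running `demo()` shows the point of the slide: the UPN produced by the first rule is present in the input stream, so rules 2 and 3 find it, but it is absent from the output stream; `demo("issue")` switches the first rule back to "issue" and the UPN is then sent to the relying party as well.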
Viewing the claims pipeline
• AD FS 2.0 can be configured to log events into the security log
• Source shown as "AD FS 2.0 Auditing"
• Enables issued claims to be viewed
• Step 1 (on AD FS 2.0 server): via Group or Local Policy, under Security Settings\Local Policies\User Rights Management, add the AD FS service account to the "Generate security audits" properties
• Step 2 (on AD FS 2.0 server): run auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
AD FS 2.0 Security Audits
Step 3 (on AD FS 2.0 server):
Security Audits Event IDs (labels recovered from the diagram)
• AD FS logon: Event ID 4624 (AD user and group SIDs)
• Claims provider input → Acceptance Transform Rules → token issued to AD FS: Event ID 299, issued claims: Event ID 500
• Issuance Authorization Rules: Deny → Event ID 324; Permit → process the Issuance Transform Rules
• Issuance Transform Rules → token issued to the relying party: Event ID 299, issued claims after processing rules: Event ID 500 / Event ID 501 → ST output
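A correlation script added as an example (not a Microsoft tool): it groups the audit events listed above by a per-request activity id, as the summary slide's "match correlation IDs" advice suggests, and reduces each group to a verdict (issued or denied) plus the claims that were issued. The event records are constructed and deliberately minimal; the `activity_id`, `user`, `relying_party` and `claims` fields stand in for whatever your event collector exposes, and the event-ID meanings come from the slide.

```python
"""Correlate AD FS 2.0 security-audit events into one record per token request.
Event IDs per the slide: 4624 logon, 324 issuance authorization denied,
299 token issued, 500/501 issued claims. Added example, not a Microsoft tool;
the records below are constructed and the field names are assumptions."""
from collections import defaultdict

LOGON, DENIED, ISSUED, CLAIMS_A, CLAIMS_B = 4624, 324, 299, 500, 501

# Constructed sample: one permitted request (A1) and one denied request (B7).
SAMPLE_EVENTS = [
    {"id": LOGON, "activity_id": "A1", "user": "EXAMPLE\\alice"},
    {"id": ISSUED, "activity_id": "A1", "relying_party": "https://site1.example.com/Federation/"},
    {"id": CLAIMS_A, "activity_id": "A1", "claims": ["name: alice", "upn: alice@example.com"]},
    {"id": CLAIMS_B, "activity_id": "A1", "claims": ["group: Sales"]},
    {"id": LOGON, "activity_id": "B7", "user": "EXAMPLE\\bob"},
    {"id": DENIED, "activity_id": "B7", "relying_party": "https://site1.example.com/Federation/"},
]


def correlate(events):
    """Group events by activity id and reduce each group to user, RP, outcome, claims."""
    by_activity = defaultdict(lambda: {"user": None, "relying_party": None,
                                       "outcome": "incomplete", "claims": []})
    for ev in events:
        rec = by_activity[ev["activity_id"]]
        if ev["id"] == LOGON:
            rec["user"] = ev["user"]
        elif ev["id"] == DENIED:                 # issuance authorization rules said Deny
            rec["outcome"] = "denied"
            rec["relying_party"] = ev.get("relying_party")
        elif ev["id"] == ISSUED:                 # a token was issued
            rec["outcome"] = "issued"
            rec["relying_party"] = ev.get("relying_party")
        elif ev["id"] in (CLAIMS_A, CLAIMS_B):   # claims after the rules ran
            rec["claims"].extend(ev["claims"])
    return dict(by_activity)


def denied_requests(events):
    """Activity ids whose issuance authorization rules returned Deny."""
    return sorted(a for a, r in correlate(events).items() if r["outcome"] == "denied")


def missing_claims(events, required_prefix):
    """Issued tokens that lack a claim the relying party expects; the match is a
    prefix test on the constructed 'type: value' rendering used above."""
    hits = []
    for activity, rec in correlate(events).items():
        if rec["outcome"] != "issued":
            continue
        if not any(c.startswith(required_prefix) for c in rec["claims"]):
            hits.append(activity)
    return sorted(hits)
```

The two helpers answer the questions that usually start a troubleshooting session: which requests were denied by the authorization rules, and which issued tokens are missing the claim the application complains about. Replace `SAMPLE_EVENTS` with records read from the security log export of your collector.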
Demo: Auditing (Name, Title, Group)
AD FS 2.0 Performance Counters
• AD FS 2.0 performance counters
  • \AD FS 2.0\* (e.g. token requests/sec, federation metadata requests/sec)
  • AD FS 2.0 update rollup introduced a new performance counter and fixed some performance bugs
• WCF performance counters
  • \ServiceModelEndpoint 3.0.0.0(*)\*
  • \ServiceModelOperation 3.0.0.0(*)\*
  • \ServiceModelService 3.0.0.0(*)\*
• Other performance counters
  • \Memory\*, \Processor(*)\*, \Paging File(_Total)\*
  • \Process(Microsoft.IdentityServer.ServiceHost)\*, \Process(lsass)\*, \Process(w3wp)\*, \Process(w3wp#1)\*
  • \APP_POOL_WAS(ADFSAppPool)\*
  • \ASP.NET Applications(_LM_W3SVC_1_ROOT_adfs_ls)\*
  • \Web Service(Default Web Site)\*
  • \.NET CLR Networking(*)\*
  • \Network Interface(*)\*
  • \TCPv4\*, \TCPv6\*
Resources
• AD FS 2.0 update rollup 2
• AD FS 2.0 troubleshooting guide
• AD FS 2.0 SDK (updated in 2012!)
• AD FS 2.0 content map
Summary
• Troubleshooting federation can be tricky
• Key helpers:
  • Event logs: match correlation IDs
  • Trace logs for developers
  • Performance counters
  • Capture tools
  • Security auditing
• While systems are working, run captures and become familiar with the normal operations
• End an argument with ACS
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.