
Troubleshooting Federation, ADFS, and More

Date post: 15-Jan-2015
Upload: microsoft-technet-belgium-and-luxembourg
Description: More info on http://techdays.be.
Transcript
Page 1: Troubleshooting Federation, ADFS, and More

Troubleshooting Federation, AD FS 2.0, and More…

John Craddock, Infrastructure and Security Architect, XTSeminars Ltd

Page 2: Troubleshooting Federation, ADFS, and More

Agenda

• Understand AD FS 2.0 key concepts
• Understand AD FS 2.0 challenges and common issues
• Identify AD FS 2.0 troubleshooting tools and tips and tricks

Page 3: Troubleshooting Federation, ADFS, and More

Key Concepts

Diagram: the user requests a token for AppX from the Identity Provider; the IP-STS issues a Security Token (ST) crafted for AppX and signed by the issuer; AppX, the relying party, trusts the Security Token from the issuer and uses it to authenticate the user.

• Identity Provider (IP): Active Directory, fronted by a Security Token Service (STS)
• User / Subject / Principal: requests a token for AppX
• Issuer (IP-STS): issues a Security Token crafted for AppX; the token is signed by the issuer
• Relying Party (RP) / Resource provider: trusts the Security Token from the issuer
• The Security Token contains claims about the user. For example:
  • Name
  • Group membership
  • User Principal Name (UPN)
  • Email address of user
  • Email address of manager
  • Phone number
  • Other attribute values
• The Security Token "authenticates" the user to the application (AppX authenticates the user)

Page 4: Troubleshooting Federation, ADFS, and More

Working with Partners

Actors: partner user, partner AD FS 2.0 STS & IP, your AD FS 2.0 STS, your Active Directory, your claims-aware app.

Trusts: the app trusts your STS; your STS trusts your partner's STS.

Flow (each hop carries a Security Token, ST):
1. Partner user browses the app
2. Not authenticated: redirect to your STS
3. Home realm discovery at your STS
4. Redirected to the partner STS requesting an ST for the partner user
5. Partner STS authenticates the user
6. Return ST for consumption by your STS
7. Your STS processes the token and returns a new ST
8. Browser sends the token to the app
9. App returns cookies and page

Page 5: Troubleshooting Federation, ADFS, and More

Demo…Federation in action

Page 6: Troubleshooting Federation, ADFS, and More

X-path Query

• Events that belong to one request share a correlation value, shown as the ActivityID in the event details
• Create an XPath form query on that ActivityID
• Or use Find…
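An added example, not part of the presentation: a PowerShell function that applies the same ActivityID XPath filter the Event Viewer XML tab accepts, across the AD FS 2.0 Admin log and the Security log, so every event for one sign-in request is listed together in time order. The log names are the AD FS 2.0 defaults; the GUID is whatever ActivityID the failing event shows, and the one in the usage line is a constructed placeholder.

```powershell
# Added example, not from the slides. Assumes the AD FS 2.0 default log names;
# the ActivityID GUID comes from the details of the event you are investigating.
function Get-AdfsCorrelatedEvents {
    param(
        [Parameter(Mandatory)][guid]$ActivityId,
        [string[]]$LogName = @('AD FS 2.0/Admin', 'Security'),
        [int]$MaxEvents = 500
    )

    # Same XPath the Event Viewer XML filter tab accepts; the ActivityID sits in
    # System/Correlation and is written with surrounding braces.
    $xpath = "*[System[Correlation[@ActivityID='{$ActivityId}']]]"

    $events = foreach ($log in $LogName) {
        Get-WinEvent -LogName $log -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    }

    # One row per event, first line of the message only, oldest first.
    $events |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, LogName, Id, LevelDisplayName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Usage (the GUID here is a constructed placeholder):
Get-AdfsCorrelatedEvents -ActivityId '00000000-0000-0000-0000-000000000000' | Format-Table -AutoSize
```

Run it on the AD FS server; the Security log rows only appear once the security auditing described later in the deck has been enabled.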

Page 7: Troubleshooting Federation, ADFS, and More

Seeing it All – Fiddler is a great tool

Page 8: Troubleshooting Federation, ADFS, and More

Fiddler as a Man in the Middle

• Fiddler can intercept HTTPS traffic
• It creates a certificate that represents the destination website (a spoof certificate)
• The browser will display the certificate as invalid unless it is added to the certificate store
• If you add it to the store, make sure you remove it after testing

Chain: Browser → WinINET → Fiddler → Webserver

Page 9: Troubleshooting Federation, ADFS, and More

Man-In-The-Middle Attack Prevention

• Depending on the client and server versions, Channel Binding Token (CBT) will be enforced to prevent Man-in-the-Middle attacks, and authentication will fail
• For Fiddler SSL interception, temporarily disable CBT on the AD FS server
• Configured through the Configuration Editor for the Default Website\adfs\ls, or via a script:

appcmd.exe set config "Default Web Site/ADFS/ls" -section:system.webServer/security/authentication/windowsAuthentication /extendedProtection.tokenChecking:"None" /extendedProtection.flags:"Proxy" /commit:apphost

Page 10: Troubleshooting Federation, ADFS, and More

First redirect to STS

Decoded redirect URL: https://adfs.example.com/adfs/ls/?wa=wsignin1.0&wtrealm=https://site1.example.com/Federation/&wctx=rm=0&id=passive&ru=%2fFederation%2f&wct=2011-04-15T15:12:28Z

• https://adfs.example.com/adfs/ls/ : AD FS logon endpoint
• wa=wsignin1.0 : action to perform
• wtrealm=https://site1.example.com/Federation/ : security realm of the RP
• wctx=rm=0&id=passive&ru=%2fFederation%2f : consumed by the RP; passed through unchanged by all actors
• wct=2011-04-15T15:12:28Z : time stamp
• %2f decodes to /
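An added example, not from the presentation, that takes a sign-in redirect like the one above apart the way a trace reviewer does: it separates the WS-Federation parameters from the opaque wctx value (which, in the decoded form shown on the slide, carries its own & and = characters), decodes the ru path, and reports the checks worth making: wa is wsignin1.0, wtrealm matches the RP identifier configured in AD FS, wct is fresh enough that clock skew is not in play, and the ru inside wctx is a local path rather than an absolute URL. The URL is the slide's; the expected realm, the age limit and the reference time are caller-supplied assumptions.

```powershell
# Added example, not from the slides. Parses the decoded redirect URL shown
# above; the expected realm and the reference time are supplied by the caller.
Add-Type -AssemblyName System.Web

function Read-WsFedSignInRequest {
    param([Parameter(Mandatory)][string]$Url)

    # Top-level WS-Federation parameter names. Any other key=value after wctx=
    # is part of wctx itself (rm=0&id=passive&ru=...), not a separate parameter.
    $wsFedKeys = 'wa', 'wtrealm', 'wctx', 'wct', 'wreply', 'whr', 'wfresh', 'wauth', 'wp', 'wreq'
    $uri     = [Uri]$Url
    $params  = [ordered]@{}
    $current = $null
    foreach ($piece in $uri.Query.TrimStart('?') -split '&') {
        $key, $value = $piece -split '=', 2
        if ($wsFedKeys -contains $key) {
            $current = $key
            $params[$key] = $value
        } elseif ($current) {
            $params[$current] += "&$piece"
        }
    }

    # wctx is opaque to AD FS but readable by the RP; ParseQueryString also
    # undoes the %2f encoding of ru.
    $ctx = [System.Web.HttpUtility]::ParseQueryString([string]$params['wctx'])
    $issued = $null
    if ($params['wct']) {
        $issued = [datetime]::ParseExact($params['wct'], "yyyy-MM-dd'T'HH:mm:ss'Z'",
            [cultureinfo]::InvariantCulture, 'AssumeUniversal, AdjustToUniversal')
    }

    [pscustomobject]@{
        Endpoint  = $uri.GetLeftPart([UriPartial]::Path)
        Action    = $params['wa']
        Realm     = $params['wtrealm']
        Context   = $params['wctx']
        ReturnUrl = $ctx['ru']
        Issued    = $issued
    }
}

function Test-WsFedSignInRequest {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$ExpectedRealm,
        [datetime]$Now = [datetime]::UtcNow,
        [int]$MaxAgeMinutes = 5
    )
    $req = Read-WsFedSignInRequest -Url $Url
    $issues = @()
    if ($req.Action -ne 'wsignin1.0') { $issues += "wa is '$($req.Action)', expected wsignin1.0" }
    if ($req.Realm -ne $ExpectedRealm) { $issues += "wtrealm '$($req.Realm)' does not match the RP identifier configured in AD FS" }
    if ($req.Issued -and ($Now - $req.Issued).TotalMinutes -gt $MaxAgeMinutes) {
        $issues += "wct is older than $MaxAgeMinutes minutes; check clock skew between the RP and AD FS"
    }
    if ($req.ReturnUrl -and [Uri]::IsWellFormedUriString($req.ReturnUrl, [UriKind]::Absolute)) {
        $issues += "ru '$($req.ReturnUrl)' is an absolute URL; the RP should only honour a local path"
    }
    [pscustomobject]@{ Request = $req; Issues = $issues; Ok = ($issues.Count -eq 0) }
}

# Usage with the slide's URL, evaluated a few seconds after its wct value.
$slideUrl = 'https://adfs.example.com/adfs/ls/?wa=wsignin1.0&wtrealm=https://site1.example.com/Federation/&wctx=rm=0&id=passive&ru=%2fFederation%2f&wct=2011-04-15T15:12:28Z'
Test-WsFedSignInRequest -Url $slideUrl -ExpectedRealm 'https://site1.example.com/Federation/' `
    -Now ([datetime]'2011-04-15T15:13:00Z').ToUniversalTime() | Format-List
```

With the slide's values the result is Ok = True and ReturnUrl = /Federation/; paste a URL copied from a Fiddler session and the Issues list points at the parameter that disagrees with the RP configuration.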

Page 11: Troubleshooting Federation, ADFS, and More

The SAML token is transported in a web page

• The SAML data is always signed; it can be encrypted if required
• Hidden form with POST method; the POST-back URL is defined via the RP configuration in AD FS
• Form contents: the SAML token (SAML claims, Signature, and the X.509 certificate of the signing party, which includes the public key) and wctx=rm=0&id=passive&ru=%2fFederation%2f, unchanged since the initial request
• A Submit button, plus JavaScript to automatically POST the page
• The SAML token begins / ends with saml:Assertion
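An added example, not part of the presentation, that reads the auto-POST page described above the way it appears in a Fiddler capture: it pulls the hidden wa, wresult and wctx fields out of the HTML, HTML-decodes the token, locates the saml:Assertion, and summarises the issuer, validity window, audience, claims, whether a Signature element is present, and the thumbprint (SHA-1 over the DER bytes) of the embedded certificate so it can be compared with the token-signing certificate expected from that issuer. The HTML page and the SAML 1.1 assertion inside it are constructed for the example; the certificate and signature bytes are placeholders, not a real AD FS signing certificate, and the names are assumptions.

```powershell
# Added example, not from the slides. The HTML page and the assertion inside it
# are constructed to resemble the AD FS 2.0 auto-POST page; the X509Certificate
# and SignatureValue are placeholder bytes, not a real signing certificate.
function Read-WsFedResponseForm {
    param([Parameter(Mandatory)][string]$Html)

    # Hidden inputs AD FS writes: wa, wresult (the token) and wctx (echoed back).
    $fields = @{}
    foreach ($m in [regex]::Matches($Html, '<input type="hidden" name="(?<n>\w+)" value="(?<v>[^"]*)"')) {
        $fields[$m.Groups['n'].Value] = [System.Net.WebUtility]::HtmlDecode($m.Groups['v'].Value)
    }

    $xml = [xml]$fields['wresult']
    $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:1.0:assertion')
    $ns.AddNamespace('ds',   'http://www.w3.org/2000/09/xmldsig#')

    # The token begins and ends with saml:Assertion; everything of interest is inside it.
    $assertion  = $xml.SelectSingleNode('//saml:Assertion', $ns)
    $conditions = $assertion.SelectSingleNode('saml:Conditions', $ns)

    $claims = @{}
    foreach ($attr in $assertion.SelectNodes('saml:AttributeStatement/saml:Attribute', $ns)) {
        $type = $attr.GetAttribute('AttributeNamespace') + '/' + $attr.GetAttribute('AttributeName')
        $claims[$type] = @($attr.SelectNodes('saml:AttributeValue', $ns) | ForEach-Object { $_.InnerText })
    }

    # Thumbprint of the embedded certificate = SHA-1 over its DER bytes; compare
    # it with the token-signing certificate recorded for the claims provider.
    $thumbprint = $null
    $certNode = $assertion.SelectSingleNode('ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)
    if ($certNode) {
        $der = [Convert]::FromBase64String($certNode.InnerText)
        $thumbprint = ([System.Security.Cryptography.SHA1]::Create().ComputeHash($der) |
            ForEach-Object { $_.ToString('X2') }) -join ''
    }

    [pscustomobject]@{
        Action                = $fields['wa']
        Context               = $fields['wctx']
        Issuer                = $assertion.GetAttribute('Issuer')
        AssertionId           = $assertion.GetAttribute('AssertionID')
        NotBefore             = $conditions.GetAttribute('NotBefore')
        NotOnOrAfter          = $conditions.GetAttribute('NotOnOrAfter')
        Audience              = $conditions.SelectSingleNode('saml:AudienceRestrictionCondition/saml:Audience', $ns).InnerText
        Signed                = [bool]$assertion.SelectSingleNode('ds:Signature', $ns)
        SigningCertThumbprint = $thumbprint
        Claims                = $claims
    }
}

# Constructed sample: a SAML 1.1 assertion of the shape AD FS 2.0 issues for WS-Federation.
$sampleAssertion = @'
<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"><t:RequestedSecurityToken>
<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_placeholder-assertion-id" Issuer="http://adfs.example.com/adfs/services/trust" IssueInstant="2011-04-15T15:12:30Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2011-04-15T15:12:30Z" NotOnOrAfter="2011-04-15T16:12:30Z"><saml:AudienceRestrictionCondition><saml:Audience>https://site1.example.com/Federation/</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions>
<saml:AttributeStatement><saml:Subject><saml:NameIdentifier>user1@example.com</saml:NameIdentifier></saml:Subject>
<saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"><saml:AttributeValue>user1@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims"><saml:AttributeValue>Domain Users</saml:AttributeValue><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>AQIDBAUGBwg=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
</saml:Assertion></t:RequestedSecurityToken></t:RequestSecurityTokenResponse>
'@

# Constructed sample of the hidden form; the token is HTML-encoded as AD FS does.
$sampleForm = @"
<html><body onload="javascript:document.forms[0].submit()">
<form method="POST" action="https://site1.example.com/Federation/">
<input type="hidden" name="wa" value="wsignin1.0" />
<input type="hidden" name="wresult" value="$([System.Net.WebUtility]::HtmlEncode($sampleAssertion))" />
<input type="hidden" name="wctx" value="rm=0&amp;id=passive&amp;ru=%2fFederation%2f" />
<noscript><input type="submit" value="Submit" /></noscript>
</form></body></html>
"@

Read-WsFedResponseForm -Html $sampleForm | Format-List
```

The Context field should come back as the same rm=0&id=passive&ru=%2fFederation%2f that went out in the first redirect; a changed wctx, an Audience that is not the RP's wtrealm, or a thumbprint that is not the issuer's token-signing certificate each explain a rejected POST on the RP side.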

Page 12: Troubleshooting Federation, ADFS, and More

AD FS Cookies

After authentication with AD FS:
• MSISSelectionPersistent: identifies the authenticating IP-STS
• MSISAuth…: authenticated session cookies
• MSISSignOut: keeps track of all RPs to which the session has authenticated
• MSISLoopDetectionCookie: prevents multiple authentication requests due to a configuration error. Time-out default: 6 requests for authentication to the same RP within a short space of time

Page 13: Troubleshooting Federation, ADFS, and More

Web App Cookies

• Multiple FedAuth cookies: allow the browser session to remain authenticated to the web application

Page 14: Troubleshooting Federation, ADFS, and More

Demo…Tracing with Fiddler

Page 15: Troubleshooting Federation, ADFS, and More

Processing claims in ADFS

Page 16: Troubleshooting Federation, ADFS, and More

Processing Claims Rules

Claims Pipeline

AD → Claims Provider Trusts (Acceptance Transform rules) → Relying Party Trusts (Issuance Authorization rules: Permit or Deny, then Issuance Transform rules) → ST → RP

• Claims Provider Trusts, Acceptance Transform rules: specify the incoming claims that will be accepted from the claims provider and passed to the pipeline
• Relying Party Trusts, Issuance Authorization rules: specify the users that are permitted to access the relying party. Permit: processing continues to the Issuance Transform rules, which specify the claims that will be sent to the relying party. Deny: not processed

Page 17: Troubleshooting Federation, ADFS, and More

Processing Rules

• Subsequent rules can process the results of previous rules
• A custom rule can be created to only add the results to the input stream: replace the "issue" statement with "add"

Diagram: Rule 1, Rule 2 and Rule 3 run in sequence; each takes from the input claims stream, executes the rule, and its result goes to the output claims stream and is also placed back in the input claims stream for the rules that follow.

Page 18: Troubleshooting Federation, ADFS, and More

Using attribute stores

• A rule extracts values from other attribute stores based on input value(s)
• Attribute stores: AD, LDAP, SQL, custom attribute stores, Forefront Identity Manager

Diagram: Rule 1 takes from the input claims stream, executes the rule against the attribute store, and its result goes to the output claims stream; it is automatically added to the input claims stream as well.
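An added example, not part of the presentation, covering both the "replace issue with add" point and the attribute-store lookup: a set of three issuance transform rules in the AD FS claim rule language, applied to a relying party trust with the AD FS 2.0 PowerShell snap-in. Rule 1 queries Active Directory for the department attribute and uses add, so the temporary claim lands in the input stream only; Rule 2 reads that temporary claim and issues a role; Rule 3 passes the email claim through. The relying party name, the temporary claim type http://temp/department and the department value are assumptions; the cmdlets assume the Microsoft.Adfs.PowerShell snap-in that ships with AD FS 2.0.

```powershell
# Added example, not from the slides. Assumes the AD FS 2.0 PowerShell snap-in
# and a relying party trust named "Site1 Federation app" (placeholder name).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$issuanceRules = @'
@RuleName = "Rule 1: look up department in AD and ADD it to the input stream only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://temp/department"), query = ";department;{0}", param = c.Value);

@RuleName = "Rule 2: consume the temporary claim; only this result reaches the output stream"
c:[Type == "http://temp/department", Value == "Finance"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "FinanceUsers");

@RuleName = "Rule 3: pass the email claim through unchanged"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);
'@

function Set-Site1IssuanceRules {
    param([string]$RelyingParty = 'Site1 Federation app')
    Set-ADFSRelyingPartyTrust -TargetName $RelyingParty -IssuanceTransformRules $issuanceRules
    # Read back what AD FS stored. "http://temp/department" never appears in a
    # token for this RP because only issue() writes to the output stream.
    (Get-ADFSRelyingPartyTrust -TargetName $RelyingParty).IssuanceTransformRules
}

Set-Site1IssuanceRules
```

With security auditing enabled (next section), the Event ID 500 entry for a request to this RP lists the role and email claims but not the temporary department claim, which is the quickest way to confirm that an add rule is doing what was intended.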

Page 19: Troubleshooting Federation, ADFS, and More

Viewing the claims pipeline

• AD FS 2.0 can be configured to log events into the security log
• Source shown as AD FS 2.0 Auditing
• Enables issued claims to be viewed

Step 1 (on AD FS 2.0 server): via Group or Local Policy, under Security Settings\Local Policies\User Rights Management, add the ADFS service account to the "Generate security audits" properties

Step 2 (on AD FS 2.0 server): run

auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable

Page 20: Troubleshooting Federation, ADFS, and More

AD FS 2.0 Security Audits

Step3 (on AD FS 2.0 server):

Page 21: Troubleshooting Federation, ADFS, and More

Security Audits Event IDs

• Event ID 4624: ADFS logon
• Claims provider → Acceptance Transform Rules: input (AD user and group SIDs) logged as Event ID 501; output logged as Event ID 500; token issued to AD FS logged as Event ID 299
• Issuance Authorization Rules: Deny logged as Event ID 324; Permit: process the Issuance Rules
• Issuance Transform Rules: input; issued claims after processing rules logged as Event ID 500; token issued to the relying party (ST) logged as Event ID 299
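An added example, not part of the presentation: PowerShell that reads the AD FS 2.0 Auditing events the steps above enable (IDs 299, 324, 500 and 501 from the Security log) and groups them by ActivityId, so each request shows up as one line with its pipeline stages in order and a flag for requests denied by the issuance authorization rules. The provider name and log are taken from the slides; the stage labels are mine, and the code assumes PowerShell 3.0 or later.

```powershell
# Added example, not from the slides. Reads the AD FS 2.0 Auditing events that
# the preceding steps enable and groups them per request. Assumes the default
# Security log, the provider name shown on the slide, and PowerShell 3.0+.
function Get-AdfsAuditTrail {
    param(
        [datetime]$Since = (Get-Date).AddHours(-1),
        [int]$MaxEvents = 1000
    )
    # Stage labels follow the event ID diagram above.
    $stage = @{
        501 = 'input claims from claims provider'
        500 = 'claims after rule processing'
        299 = 'token issued'
        324 = 'issuance authorization DENY'
    }
    Get-WinEvent -ErrorAction SilentlyContinue -MaxEvents $MaxEvents -FilterHashtable @{
        LogName      = 'Security'
        ProviderName = 'AD FS 2.0 Auditing'
        Id           = 299, 324, 500, 501
        StartTime    = $Since
    } | ForEach-Object {
        [pscustomobject]@{
            Time       = $_.TimeCreated
            ActivityId = $_.ActivityId
            Id         = $_.Id
            Stage      = $stage[$_.Id]
            Message    = $_.Message
        }
    }
}

function Show-AdfsClaimsPipeline {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-AdfsAuditTrail -Since $Since |
        Group-Object ActivityId |
        ForEach-Object {
            $steps = @($_.Group | Sort-Object Time)
            [pscustomobject]@{
                ActivityId = $_.Name
                Denied     = [bool]($steps | Where-Object { $_.Id -eq 324 })
                Sequence   = ($steps | ForEach-Object { "$($_.Id) $($_.Stage)" }) -join ' -> '
                Start      = $steps[0].Time
            }
        } | Sort-Object Start
}

# Denied requests (Event ID 324) are the ones to open first; drop the
# Where-Object to see every request's stage sequence.
Show-AdfsClaimsPipeline | Where-Object { $_.Denied } | Format-Table -AutoSize
```

The Message of the Event ID 500 entry carries the claim list itself, so once a request's ActivityId is known, `Get-AdfsAuditTrail | Where-Object { $_.ActivityId -eq '<guid>' } | Select-Object -ExpandProperty Message` shows exactly which claims reached the relying party.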

Page 22: Troubleshooting Federation, ADFS, and More

Demo…Auditing

Page 23: Troubleshooting Federation, ADFS, and More

AD FS 2.0 Performance Counters

• AD FS 2.0 performance counters: \AD FS 2.0\* (e.g. token requests/sec, federation metadata requests/sec)
• The AD FS 2.0 update rollup introduced a new performance counter and fixed some performance bugs
• WCF performance counters: \ServiceModelEndpoint 3.0.0.0(*)\*, \ServiceModelOperation 3.0.0.0(*)\*, \ServiceModelService 3.0.0.0(*)\*
• Other performance counters: \Memory\*, \Processor(*)\*, \Paging File(_Total)\*, \Process(Microsoft.IdentityServer.ServiceHost)\*, \Process(lsass)\*, \Process(w3wp)\*, \Process(w3wp#1)\*, \APP_POOL_WAS(ADFSAppPool)\*, \ASP.NET Applications(_LM_W3SVC_1_ROOT_adfs_ls)\*, \Web Service(Default Web Site)\*, \.NET CLR Networking(*)\*, \Network Interface(*)\*, \TCPv4\*, \TCPv6\*
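An added example, not part of the presentation: a capture routine for a subset of the counters listed above that samples for a short window, optionally writes the raw samples to a .blg for later comparison, and prints the average and peak per counter. The counter paths are from the slide; the sample count, interval, and the baseline file path are assumptions, and the point of the optional file is the advice in the summary that follows: capture while the system is healthy so there is something to compare a bad day against.

```powershell
# Added example, not from the slides. Captures some of the counters listed
# above and summarises them; the baseline path is a placeholder.
function Get-AdfsCounterSummary {
    param(
        [int]$SampleCount = 6,
        [int]$IntervalSeconds = 10,
        [string]$BaselineFile   # optional .blg to keep, e.g. 'C:\perf\adfs-baseline.blg' (placeholder)
    )
    $paths = @(
        '\AD FS 2.0\*',
        '\ServiceModelService 3.0.0.0(*)\*',
        '\Process(Microsoft.IdentityServer.ServiceHost)\% Processor Time',
        '\Process(Microsoft.IdentityServer.ServiceHost)\Private Bytes',
        '\Process(w3wp*)\% Processor Time',
        '\APP_POOL_WAS(ADFSAppPool)\*',
        '\Memory\Available MBytes',
        '\Processor(_Total)\% Processor Time'
    )
    $data = Get-Counter -Counter $paths -SampleInterval $IntervalSeconds -MaxSamples $SampleCount -ErrorAction SilentlyContinue
    if ($BaselineFile) {
        # Raw samples in Performance Monitor's own format, so they can be opened
        # side by side with a capture taken while troubleshooting.
        $data | Export-Counter -Path $BaselineFile -FileFormat blg -Force
    }

    $data |
        Select-Object -ExpandProperty CounterSamples |
        Group-Object Path |
        ForEach-Object {
            $m = $_.Group | Measure-Object CookedValue -Average -Maximum
            [pscustomobject]@{
                Counter = $_.Name
                Average = [math]::Round($m.Average, 2)
                Max     = [math]::Round($m.Maximum, 2)
            }
        } | Sort-Object Counter
}

Get-AdfsCounterSummary | Format-Table -AutoSize
```

One minute of samples is enough for a quick look; for a baseline, lengthen the interval and count so the .blg spans a normal busy period.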

Page 24: Troubleshooting Federation, ADFS, and More

Resources

• AD FS 2.0 update rollup 2
• AD FS 2.0 troubleshooting guide
• AD FS 2.0 SDK (updated in 2012!)
• AD FS 2.0 content map

Page 25: Troubleshooting Federation, ADFS, and More

Summary

• Troubleshooting federation can be tricky
• Key helpers: event logs (match correlation IDs), trace logs for developers, performance counters, capture tools, security auditing
• While systems are working, run captures and become familiar with the normal operations
• End an argument with Windows Azure Access Control Service (ACS)

Page 26: Troubleshooting Federation, ADFS, and More

TechEd 2013

I will be speaking at TechEd 2013: Precon: Windows Server DirectAccess; other breakouts

Page 27: Troubleshooting Federation, ADFS, and More

Consulting services on request

[email protected]

John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems with a focus on security and high-availability. A key player in many IT projects for industry leaders including Microsoft, the UK Government and multi-nationals that require optimized IT systems. Developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory Internals, presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars. www.xtseminars.co.uk

John Craddock, Infrastructure and Security Architect, XTSeminars Ltd

