Troubleshooting Federation, ADFS, and More
Agenda

• Understand AD FS 2.0 key concepts
• Understand AD FS 2.0 challenges and common issues
• Identify AD FS 2.0 troubleshooting tools and tips and tricks
Key Concepts

Diagram: token issuance between the user, the issuer and the application
• Issuer (IP-STS): the Identity Provider (IP) and Security Token Service (STS); authenticates the user against Active Directory
• User / Subject / Principal: requests a token for AppX from the issuer
• The issuer issues a Security Token (ST) crafted for AppX
• The Security Token "authenticates" the user to the application
• AppX, the Relying Party (RP) / Resource provider, trusts the Security Token from the issuer

The Security Token
• Contains claims about the user, for example:
  • Name
  • Group membership
  • User Principal Name (UPN)
  • Email address of user
  • Email address of manager
  • Phone number
  • Other attribute values
• Signed by issuer
Working with Partners

Diagram: your claims-aware app, your AD FS 2.0 STS, and the partner's AD FS 2.0 STS & IP (backed by the partner's Active Directory)
• The app trusts your STS
• Your STS trusts your partner's STS

Flow for a partner user:
1. Partner user browses the app
2. Not authenticated: redirected to your STS
3. Home realm discovery
4. Redirected to the partner STS, requesting an ST for the partner user
5. The partner STS authenticates the user
6. Returns an ST for consumption by your STS
7. Redirected to your STS
8. Your STS processes the token and returns a new ST
9. Token sent to the app
10. The app returns cookies and the page
X-path Query

Diagram: filtering the event log on the correlation identifier
• Use Find… to locate the first related event
• The correlation identifier is shown as the ActivityID
• Create an XPath form query on the ActivityID
Seeing it All – Fiddler is a great tool

Fiddler as a Man in the Middle
• Fiddler can intercept HTTPS traffic
• Creates a certificate that represents the destination website
• The browser will display the certificate as invalid unless it is added to the certificate store
• If you add it to the store, make sure you remove it after testing
Man-In-The-Middle Attack Prevention

• Depending on the client and server versions, Channel Binding Token (CBT) will be enforced to prevent Man-in-the-middle attacks, and authentication will fail
• For Fiddler SSL interception, temporarily disable CBT on the AD FS server
• Configured through the Configuration Editor for the Default Web Site\adfs\ls or via a script:

    appcmd.exe set config "Default Web Site/ADFS/ls" -section:system.webServer/security/authentication/windowsAuthentication /extendedProtection.tokenChecking:"None" /extendedProtection.flags:"Proxy" /commit:apphost
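The same change done from PowerShell, as an added example that is not part of the original slides: it records the current Extended Protection values before relaxing them for the Fiddler trace, and puts them back afterwards so CBT is enforced again. It assumes the IIS WebAdministration module (IIS 7.x) and the "Default Web Site/adfs/ls" location used on the slide.

```powershell
# Added example: read, temporarily relax, and restore the Channel Binding
# Token (Extended Protection) setting on the AD FS 2.0 passive endpoint.
# Assumes IIS 7.x with the WebAdministration module on the AD FS server.
Import-Module WebAdministration

$psPath   = 'MACHINE/WEBROOT/APPHOST'                 # same scope as appcmd /commit:apphost
$location = 'Default Web Site/adfs/ls'                # location from the slide
$filter   = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

function Get-IisAttributeValue {
    param([string]$Name)
    $attr = Get-WebConfigurationProperty -PSPath $psPath -Location $location -Filter $filter -Name $Name
    # Enum attributes come back as ConfigurationAttribute objects, strings as plain strings
    if ($attr -and $attr.PSObject.Properties['Value']) { [string]$attr.Value } else { [string]$attr }
}

function Get-AdfsCbtSetting {
    # Returns the tokenChecking / flags pair so it can be restored later
    [pscustomobject]@{
        TokenChecking = Get-IisAttributeValue -Name 'tokenChecking'
        Flags         = Get-IisAttributeValue -Name 'flags'
    }
}

function Set-AdfsCbtSetting {
    param([string]$TokenChecking, [string]$Flags)
    Set-WebConfigurationProperty -PSPath $psPath -Location $location -Filter $filter -Name tokenChecking -Value $TokenChecking
    Set-WebConfigurationProperty -PSPath $psPath -Location $location -Filter $filter -Name flags -Value $Flags
}

# 1. Record what is configured today (normally tokenChecking is Require or Allow)
$before = Get-AdfsCbtSetting
"Before: tokenChecking={0} flags={1}" -f $before.TokenChecking, $before.Flags

# 2. Relax CBT only for the duration of the Fiddler capture (same values as the appcmd line)
Set-AdfsCbtSetting -TokenChecking 'None' -Flags 'Proxy'

# ... run the Fiddler capture here ...

# 3. Restore the recorded values so the protection is enforced again
Set-AdfsCbtSetting -TokenChecking $before.TokenChecking -Flags $before.Flags
"After: tokenChecking={0} flags={1}" -f (Get-AdfsCbtSetting).TokenChecking, (Get-AdfsCbtSetting).Flags
```

Keeping the "before" values in a variable rather than assuming Require is deliberate: the restore step then works whatever the server was configured with.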
First redirect to STS

Decoded redirect URL (%2f decodes to /):
    https://adfs.example.com/adfs/ls/?
    wa=wsignin1.0&
    wtrealm=https://site1.example.com/Federation/&
    wctx=rm=0&id=passive&ru=%2fFederation%2f&
    wct=2011-04-15T15:12:28Z
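Decoding the redirect by hand gets tedious in a long Fiddler trace, so here is an added example (not from the original slides) that unpacks a WS-Federation sign-in redirect, including the nested wctx value that Fiddler shows only partially decoded. The wire-format URL in the script is constructed by re-encoding the decoded URL on the slide; it requires PowerShell 3.0 or later.

```powershell
# Added example: decode a WS-Federation sign-in redirect captured with Fiddler.
# The URL below is a constructed wire form of the slide's decoded URL.
Add-Type -AssemblyName System.Web

function ConvertFrom-QueryString {
    param([string]$Query)
    # ParseQueryString url-decodes keys and values once (%2f becomes /)
    $parsed = [System.Web.HttpUtility]::ParseQueryString($Query.TrimStart('?'))
    $table  = [ordered]@{}
    foreach ($key in $parsed.AllKeys) { $table[$key] = $parsed[$key] }
    $table
}

function ConvertFrom-WsFedRedirect {
    param([string]$Url)
    $uri    = [uri]$Url
    $params = ConvertFrom-QueryString -Query $uri.Query
    $result = [ordered]@{
        Endpoint = $uri.GetLeftPart([UriPartial]::Path)   # the STS sign-in page (/adfs/ls/)
        Action   = $params['wa']                          # wsignin1.0 = sign-in request
        Realm    = $params['wtrealm']                     # identifies the RP to the STS
        Context  = $null
        Time     = $null
    }
    # wctx is the RP's own state, carried as a second url-encoded query string
    # that the RP gets back unchanged together with the token
    if ($params['wctx']) { $result.Context = ConvertFrom-QueryString -Query $params['wctx'] }
    # wct is the client's UTC timestamp; compare it with the STS clock when hunting skew
    if ($params['wct']) {
        $result.Time = [System.Xml.XmlConvert]::ToDateTime($params['wct'], [System.Xml.XmlDateTimeSerializationMode]::Utc)
    }
    [pscustomobject]$result
}

# Constructed wire form of the slide's redirect (values encoded as a browser sends them)
$captured = 'https://adfs.example.com/adfs/ls/?wa=wsignin1.0' +
            '&wtrealm=https%3a%2f%2fsite1.example.com%2fFederation%2f' +
            '&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fFederation%252f' +
            '&wct=2011-04-15T15%3a12%3a28Z'

$decoded = ConvertFrom-WsFedRedirect -Url $captured
$decoded | Format-List          # Realm = https://site1.example.com/Federation/, Time = 15/04/2011 15:12:28 UTC
$decoded.Context                # rm=0, id=passive, ru=/Federation/ (the slide shows ru still as %2fFederation%2f)
```

The wtrealm value is what the STS matches against its relying party trust identifiers, so a realm that decodes to something other than the configured identifier is the first thing to check when the STS answers with an error page.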
The SAML token is transported in a web page

Diagram: the page returned by the STS
• Hidden form with POST method; the POST back URL is defined via the RP configuration in AD FS
• SAML Token: begins / ends with saml:Assertion and carries the SAML claims and the Signature
• X.509 Certificate of the signing party (includes the public key)
• wctx=rm=0&id=passive&ru=%2fFederation%2f& (unchanged since the initial request)
• Submit button
• JavaScript to automatically POST the page
• The SAML data is always signed; it can be encrypted if required
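When a relying party rejects the posted token, the usual suspects are the validity window (clock skew), the audience, and the signing certificate. The following added example (not from the original slides) reads those out of a wresult and lists the claims inside the assertion. The SAML 1.1 assertion is constructed for the example with fake identifiers, a placeholder certificate and no real signature value; the checks are the ones a troubleshooter would run on a token pasted out of Fiddler.

```powershell
# Added example: inspect the wresult that the hidden form POSTs back to the RP.
# The assertion is constructed (fake IDs, placeholder signature and certificate).
$wresult = [xml]@'
<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:RequestedSecurityToken>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
        AssertionID="_constructed-0001" Issuer="http://adfs.example.com/adfs/services/trust" IssueInstant="2011-04-15T15:12:30Z">
      <saml:Conditions NotBefore="2011-04-15T15:12:30Z" NotOnOrAfter="2011-04-15T16:12:30Z">
        <saml:AudienceRestrictionCondition>
          <saml:Audience>https://site1.example.com/Federation/</saml:Audience>
        </saml:AudienceRestrictionCondition>
      </saml:Conditions>
      <saml:AttributeStatement>
        <saml:Subject><saml:NameIdentifier>user1</saml:NameIdentifier></saml:Subject>
        <saml:Attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
          <saml:AttributeValue>User One</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
          <saml:AttributeValue>user1@example.com</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="role" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
          <saml:AttributeValue>Users</saml:AttributeValue>
          <saml:AttributeValue>AppX Admins</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </ds:Signature>
    </saml:Assertion>
  </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>
'@

function Test-SamlToken {
    param([xml]$Wresult, [string]$ExpectedAudience, [datetime]$RpClockUtc)
    $ns = New-Object System.Xml.XmlNamespaceManager($Wresult.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:1.0:assertion')
    $ns.AddNamespace('ds',   'http://www.w3.org/2000/09/xmldsig#')

    $assertion = $Wresult.SelectSingleNode('//saml:Assertion', $ns)
    if (-not $assertion) { throw 'wresult carries no saml:Assertion' }

    $cond      = $assertion.SelectSingleNode('saml:Conditions', $ns)
    $utc       = [System.Xml.XmlDateTimeSerializationMode]::Utc
    $notBefore = [System.Xml.XmlConvert]::ToDateTime($cond.GetAttribute('NotBefore'), $utc)
    $notAfter  = [System.Xml.XmlConvert]::ToDateTime($cond.GetAttribute('NotOnOrAfter'), $utc)
    $audience  = $assertion.SelectSingleNode('saml:Conditions//saml:Audience', $ns).InnerText

    # Claim type = AttributeNamespace + "/" + AttributeName; one claim per AttributeValue
    $claims = foreach ($a in $assertion.SelectNodes('saml:AttributeStatement/saml:Attribute', $ns)) {
        foreach ($v in $a.SelectNodes('saml:AttributeValue', $ns)) {
            [pscustomobject]@{ Type = $a.GetAttribute('AttributeNamespace') + '/' + $a.GetAttribute('AttributeName'); Value = $v.InnerText }
        }
    }

    $certNode = $assertion.SelectSingleNode('ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)
    $certB64  = if ($certNode) { $certNode.InnerText } else { '(none)' }

    [pscustomobject]@{
        Issuer          = $assertion.GetAttribute('Issuer')
        Audience        = $audience
        AudienceMatches = ($audience -eq $ExpectedAudience)        # must equal the RP identifier (wtrealm)
        NotBefore       = $notBefore
        NotOnOrAfter    = $notAfter
        WithinWindow    = ($RpClockUtc -ge $notBefore -and $RpClockUtc -lt $notAfter)   # clock skew shows up here
        Signed          = ($assertion.SelectSingleNode('ds:Signature', $ns) -ne $null)
        SigningCertB64  = $certB64                                  # compare with the token-signing cert the RP trusts
        Claims          = $claims
    }
}

$rpClock = [datetime]::SpecifyKind('2011-04-15T15:20:00', 'Utc')   # constructed RP clock inside the window
$check = Test-SamlToken -Wresult $wresult -ExpectedAudience 'https://site1.example.com/Federation/' -RpClockUtc $rpClock
$check | Format-List
$check.Claims | Format-Table -AutoSize   # four claims: name, emailaddress, and two role values
```

The script reports whether a signature element is present and which certificate it names; it does not verify the signature itself, which the RP's federation library does against the token-signing certificate it has been configured to trust.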
AD FS Cookies

After authentication with AD FS:
• MSISSelectionPersistent: identifies the authenticating IP-STS
• MSISAuth…: authenticated session cookies
• MSISSignOut: keeps track of all RPs to which the session has authenticated
• MSISLoopDetectionCookie: prevents multiple authentication requests due to a configuration error
  Time-out default: 6 requests for authentication to the same RP within a short space of time
Web App Cookies

• Multiple FedAuth cookies
• Allow the browser session to remain authenticated to the web application
Processing claims in ADFS

Processing Claims Rules

Diagram: AD -> Claims Provider Trusts -> Claims Pipeline -> Relying Party Trusts -> ST -> RP
• Claims Provider Trusts: specify incoming claims that will be accepted from the claims provider and passed to the pipeline
• Relying Party Trusts: specify the users that are permitted to access the relying party
  • Permit: specifies claims that will be sent to the relying party
  • Deny: not processed
Processing Rules

Diagram: input claims stream -> rules -> output claims stream
• Subsequent rules can process the results of previous rules
• A custom rule can be created to only add the results to the input stream
  • Replace the "issue" statement with "add"
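The "add" versus "issue" distinction in practice, as an added example that is not part of the original slides: the first rule looks up the user's mail attribute but only adds it to the pipeline, and the second rule consumes that pipeline-only claim to issue a name claim. Only the name claim reaches the relying party. The rules are applied with the AD FS 2.0 PowerShell snap-in; the relying party display name "AppX" is an assumption.

```powershell
# Added example: two claim rules showing "add" (pipeline only) versus "issue"
# (sent to the RP), applied to a relying party trust with the AD FS 2.0 snap-in.
# The RP display name 'AppX' is assumed.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rules = @'
@RuleName = "Look up mail from AD, add it to the pipeline only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "Issue name from the pipeline-only email claim"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Value = c.Value, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
'@

# Replace the RP's issuance transform rule set with the two rules above
Set-ADFSRelyingPartyTrust -TargetName 'AppX' -IssuanceTransformRules $rules

# Read the rule set back to confirm what AD FS stored
(Get-ADFSRelyingPartyTrust -Name 'AppX').IssuanceTransformRules
```

Changing the first rule's "add" to "issue" would send the emailaddress claim to AppX as well; with "add" it exists only inside the pipeline, which is what the security audit (event IDs 500/501, below) lets you confirm by comparing input and output claims.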
Using attribute stores

Diagram: input claims stream -> rule querying an attribute store -> output claims stream
• Attribute stores: AD (automatically added), SQL, LDAP
Viewing the claims pipeline

• AD FS 2.0 can be configured to log events into the security log
• Source shown as AD FS 2.0 Auditing
• Enables issued claims to be viewed

Step 1 (on AD FS 2.0 server):
• Via Group or Local Policy: Security Settings\Local Policies\User Rights Management
• Add the ADFS service account to the "Generate security audits" properties

Step 2 (on AD FS 2.0 server):
• Run
    auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable

AD FS 2.0 Security Audits
Step 3 (on AD FS 2.0 server):
Security Audits Event IDs

Diagram: where the audit events are raised in the claims pipeline
• Logon: Event ID 4624
• Claims provider: input -> Acceptance Transform Rules -> Event ID 299, Event ID 500, Event ID 501
• Relying party: Issuance Authorization Rules -> Deny: Event ID 324; Permit: process -> Issuance Rules (input/output) -> Issuance Transform Rules -> Event ID 299, Event ID 500
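Once auditing is on, the events above can be pulled back out of the Security log and lined up per token request. The following added example (not from the original slides) does that with Get-WinEvent; the provider name and event IDs are those on the slides, while grouping events on the GUID embedded in the event text is an assumption made here.

```powershell
# Added example: read the AD FS 2.0 audit events from the Security log and
# group them per token request. Provider name and IDs are from the slides;
# matching requests on a GUID found in the message text is an assumption.
$auditIds = 299, 500, 501, 324
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ProviderName = 'AD FS 2.0 Auditing'; Id = $auditIds } `
                       -MaxEvents 1000 -ErrorAction SilentlyContinue

$guidPattern = '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'

function Get-AuditRequestId {
    param($Event)
    # Assumption: the first GUID in the message is the identifier shared by
    # the 299/324 event and its 500/501 claim-detail events
    $m = [regex]::Match($Event.Message, $guidPattern)
    if ($m.Success) { $m.Value } else { '(no id)' }
}

# One row per event, ordered so the claim-detail events sit under their request
$rows = foreach ($e in $events) {
    $outcome = if ($e.Id -eq 324) { 'DENIED by authorization rules' }
               elseif ($e.Id -eq 299) { 'token issued' }
               else { 'claims detail' }
    [pscustomobject]@{
        RequestId = Get-AuditRequestId $e
        Time      = $e.TimeCreated
        Id        = $e.Id
        Outcome   = $outcome
        Summary   = ($e.Message -split "`r?`n")[0]     # first line of the audit text
    }
}
$rows | Sort-Object RequestId, Time | Format-Table -AutoSize

# Denials deserve their own list: an issuance authorization rule said no
$rows | Where-Object { $_.Id -eq 324 } | Select-Object Time, RequestId, Summary | Format-Table -AutoSize
```

Run on a healthy server first so the shape of a normal issuance (a 299 with its 500/501 detail events) is familiar before a 324 has to be explained.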
AD FS 2.0 Performance Counters

AD FS 2.0 performance counters
• AD FS 2.0* (e.g. token requests/sec, federation metadata requests/sec)
• The AD FS 2.0 update rollup introduced a new performance counter and fixed some performance bugs
WCF performance counters
• ServiceModelEndpoint 3.0.0.0(*)*
• ServiceModelOperation 3.0.0.0(*)*
• ServiceModelService 3.0.0.0(*)*
Other performance counters
• Memory*, Processor(*)*, Paging File(_Total)*
• Process(Microsoft.IdentityServer.ServiceHost) (lsass) (w3wp) (w3wp#1)*
• APP_POOL_WAS(ADFSAppPool)*
• ASP.NET Applications(_LM_W3SVC_1_ROOT_adfs_ls)*
• Web Service(Default Web Site)*
• .NET CLR Networking(*)*
• Network Interface(*)*
• TCPv4*, TCPv6*
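A baseline capture of these counters, taken while the system is healthy, as an added example that is not part of the original slides: it samples a selection of the counters listed above, saves them to a .blg for later comparison in Performance Monitor, and prints per-counter averages. The output path, the sample interval and the 'AD FS 2.0*' counter set name are assumptions.

```powershell
# Added example: capture a one-minute baseline of AD FS related counters,
# keep the .blg, and summarize averages. Path, interval and the
# 'AD FS 2.0*' counter set name are assumptions.
$counters = @(
    '\Memory\Available MBytes'
    '\Processor(_Total)\% Processor Time'
    '\Process(Microsoft.IdentityServer.ServiceHost)\% Processor Time'
    '\Process(Microsoft.IdentityServer.ServiceHost)\Private Bytes'
    '\Process(lsass)\% Processor Time'
    '\ASP.NET Applications(_LM_W3SVC_1_ROOT_adfs_ls)\Requests/Sec'
    '\Web Service(Default Web Site)\Current Connections'
    '\TCPv4\Connections Established'
)
# Discover the AD FS counter paths (token requests/sec etc.) instead of hard-coding them
Get-Counter -ListSet 'AD FS 2.0*' -ErrorAction SilentlyContinue | ForEach-Object { $counters += $_.Paths }

# Twelve samples five seconds apart: one minute of "normal"
$samples = Get-Counter -Counter $counters -SampleInterval 5 -MaxSamples 12 -ErrorAction SilentlyContinue

# Keep the raw samples for Performance Monitor comparison after an incident
$baselineDir = 'C:\Baselines'                                   # assumed location
New-Item -ItemType Directory -Path $baselineDir -Force | Out-Null
$samples | Export-Counter -Path (Join-Path $baselineDir 'adfs-baseline.blg') -FileFormat blg -Force

# Per-counter average and maximum over the capture
$samples.CounterSamples | Group-Object Path | ForEach-Object {
    $stats = $_.Group | Measure-Object CookedValue -Average -Maximum
    [pscustomobject]@{
        Counter = $_.Name
        Average = [math]::Round($stats.Average, 2)
        Max     = [math]::Round($stats.Maximum, 2)
    }
} | Sort-Object Counter | Format-Table -AutoSize
```

Re-running the same script during a problem and diffing the averages against the saved baseline is usually quicker than reading raw counters cold.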
Resources

• AD FS 2.0 update rollup 2
• AD FS 2.0 troubleshooting guide
• AD FS 2.0 SDK (updated in 2012!)
• AD FS 2.0 content map
Summary

Troubleshooting federation can be tricky
Key helpers:
• Event logs – match correlation IDs
  • Trace logs for developers
• Performance counters
• Capture tools
• Security auditing
While systems are working, run captures and become familiar with normal operations
End an argument with Windows Azure Access Control Service (ACS)
TechEd 2013

I will be speaking at TechEd 2013
• Precon: Windows Server DirectAccess
• Other breakouts
Consulting services on request

                         John.craddock@xtseminars.co.uk
                John has designed and implemented computing systems ranging
                from high-speed industrial controllers through to distributed IT
                systems with a focus on security and high-availability. A key player
                in many IT projects for industry leaders including Microsoft, the UK
                Government and multi-nationals that require optimized IT systems.
                Developed technical training courses that have been published
                worldwide, co-authored a highly successful book on Microsoft
                Active Directory Internals, presents regularly at major international
                conferences including TechEd, IT Forum and European summits.
                John can be engaged as a consultant or booked for speaking
                engagements through XTSeminars. www.xtseminars.co.uk

Why Teams call analytics are critical to your entire businesspanagenda
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 

Dernier (20)

MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 

Troubleshooting Federation, ADFS, and More

  • 2. Agenda
      • Understand AD FS 2.0 key concepts
      • Understand AD FS 2.0 challenges and common issues
      • Identify AD FS 2.0 troubleshooting tools and tips and tricks
  • 3. Key Concepts
      • User / Subject / Principal: authenticates to the issuer and requests a token for AppX
      • Issuer IP-STS: Identity Provider (IP) and Security Token Service (STS), backed by Active Directory; authenticates the user and issues a Security Token (ST) crafted for AppX
      • The Security Token: contains claims about the user, for example Name, Group membership, User Principal Name (UPN), Email address of user, Email address of manager, Phone number, Other attribute values; signed by the issuer
      • AppX: Relying party (RP) / Resource provider; trusts the Security Token from the issuer. The Security Token “authenticates” the user to the application
  • 4. Working with Partners
      Parties: your claims-aware app, your AD FS 2.0 STS, and the partner's AD FS 2.0 STS & IP (backed by the partner's Active Directory). The app trusts your STS; your STS trusts the partner's STS.
      Flow for a partner user:
      • Browse app: not authenticated, redirect to your STS
      • Home realm discovery at your STS
      • Redirected to partner STS requesting ST for partner user
      • Partner STS authenticates the user and returns ST for consumption by your STS
      • Redirected to your STS; your STS processes the token and returns a new ST
      • Send token to the app; app returns cookies and page
  • 6. X-path Query: use Find…; the value is shown as the ActivityID; create an XPath form query
  • 7. Seeing it All – Fiddler is a great tool
  • 8. Fiddler as a Man in the Middle
      • Fiddler can intercept HTTPS traffic
      • Creates a certificate that represents the destination website; the browser will display the certificate as invalid unless it is added to the certificate store
      • If you add it to the store, make sure you remove it after testing
  • 9. Man-In-The-Middle Attack Prevention
      • Depending on the client and server versions, Channel Binding Token (CBT) will be enforced to prevent man-in-the-middle attacks, so authentication through an interception proxy will fail
      • For Fiddler SSL interception, temporarily disable CBT on the AD FS server
      • Configured through the Configuration Editor for Default Web Site\adfs\ls or via a script:
        appcmd.exe set config "Default Web Site/ADFS/ls" -section:system.webServer/security/authentication/windowsAuthentication /extendedProtection.tokenChecking:"None" /extendedProtection.flags:"Proxy" /commit:apphost
  • 10. First redirect to STS
      Decoded redirect URL (%2f decodes to /):
        https://adfs.example.com/adfs/ls/?
          wa=wsignin1.0&
          wtrealm=https://site1.example.com/Federation/&
          wctx=rm=0&id=passive&ru=%2fFederation%2f&
          wct=2011-04-15T15:12:28Z
  • 11. The SAML token is transported in a web page
      • Hidden form with POST method; the POST back URL is defined via the RP configuration in ADFS
      • JavaScript automatically POSTs the page (Submit button)
      • wctx=rm=0&id=passive&ru=%2fFederation%2f& is unchanged since the initial request
      • SAML Token: begins / ends with saml:Assertion; contains the SAML claims, the Signature and the X.509 Certificate of the signing party (includes public key)
      • The SAML data is always signed; it can be encrypted if required
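An added example (not from the deck) that decodes the wsignin1.0 redirect from slide 10 and checks that the wctx echoed back in the STS response form (slide 11) is unchanged; the redirect URL and the auto-POST page are constructed samples, encoded as they travel on the wire.

```python
from datetime import datetime, timedelta
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample of the first redirect, as it travels on the wire: the RP URL-encodes
# the whole wctx value, so its '&' and the '%2f' in ru appear doubly encoded.
REDIRECT = ("https://adfs.example.com/adfs/ls/?wa=wsignin1.0"
            "&wtrealm=https%3a%2f%2fsite1.example.com%2fFederation%2f"
            "&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fFederation%252f"
            "&wct=2011-04-15T15%3a12%3a28Z")
# Constructed sample of the auto-POST page the STS returns (wresult shortened, not a real token).
POST_PAGE = ('<form method="POST" action="https://site1.example.com/Federation/">'
             '<input type="hidden" name="wa" value="wsignin1.0"/>'
             '<input type="hidden" name="wresult" value="&lt;t:RequestSecurityTokenResponse ...&gt;"/>'
             '<input type="hidden" name="wctx" value="rm=0&amp;id=passive&amp;ru=%2fFederation%2f"/>'
             '</form>')

def parse_wsfed_redirect(url):
    """Return the WS-Federation parameters of a passive sign-in redirect: 'wctx_raw' is the
    context decoded once (what the STS must echo back), 'wctx' splits it into rm, id and ru."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    params["wctx_raw"] = params.pop("wctx", "")
    params["wctx"] = {k: v[0] for k, v in parse_qs(params["wctx_raw"]).items()}
    return params

def check_signin_request(url, expected_realm, now_utc, max_skew=timedelta(minutes=5)):
    """List what looks wrong; now_utc is in the wct format, e.g. '2011-04-15T15:13:00Z'."""
    p = parse_wsfed_redirect(url)
    findings = []
    if p.get("wa") != "wsignin1.0":
        findings.append("wa is %r, expected wsignin1.0" % p.get("wa"))
    if p.get("wtrealm") != expected_realm:
        findings.append("wtrealm %r does not match the RP identifier" % p.get("wtrealm"))
    if "wct" in p:
        fmt = "%Y-%m-%dT%H:%M:%SZ"
        skew = abs(datetime.strptime(now_utc, fmt) - datetime.strptime(p["wct"], fmt))
        if skew > max_skew:
            findings.append("wct is %s away from our clock (clock skew between RP and STS?)" % skew)
    return findings

class HiddenFields(HTMLParser):
    """Collect the hidden <input> fields (wa, wresult, wctx) of the STS response form."""
    def __init__(self):
        super().__init__()
        self.fields = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden":
            self.fields[a["name"]] = a.get("value", "")

def wctx_unchanged(redirect_url, post_page_html):
    """True when the wctx the STS echoes back equals the one the RP sent (slide 11)."""
    h = HiddenFields()
    h.feed(post_page_html)
    return h.fields.get("wctx") == parse_wsfed_redirect(redirect_url)["wctx_raw"]
```

A wctx that comes back changed, or a wct far from the server clock, is a quick pointer to a misconfigured RP or clock skew before digging into the event logs.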
  • 12. AD FS Cookies After Authentication with AD FS
      • MSISSelectionPersistent: identifies the authenticating IP-STS
      • MSISAuth…: authenticated session cookies
      • MSISSignOut: keeps track of all RPs to which the session has authenticated
      • MSISLoopDetectionCookie: prevents multiple authentication requests due to a configuration error. Time-out default: 6 requests for authentication to the same RP within a short space of time
  • 13. Web App Cookies
      • Multiple FedAuth cookies
      • Allows the browser session to remain authenticated to the web application
  • 16. Processing Claims Rules (the Claims Pipeline, from AD to the ST)
      • Claims Provider Trusts (AD): specify incoming claims that will be accepted from the claims provider and passed to the pipeline
      • Relying Party Trusts (RP): specify the users that are permitted to access the relying party (Permit, or Deny: not processed further), and specify the claims that will be sent to the relying party
  • 17. Processing Rules
      • Rules read from the input claims stream and write to the output claims stream
      • Subsequent rules can process the results of previous rules
      • A custom rule can be created to only add the results to the input stream: replace the “issue” statement with “add”
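An added example, not from the deck, that simulates the rule processing of slides 16 and 17 with a small interpreter for a subset of the AD FS claim rule language (Type/Value conditions, issue and add); the rule set and claim values are constructed, and "http://example.com/role" is a made-up claim type.

```python
import re

# Constructed rule set in a subset of the AD FS claim rule language.
# Rule 1 uses add(): its result goes only to the input stream, so later rules can
# see it but it is never sent to the relying party. Rule 2 issues from that result.
RULES = [
    'c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "Finance"]'
    ' => add(Type = "http://example.com/role", Value = "finance-user");',
    'c:[Type == "http://example.com/role"]'
    ' => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = c.Value);',
]

RULE_RE = re.compile(r'(?:c:\[(?P<cond>[^\]]*)\]\s*=>\s*)?(?P<act>issue|add)\((?P<args>[^)]*)\);')
COND_RE = re.compile(r'(Type|Value)\s*==\s*"([^"]*)"')
ARG_RE = re.compile(r'(Type|Value)\s*=\s*(?:"([^"]*)"|c\.(Type|Value))')
FIELD = {"Type": 0, "Value": 1}          # a claim is modelled as a (type, value) tuple

def parse_rule(text):
    """Split one rule into (conditions, action, arguments); only the subset above is supported."""
    m = RULE_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    conds = dict(COND_RE.findall(m["cond"] or ""))
    args = {k: ("c." + ref if ref else lit) for k, lit, ref in ARG_RE.findall(m["args"])}
    return conds, m["act"], args

def resolve(spec, claim):
    """An argument is either a literal or 'c.Type'/'c.Value' copied from the matched claim."""
    return claim[FIELD[spec[2:]]] if spec.startswith("c.") else spec

def run_pipeline(rules, incoming):
    """Run the rules in order over the input stream; return the output stream (claims for the RP)."""
    inp, out = list(incoming), []
    for text in rules:
        conds, action, args = parse_rule(text)
        matched = [c for c in inp if all(c[FIELD[k]] == v for k, v in conds.items())] if conds else [None]
        for c in matched:
            new = (resolve(args["Type"], c), resolve(args["Value"], c))
            if new not in inp:
                inp.append(new)              # both issue and add feed later rules
            if action == "issue" and new not in out:
                out.append(new)              # only issue reaches the relying party
    return out
```

Swapping add( for issue( in the first rule puts the intermediate role claim into the output stream as well, which is exactly the difference the slide describes.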
  • 18. Using attribute stores
      • Rules still read from the input claims stream and write to the output claims stream
      • Attribute stores: AD (automatically added), SQL, LDAP
  • 19. Viewing the claims pipeline
      • AD FS 2.0 can be configured to log events into the security log; the source is shown as AD FS 2.0 Auditing; this enables issued claims to be viewed
      • Step 1 (on AD FS 2.0 server): via Group or Local Policy, under Security Settings\Local Policies\User Rights Management, add the ADFS service account to the “Generate security audits” properties
      • Step 2 (on AD FS 2.0 server): run auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
  • 20. AD FS 2.0 Security Audits. Step 3 (on AD FS 2.0 server):
  • 21. Security Audits Event IDs (diagram): Logon: Event ID 4624. Claims provider input passes through the Acceptance Transform Rules; the Issuance Authorization Rules then Permit (process continues) or Deny (Event ID 324); the Issuance Transform Rules produce the output. Event IDs 299, 500 and 501 mark the stages of the claims pipeline.
  • 23. AD FS 2.0 Performance Counters
      • AD FS 2.0 performance counters: AD FS 2.0* (ex. token requests/sec, federation metadata requests/sec); the AD FS 2.0 update rollup introduced a new performance counter and fixed some performance bugs
      • WCF performance counters: ServiceModelEndpoint 3.0.0.0(*)*, ServiceModelOperation 3.0.0.0(*)*, ServiceModelService 3.0.0.0(*)*
      • Other performance counters: Memory*, Processor(*)*, Paging File(_Total)*, Process(Microsoft.IdentityServer.ServiceHost) (lsass) (w3wp) (w3wp#1)*, APP_POOL_WAS(ADFSAppPool)*, ASP.NET Applications(_LM_W3SVC_1_ROOT_adfs_ls)*, Web Service(Default Web Site)*, .NET CLR Networking(*)*, Network Interface(*)*, TCPv4*, TCPv6*
  • 24. Resources
      • AD FS 2.0 update rollup 2
      • AD FS 2.0 troubleshooting guide
      • AD FS 2.0 SDK (updated in 2012!)
      • AD FS 2.0 content map
  • 25. Summary
      • Troubleshooting federation can be tricky
      • Key helpers: Event logs – match correlationIDs; Trace logs for developers; Performance counters; Capture tools; Security auditing
      • While systems are working, run captures and become familiar with the normal operations
      • End an argument with Windows Azure Access Control Service (ACS)
  • 26. TechEd 2013
      • I will be speaking at TechEd 2013
      • Precon: Windows Server DirectAccess
      • Other breakouts
  • 27. Consulting services on request: John.craddock@xtseminars.co.uk
      John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems with a focus on security and high-availability. He has been a key player in many IT projects for industry leaders, including Microsoft, the UK Government and multi-nationals that require optimized IT systems. He has developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory Internals, and presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars. www.xtseminars.co.uk