Tuesday, May 7, 2019

ADFS snippets

Terminology: source ITFreeTraining

:Account Partner - the organisation that holds the user accounts.
:Resource Partner - the organisation that holds the resources.
:Claims - statements about the user, issued by the authenticating company.
:Relying Party trust - used by ADFS to issue claims.
:Claims Provider trust - configured on the side that accepts claims; the Relying Party trust sits on the other side.
:Account Federation Server - the federation server that issues tokens.
:Federation Metadata - uses SAML 2.0.
:ADFS Config DB - required to run ADFS; stores the ADFS instance configuration.
:Primary Federation Server - the first server added to the farm; it holds the read/write copy of the Config DB, the other servers hold read-only copies.
:Relying Party - the Resource Partner Org.
:Resource Federation Server - sits in the Resource Org; accepts the claim (embedded in the security token) provided by the Account Federation Server and replaces it with a new claim (which resource is to be accessed).
:Claims Aware Application - accepts the claim and provides the resource. Ex: Office 365.
:Web Application Proxy - located in the DMZ; provides communication between the internet and ADFS.
:Private key length for ADFS suggested by MS is 2048.
:Relying Party trust can be created between two ADFS deployments or between ADFS and a claims-aware app.
:Relying Party trust has three kinds of rules:
Issuance Authorization rules - define who can have a claim created for them. Ex: only domain users, only users with a specific email, allow only external users and block internal users.
Issuance Transform rules - define what data is put into the claim. You can use multiple sources such as AD, a SQL store, AD LDS, etc.
The data can also be changed if required. Ex:
> Role in Company is required and is obtained from Job Title, but if the title is not set you can create a rule that sets it to a fixed value in the claim.
> If the user name ends with .local you can change it to .com.
Delegation Authorization rules - allow a user to be impersonated, for when the user does not have direct access to the claims-aware app/server. Improves security.
:Claims Provider Trust - the configuration used when accepting claims.
Only one kind of rule:
Acceptance Transform rule - can change the data in a claim. Ex: can change the value in the claim.
Can also change the claim type. Ex: if the value came in as a group but you want a user.



ADFS test environment build tasks:
1. Create a test AD domain in AWS.
2. Join the ADFS servers to the test domain.
3. Request an SSL cert.
4. Configure ADFS with the SSL cert and a self-signed cert.
5. Configure the external Web Application Proxy.
6. Set up internal and external DNS.
7. Create an ELB in AWS and open the port.
8. Create an AD trust between the on-prem test AD and the AWS test AD.
9. Install AAD and configure it with the O365 test tenant.
10. Configure Azure monitoring.
11. Customize the ADFS login home page.
12. Open ports 80, 443 and 49443 between the ADFS federation server and the proxy in the DMZ.

Migrate the O365 RP connection from ADFS 2012 to ADFS 2016
1. Log on to the ADFS 2016 front-end server
2. Open Windows PowerShell as Administrator
3. Connect-MsolService
4. Get-MsolDomain
a. Gather the list of federated domains from the old ADFS server
5. Set-MsolADFSContext -Computer <name of the new ADFS 2016 server>
6. Update the O365 relying party trust with the new ADFS farm. Command:
Update-MsolFederatedDomain -DomainName "Domain.com" -SupportMultipleDomain -Confirm
7. Get-MsolDomain
8. This may take 30 minutes for the change to take effect
a. Sign in to O365
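The migration above as one script, added here as an example and not part of the original post. It assumes the MSOnline module is installed, that it runs as an administrator on the new ADFS 2016 server (so the ADFS cmdlets are available) with an O365 Global Admin account, and that $NewAdfsServer is a placeholder for the new server's name; it also adds the check step 7 does not give you, namely that the signing certificate Azure AD now holds for each domain is the new farm's primary token-signing certificate.

```powershell
# Added example, not from the original post: migrate every federated domain to
# the new ADFS 2016 farm and verify what Azure AD stored afterwards.
# Assumptions: MSOnline module installed; run as admin on the new ADFS 2016
# server; the account is O365 Global Admin; $NewAdfsServer is a placeholder.
param([Parameter(Mandatory)][string]$NewAdfsServer)

Import-Module MSOnline
Connect-MsolService                                   # interactive O365 logon

# Step 4: record the federated domains before changing anything
$federated = Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' }
if (-not $federated) { throw 'No federated domains found; nothing to migrate.' }
"Federated domains: $($federated.Name -join ', ')"

# Step 5: point the MSOnline cmdlets at the new farm
Set-MsolADFSContext -Computer $NewAdfsServer

# Thumbprint of the farm's primary token-signing cert (what O365 must trust)
$expectedThumb = (Get-AdfsCertificate -CertificateType Token-Signing |
                  Where-Object IsPrimary).Certificate.Thumbprint

# Step 6: update the O365 relying party trust, once per federated domain
foreach ($d in $federated) {
    Update-MsolFederatedDomain -DomainName $d.Name -SupportMultipleDomain
}

# Step 7 with a real check: the signing certificate Azure AD now holds for each
# domain must be the new farm's primary token-signing certificate
$federated | ForEach-Object {
    $s    = Get-MsolDomainFederationSettings -DomainName $_.Name
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                [Convert]::FromBase64String($s.SigningCertificate))
    [pscustomobject]@{
        Domain      = $_.Name
        IssuerUri   = $s.IssuerUri
        PassiveUri  = $s.PassiveLogOnUri
        SigningCert = $cert.Thumbprint
        Matches     = ($cert.Thumbprint -eq $expectedThumb)
    }
} | Format-Table -AutoSize
```

Any row with Matches = False means O365 will still validate tokens against the old farm's certificate and sign-in will fail once the old farm is retired.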

O365 SSO connectivity check:


Info:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-azure-ad-trust
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs

Metadata URL (replace "server" with the identity provider's name):
https://server/FederationMetadata/2007-06/FederationMetadata.xml
https://adfsfarmname/FederationMetadata/2007-06/FederationMetadata.xml
Login URL:
https://adfsfarmname/adfs/ls/idpinitiatedsignon.aspx
Issuer URL [IdP entity ID] (Federation Service identifier):
http://adfsfarmname/adfs/services/trust
[SSO service URL]:
https://adfsfarmname/adfs/ls


User account lockouts where the AD DC's event viewer shows the ADFS server as the source:
Log in to the ADFS server, open Event Viewer and look at the timestamp when the lockout was reported on the AD DC. You will find two events, 4625 and 411, with the user's email address. 411 has the IP details (the actual device where the lockout occurred).

ADFS event viewer:
When you upgrade to ADFS 3.0 you can set the lockout threshold on ADFS before the AD lockout threshold is reached. This will stop the malicious or bad logins from having ADFS lock out the account on the local network.
Also, in ADFS 3.0 you can see the true client IP (the attempted IP): filter your ADFS logs for all 411 error IDs for the originating IP. In the event, IP1 is the client IP, IP2 is Microsoft's O365 IP, IP3 is your ADFS server.

Found on Spiceworks: https://community.spiceworks.com/topic/673038-continuous-account-lockouts-from-adfs?utm_source=copy_paste&utm_campaign=growth
https://blogs.technet.microsoft.com/pie/2016/02/02/ad-fun-services-track-down-the-source-of-adfs-lockouts/
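The lockout investigation above as a script, added here as an example and not part of the original post or the Spiceworks thread. It assumes it runs as an administrator on the ADFS server, that $UserEmail and $LockoutTime are what the DC's lockout event reported, and that the three IPs appear in the 411 message text in the order the post gives (client, O365, ADFS server); it also prints the ADFS extranet lockout settings, which are the knob the post refers to.

```powershell
# Added example, not from the original post or the Spiceworks thread: list the
# client IPs behind the ADFS 411 events for one user around the lockout time.
# Assumptions: run as admin on the ADFS server; the three IPs appear in the
# 411 message in the order client, O365, ADFS server (as the post says).
param(
    [Parameter(Mandatory)][string]$UserEmail,
    [Parameter(Mandatory)][datetime]$LockoutTime,
    [int]$WindowMinutes = 15
)

$filter = @{
    LogName   = 'AD FS/Admin'
    Id        = 411
    StartTime = $LockoutTime.AddMinutes(-$WindowMinutes)
    EndTime   = $LockoutTime.AddMinutes($WindowMinutes)
}
$ipv4 = '\b(?:\d{1,3}\.){3}\d{1,3}\b'

$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($UserEmail) } |
    ForEach-Object {
        # @() keeps a single match as an array so [0] is an IP, not a char
        $ips = @([regex]::Matches($_.Message, $ipv4) | ForEach-Object Value)
        [pscustomobject]@{
            Time     = $_.TimeCreated
            ClientIP = $ips[0]      # originating device (IP1)
            O365IP   = $ips[1]      # Microsoft's O365 endpoint (IP2)
            AdfsIP   = $ips[2]      # this ADFS server (IP3)
        }
    }

# Originating IPs ranked by number of failed token validations
$hits | Group-Object ClientIP | Sort-Object Count -Descending |
    Select-Object @{n='ClientIP';e={$_.Name}}, Count,
                  @{n='First';e={($_.Group.Time | Measure-Object -Minimum).Minimum}},
                  @{n='Last'; e={($_.Group.Time | Measure-Object -Maximum).Maximum}}

# Extranet lockout (ADFS 2012 R2 / "3.0" and later): its threshold should be
# lower than the AD domain lockout threshold so ADFS trips first
Get-AdfsProperties | Select-Object EnableExtranetLockout, ExtranetLockoutThreshold,
                                   ExtranetObservationWindow | Format-List
```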

Azure portal health report for ADFS farm:

  • Azure AD Connect Health for AD FS 



SSO issue: AWS was integrated with ADFS and one day users were unable to access their AWS accounts. Reason: the ADFS cert had been renewed and the metadata had not yet been updated at the AWS end.

1. Token Signing Certificate and Token Decryption Certificate: self-signed certificate auto-enrollment has been enabled on AD FS.
2. 20 days before expiry the new certificate is generated and automatically enrolled into ADFS.
3. During the enrollment the old certificate is Primary and the new certificate is Secondary.
4. After that the new certificate becomes Primary and the old certificate becomes Secondary.
5. Login to the AWS application fails because the metadata was not updated on AWS.
6. Download the new metadata from the link below as an XML file (use Chrome: enter the URL in the address bar and press Enter, it will download).
 Link: https://adfsfarmname/FederationMetadata/2007-06/FederationMetadata.xml
7. Log in to the AWS web console with admin access.
8. Upload the new metadata file.
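A check that catches this before users notice, added here as an example and not part of the original post: it reports the farm's rollover state and compares the signing certificate in the metadata currently published at the URL from step 6 with the copy last uploaded to the relying party. It assumes it runs as an administrator on an ADFS server, that $FarmFqdn is a placeholder for the farm name, and that $RpMetadataPath is your saved copy of the metadata XML last given to AWS.

```powershell
# Added example, not from the original post: report token-signing rollover
# state and check whether the metadata a relying party holds is stale.
# Assumptions: run as admin on an ADFS server; $FarmFqdn is a placeholder;
# $RpMetadataPath is the saved copy of the metadata last uploaded to the RP.
param(
    [Parameter(Mandatory)][string]$FarmFqdn,
    [string]$RpMetadataPath
)

# 1. Rollover settings; thresholds are days before expiry (generate, then promote)
Get-AdfsProperties | Select-Object AutoCertificateRollover,
    CertificateGenerationThreshold, CertificatePromotionThreshold | Format-List

# 2. Token-signing certs; a second (secondary) one means a rollover is under way
$signing = Get-AdfsCertificate -CertificateType Token-Signing
$signing | Select-Object IsPrimary, @{n='Thumbprint';e={$_.Certificate.Thumbprint}},
    @{n='NotAfter';e={$_.Certificate.NotAfter}} | Format-Table -AutoSize
if (@($signing).Count -gt 1) {
    Write-Warning 'More than one token-signing cert: RPs that do not poll metadata need the new one.'
}

# Thumbprints of the signing certs listed in a federation metadata document
function Get-MetadataSigningThumbprints([xml]$Doc) {
    $ns = New-Object System.Xml.XmlNamespaceManager($Doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $xpath = '//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]//ds:X509Certificate'
    foreach ($n in $Doc.SelectNodes($xpath, $ns)) {
        $bytes = [Convert]::FromBase64String($n.InnerText.Trim())
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes).Thumbprint
    }
}

# 3. What the farm publishes right now (the URL from step 6)
$url = "https://$FarmFqdn/FederationMetadata/2007-06/FederationMetadata.xml"
$live = [xml]((New-Object System.Net.WebClient).DownloadString($url))
$published = @(Get-MetadataSigningThumbprints $live)
"Published signing thumbprints: $($published -join ', ')"

# 4. Compare with the copy the relying party was given
if ($RpMetadataPath) {
    $rp = @(Get-MetadataSigningThumbprints ([xml](Get-Content -Raw $RpMetadataPath)))
    $primary = ($signing | Where-Object IsPrimary).Certificate.Thumbprint
    if ($rp -contains $primary) { "RP metadata already has primary signing cert $primary" }
    else { Write-Warning "RP metadata is stale: $primary missing. Re-download $url and upload it." }
}
```

Scheduling this a few days before the promotion threshold gives you the window between step 2 and step 4 to re-upload the metadata to AWS.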

Other info:-

claims generator at the following link to create the necessary claims for your ADFS:
https://adfshelp.microsoft.com/AadTrustClaims/ClaimsGenerator

Active Directory Federation Services | Microsoft Docs
https://docs.microsoft.com/en-us/windows-server/identity/active-directory-federation-services

You can also access the below link, ADFSHelp helps you create the correct claim rules:
https://adfshelp.microsoft.com/AadTrustClaims/GenerateClaims

To get the details of a relying party trust (clip copies the result to the clipboard):
Get-AdfsRelyingPartyTrust -Name "xxxxxx" | clip


Relying party trust

Add issuance transform claim rule
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-rule-to-transform-an-incoming-claim