Deep dive into AD FS and MS WAP – User Certificate Authentication through a WAP

Posted on August 24, 2017 by mattfeltonma

Hi everyone,

Today I continue my series of posts that cover a behind the scenes look at how Active Directory Federation Service (AD FS) and the Microsoft Web Application Proxy (WAP) interact. In my first post I explained the business cases that would call for the usage of a WAP. In my second post I did a deep dive into the WAP registration process (MS refers to this as the trust establishment with AD FS and the WAP). In this post I decided to cover how user certificate authentication is achieved when AD FS server is placed behind the WAP.

AD FS offers a few different options to authenticate users to the service including Integrated Windows Authentication (IWA), forms-based authentication, and certificate authentication. Readers who work in environments with sensitive data where assurance of a user’s identity is important should be familiar with certificate authentication in the Microsoft world. If you’re unfamiliar with it I recommend you take a read through this Microsoft article.

With the recent release of the National Institute of Standards and Technology (NIST) Digital Identity Guidelines 800-63 which reworks the authenticator assurance levels (AAL) and relegates passwords to AAL1 only, organizations will be looking for other authenticator options. Given the maturity of authenticators that make use of certificates such as the traditional smart card it’s likely many organizations will look at opportunities for how the existing equipment and infrastructure can be further utilized. So all the more important we understand how AD FS certificate authentication works.

I’ll be using the lab I described in my first post. I made the following modifications/additions to the lab:

Configure Active Directory Certificate Services (AD CS) certificate authority (CA) to include certificate revocation list (CRL) distribution point (CDP). The CRLs will be served up via an IIS instance with the address crl.journeyofthegeek.com. This is the only CDP listed in the certificates. Certificates created during my original lab setup that are installed within the infrastructure do not include a CDP.
Added a non-domain-joined Windows 10 computer which be used as the endpoint the test user accesses the federation service from.

Tool-wise I used ProcMon, Fiddler, API Monitor, and WireShark.

So what did I discover?

Prior to doing any type of user interaction, I setup the tools I would be using moving forward. On the WAP I started ProcMon as an Administrator and configured my filters to capture only TCP Send and TCP Receive operations. I also setup WireShark using a filter of ip.addr==192.168.100.10 && tcp.port==80. The IP address is the IP of the web server hosting my CRLs. This would ensure I’d see the name of the process making the connection to the CDP as well as the conversation between the two nodes.

** Note that the machine will cache the CRLs after they are successfully downloaded from the CDP. It will not make any further calls until the CRLs expire. To get around this behavior while I was testing I ran the command certutil -setreg chain\ChainCacheResyncFiletime @now as outlined in this article. This forces the machine to pull the CRLs again from the CDP regardless of whether or not they are expired. I ran the command as the LOCAL SYSTEM security principal using psexec.

The final step was to start Fiddler as the NETWORK SERVICE security principal using the command psexec -i -u “NT AUTHORITY\Network Service” “C:\Program Files (x86)\Fiddler2\Fiddler.exe”. Remember that Fiddler needs the public key certificate in the appropriate file location as I outlined in my last post. Recall that the Web Application Proxy Service and the Active Directory Federation Service running on the WAP both run as that security principal.

Once all the tools were in place I logged into the non-domain joined Windows 10 box and opened up Microsoft Edge and popped the username of my test user into the username field.

After home realm discovery occurred within Azure AD, I received the forms-based login page of my AD FS instance.

Let’s take a look at what’s happened on the WAP so far.

In the initial HTTP Connect session the WAP makes to the AD FS farm, we see that the ClientHello handshake occurs where the WAP authenticates to the AD FS server to authenticate itself as described in my last post.

Once the secure session is established the WAP passes the HTTP GET request to the AD FS server. It adds a number of headers to the request which AD FS consumes to identify the client is coming from the WAP. This information is used for a number of AD FS features such as enforcing additional authentication policies for Extranet access.

The WAP also passes a number of query strings. There are a few interesting query strings here. The first is the client-request-id which is a unique identifier for the session that AD FS uses to correlate event log errors with the session. The username is obvious and shows the user’s user principal name that was inputted in the username field at the O365 login page. The wa query string shows a value of wsignin1.0 indicating the usage of WS-Federation. The wtrealm indicates the relying party identifier of the application, in this case Azure AD.

The wctx query string is quite interesting and needs to be parsed a bit on its own. Breaking down the value in the parameter we come across three unique parameters.

LoginOptions=3 indicates that the user has not selected the “Keep me signed in” option. If the user had selected that checkbox a value of 1 would have been passed and AD FS would create a persistent cookie which would exist even after the browser closes. This option is sometimes preferable for customers when opening documents from SharePoint Online so the user does not have to authenticate over and over.

The estsredirect contains the encoded and signed authentication request from O365. I stared at API monitor for a few hours going API call by API call trying to identify what this looks like once it’s decoded, but was unsuccessful. If you know how to decode it, I’d love to know. I’m very curious as to its contents.

The WAP next makes another HTTP GET to the AD FS server this time including the additional query string of pullStatus which is set equal to 0. I’m clueless as to the function on of this, I couldn’t find anything. The only other thing that changes is the referer.

My best guess on the above two sessions is the first session is where AD FS performs home realm discovery and maybe some processing on to determine if there are any special configurations for the WAP such as limited or expanded authentication options (device authN, certAuthN only). The second session is simply the AD FS server presenting the authentication methods configured for Extranet users.

The user then chooses the “Sign in with an X.509 certificate” (I’m not using SNI to host both forms and cert authN on the same port) and the WAP then performs another HTTP CONNECT to port 49443 which is the certificate authentication endpoint on the AD FS server. It again authenticates to the AD FS server with its client certificate prior to establishing the secure tunnel.

The third session we see a HTTP POST to the AD FS server with the same query parameters as our previous request but also providing a JSON object with a key of AuthMethod and the key value combination of AuthMethod=CertificateAuthentication in the body.

The next session is another HTTP POST with the same JSON object content and the key value pairs of AuthMethod=CertificateAuthentication and RetrieveCertificate=1 in the body. The AD FS server sends a 307 Temporary Redirect to the /adfs/backendproxytls/ endpoint on the AD FS server.

Prior to the redirect completing successful we see the calls to the CDP endpoint for the full and delta CRLs.

I was curious as to which process was pulling the CRLs and identified it was LSASS.EXE from the ProcMon capture.

At the /adfs/backendproxytls/ endpoint the WAP performs another HTTP POST this time posting a JSON object with a number of key value combinations.

The interesting key value types included in the JSON object are the nested JSON object for Headers which contains all the WAP headers I covered earlier. The query string JSON object which contains all the query strings I covered earlier. The SeralizedClientCertificate contains the certificate the user provided after selecting to use certificate authentication. The AD FS server then sends back a cookie to the WAP. This cookie is the cookie the representing the user’s authentication to the AD FS server as detailed in this link.

The WAP then performs a final HTTP GET back at the /adfs/ls/ endpoint including the previously described headers and query strings as well as provided the cookie it just received. The AD FS server responds by providing the assertion requested by Microsoft along with a MSISAuthenticated, MSISSignOut, and MSISLoopDetectionCookie cookies which are described in the link above.

What did we learn?

The certificate is checked at both the WAP and the AD FS server to ensure it is valid and issued from a trusted certificate authority. Remember to verify you trust the certificate chain of any user certificates on both the AD FS servers and WAPs.
CRL Revocation checking is enabled by default and is performed on both the AD FS server and the WAP. Remember to verify the locations in your CDP are available by both devices.
The AD FS servers use the LSALogonUser function in the secur32.dll library to perform standard certificate authentication to Active Directory Domain Services. I didn’t include this, but I captured this by running API monitor on the AD FS server.

In short, if you’re going to use device authentication or user certificate authentication make sure you have your PKI components in order.

See you next post!

Deep dive into AD FS and MS WAP – WAP Registration

Posted on August 8, 2017 by mattfeltonma

Hi everyone,

In today’s blog entry I’ll be doing a deep dive into how the Microsoft Web Application Proxy (WAP) established a trust with the Active Directory Federation Service (AD FS) (I’ll be referring to this as registration) in order to act as a reverse proxy for AD FS. In my first entry into this series I covered the business use cases that would call for such an integration as well as providing an overview of the lab environment I’ll be using for the series. So what does registration mean? Well, the best way to describe it is to see it in action.

Figuring out how to capture the conversation took some trial and error. This is where Sysinternals Process Explorer comes into play. I went through the process of registering the WAP with AD FS using the Remote Access Management Console configuration utility and monitored the running processes with Process Explorer. Upon reviewing the TCP/IP activity of the Remote Access Management Console process (RAMgmtUI.exe) I observed TCP connectivity to the AD FS farm.

RemoteReg

The process is running as the logged in user, in my case the administrator account I’ve configured. This meant I would need to run Fiddler using the logged in user context rather than having to do some funky with running it as SYSTEM or another security principal using PSEXEC.

I started up Fiddler and configured it to intercept HTTPS traffic as per the configuration below. Ensure that you’ve trusted the Fiddler root certificate so Fiddler can establish a man-in-the-middle (MITM) scenario.

I next ran the Remote Access Management Console and initiated the Web Application Proxy Configuration wizard. Here I ran the wizard a few different times specifying invalid credentials on the AD FS server to generate some web requests. The web conversation below popped up Fiddler.

Digging into the third session shows an HTTP POST to sts.journeyofthegeek.com/adfs/Proxy/EstablishTrust with a return code of 401 Unauthorized which we would expect given our application doesn’t know if authentication is required yet and didn’t specify an Authorization header.

estab1

Session four shows another HTTP POST to the same URL this time with an Authorization header specifying Basic authentication with our credentials Base64 encoded. We receive another 401 because we have invalid credentials which again is expected.

What’s interesting is the JSON object being posted to the URL. The JWT includes a key named SerializedTrustCertificate with a value of a Base64 encoded public-key certificate as the value.

Copy and pasting the encoded value to notepad and saving the file with a CER extension yields the certificate below of which the WAP has both the public and private key pairs. The certificate is a 2048-bit key length self-signed certificate.

At this point the WAP will attempt numerous connections to the /adfs/Proxy/GetConfiguration URL with a query string of api-version=2 as seen in the screenshot below. It will receive a 401 back because Fiddler needs a copy of the client certificate to provide to the AD FS server. At this point I let it time out and eventually the setup finished.

So what does the configuration information look like from AD FS when it’s successfully retrieved? So to see that we have to now pay attention to the Microsoft.IdentityServer.ProxyService.exe process which runs as the Active Directory Federation Services service (adfssrv).

Since the process runs as Network Service I needed to get a bit creative in how I captured the conversation with Fiddler. The first step is to export the public-key certificate for the self-signed certificate generated by the WAP, name it ClientCertificate.cer, and to store it in the Network Service profile folder in C:\Windows\ServiceProfiles\NetworkService\Documents\Fiddler2. By doing this Fiddler will use that certificate for any website requiring client certificate authentication.

The next step was to start Fiddler as the Network Service security principal. To do this I used PSEXEC with the following options:

Psexec -i -u “NT AUTHORITY\Network Service” “C:\Program Files (x86)\Fiddler2\Fiddler.exe.

I then restarted the Active Directory Federation Service on the WAP and boom there are our successful GET from the AD FS server at the /adfs/Proxy/GetConfiguration URL.

The WAP receives back a JSON object with all the configuration information for the AD FS server as seen below. Much of this is information about endpoints the AD FS server is supporting. Beyond that we get information the AD FS service configuration. The WAP uses this configuration to setup its bindings with the HTTP.SYS kernel mode driver. Yes the WAP uses HTTP.SYS in the same way AD FS uses it.

So what did we learn? When establishing the trust with the AD FS server (I’m branding this registration 🙂 ) the WAP does the following:

Generates a 2048-bit self-signed certificate
Opens an HTTPS connection with an AD FS server
Performs a POST on /adfs/Proxy/EstablishTrust providing a JSON object containing the public key certificate and authenticating to the AD FS server with the credentials provided with the wizard using Basic authentication.If the authentication is successful the AD FS server establishes the trust. (I’ll dig into this piece in the next post)
Performs a GET on /adfs/Proxy/GetConfiguration using the self-signed certificate to authenticate itself to the AD FS server.
Consumes the configuration information and configures the appropriate endpoints with calls to HTTP.SYS.

So that’s the WAP side of the fence for establishing the trust. In my next post I’ll briefly cover what goes on with the AD FS server as well as examining the LDAP calls (if any) to AD DS during the registration process.

See you next time!

Helpful hints for resolving AD FS problems – Part 2

Posted on June 10, 2017 by mattfeltonma

Welcome back to part two of my series of posts which looks at resolving problems with AD FS. You can check out part 1 here. In this post I’ll look another problem you may encounter while administering the service.

With the introduction of AD FS 2012 R2, Microsoft de-coupled AD FS from IIS. AD FS running on MS versions 2012 R2 or later now use the HTTP Server API (more often referred to as HTTP.SYS). HTTP.SYS is a kernal mode drive that was introduced in Windows Server 2003 and is used by a Windows system to listen for HTTP and HTTPS requests (check out this article for a detailed breakdown of how it works.) Infrastructure services such as IIS and WINRM use the driver. By integrating AD FS directly with HTTP.SYS, Microsoft was able to cut the footprint of the solution by eliminating the need for IIS. Awesome right? Of course it is, however, it is a bit more challenging to troubleshoot.

Issue 2: Replacing the AD FS Service Communications certificate

The service communications certificate is one of the “big three” certificates used within an AD FS implementation. The certificate that is assigned as the service communications certificate is used to protect web communication between clients and the AD FS service (i.e. SSL/TLS). Like any certificate, it will have a standard lifecycle and will eventually need to be replaced. When that time comes, you can run into a very interesting problem depending on how you go about replacing that certificate.

If you’ve been managing an AD FS instance for any period of time, you’ve more than likely become quite familiar with the AD FS Management Console. When replacing the certificate in AD FS 2012 R2 or above, you may be tempted to use the Set Service Communications Certificate action seen below. Let’s give it a try shall we?

ADFSMMCSC

I first requested a new web certificate from the instance of AD CS through the Certificate MMC and placed it in the Computer store. I then granted READ access to the private key for the service account AD FS is using. After that I used the Set Service Communications Certificate action and selected the new certificate. A quick check of the thumbprint of the certificate now being used matches the thumbprint of the new certificate (pay attention to the thumbprint, I’ll reference it again later). Last step is to restart the AD FS service.

Screen Shot 2017-06-10 at 3.12.06 PM.png

Let’s now test the sample claim app I described in my first post.

Screen Shot 2017-06-10 at 2.58.35 PM

Uh oh. What happened? A check of the Application, System, and AD FS Admin logs shows no errors or warning nor does the AD FS Debug after another attempt. Heck, even the log for the HTTP.SYS kernal driver httperr.log in C:\Windows\System32\LogFiles\HTTPERR is empty. This is yet another instance of where the answer could not be found in any of the logs I reviewed because it’s another error related to the integration with HTTP.SYS. What to do next?

Much of the administration of the integration with HTTP.SYS is doing using netsh. Here we’re going to look at the certificate bindings configured for the HTTP listeners using the command http showsslcert from the netsh command prompt.

Screen Shot 2017-06-10 at 3.07.19 PM.png

Well our bindings are there, but look at the thumbprint: 12506a00b40617b096002089383015bbbb99e970. That thumbprint does not match the thumbprint for the new certificate I set for the Service Communications certificate. So what happened? My best guess is when one of the HTTPS listeners are hit, the configuration in the AD FS database does not match the configuration of the HTTP.SYS listeners causing AD FS to crash. How do we fix it? Come to find out from this blog, there is one additional command that needs to be run to setup the listeners with the proper bindings, Set-AdfsSslCertificate. After using the Set-AdfsSslCertificate and setting it with the new thumbprint then restarting the AD FS service, netsh http showsslcert now shows the correct thumbprint and the sample claim app is now working as expected.

Screen Shot 2017-06-10 at 3.26.51 PM

What you should take from this post is that while integrating with HTTP.SYS helps to limit the AD FS footprint, it also adds some intricacies to troubleshooting the service when it stops working. In the next and final post in this series I will cover an issue that can pop up when a Web Application Proxy (WAP) is integrated in the mix.

See you next post!

Active Directory Federation Services – SQL Attribute Store

Posted on May 28, 2017 by mattfeltonma

Hi everyone,

I recently had a use case come across my desk where I needed to do a SAML integration with a SaaS provider. The provider required a number of pieces of information about the user beyond the standard unique identifier. The additional information would be used to direct the user to the appropriate instance of the SaaS application.

In the past fifty or so SAML integrations I’ve done, I’ve been able to source my data directly from the Active Directory store. This was because Active Directory was authoritative for the data or there was a reliable data synchronization process in place such that the data was being sourced from an authoritative source. In this scenario, neither options was available. Thankfully the data source I needed to hit to get the missing data exposed a subset of its data through a Microsoft SQL view.

I have done a lot in AD FS over the past few years from design to operational support of the service, but I had never sourced information from a data source hosted via MS SQL Server. I reviewed the Microsoft documentation available via TechNet and found it to be lacking. Further searches across MS blogs and third-party blogs provided a number of “bits” of information but no real end to end guide. Given the lack of solid content, I decided it would be fun to put one together so off to Azure I went.

For the lab environment, I built the following:

Active Director forest name – geekintheweeds.com
Server 1 – SERVERDC (Windows Server 2016)
- Active Directory Domain Services
- Active Directory Domain Naming Services
- Active Directory Certificate Services
Server 2 – SERVER-ADFS (Windows Server 2016)
- Active Directory Federation Services
- Microsoft SQL Server Express 2016
Server 3 – SERVER-WEB (Windows Server 2016)
- Microsoft IIS

On SERVER-WEB I installed the sample claims application referenced here. Make sure to follow the instructions in the blog to save yourself some headaches. There are plenty of blogs out there that discuss building a lab consisting the of the services outlined above, so I won’t cover those details.

On SERVER-ADFS I created a database named hrdb within the same instance as the AD FS databases. Within the database I created a table named dbo.EmployeeInfo with 5 columns named givenName, surName, email, userName, and role all of data type nvchar(MAX). The userName column contained the unique values I used to relate a user object in Active Directory back to a record in the SQL database.

Once the database was created and populated with some sample data and the appropriate Active Directory user objects were created, it was time to begin to configure the connectivity between AD FS and MS SQL. Before we go creating the new attribute store, the AD FS service account needs appropriate permissions to access the SQL database. I went the easy route and gave the service account the db_datareader role on the database, although the CONNECT and SELECT permissions would have probably been sufficient.

After the service account was given appropriate permissions the next step was to configure it as an attribute store in AD FS. To that I opened the AD FS management console, expanded the service node, and right-clicked on the Attribute Store and selected the Add Attribute Store option. I used mysql as the store name and selected SQL option from the drop-down box. My SQL was a bit rusty so the connection string took a few tries to get right.

I then created a new claim description to hold the role information I was pulling from the SQL database.

The last step in the process was to create some claim rules to pull data from the SQL database. Pulling data from a MS SQL datastore requires the use of custom claim rules. If you’re unfamiliar with the custom claim language, the following two links are two of the best I’ve found on the net:

The first claim rule I created was a rule to query Active Directory via LDAP for the SAM-Account-Name attribute. This is the attribute I would be using to query the SQL database for the user’s unique record.

Next up I had my first custom claim rule where I queried the SQL database for the value in the userName column for the value of the SAM-Account-Name I pulled from earlier step and I requested back the value in the email column of the record that was returned. Since I wanted to do some transforming of the information in a later step, I added the claim to incoming claim set.

I then issued another query for the value in the role column.

Finally, I performed some transforms to verify I was getting the appropriate data that I wanted. I converted the email address claim type to the Common Name type and the custom claim definition role I referenced above to the out of the box role claim definition. I then hit the endpoint for the sample claim app and… VICTORY!

Simple right? Well it would be if this information had been documented within a single link. Either way, I had some good lessons learned that I will share with you now:

Do NOT copy and paste claim rules. I chased a number of red herrings trying to figure out why my claim rule was being rejected. More than likely the copy/paste added an invalid character I was unable to see.
Brush up on your MS SQL before you attempt this. My SQL was super rusty and it caused me to go down a number of paths which wasted time. Thankfully, my worker Jeff Lee was there to add some brain power and help work through the issues.

Before I sign off, I want to thank my coworker Jeff Lee for helping out on this one. It was a great learning experience for both of us.

Thanks and have a wonderful Memorial Day!

Journey Of The Geek

The chronicles of a Bostonian tech geek navigating through life and technology

Tag Archives: Active Directory Federation Services

Helpful hints for resolving AD FS problems – Part 2

Active Directory Federation Services – SQL Attribute Store