ADFS Knowledge Transfer
Assessment & Side-by-Side Workshop
Microsoft Confidential 1
Agenda
• Why ADFS ?
• What is ADFS
• Key Terminologies
• AD FS Deployment
• AD FS Farm Roles
• AD FS Farm Topologies
• High Availability Consideration
• AD FS Extranet Lockout and Extranet Smart Lockout
• Configuring Relying Party Trusts
• Troubleshooting
• AD FS Event Logs
• AD FS Auditing
• Additional References
Why AD FS?
How to make internal or hosted applications available to business partners and other organizations?
Historically, web applications used authentication designed for the Intranet.
Available authentication schemes were:
• Anonymous Authentication
• Basic Authentication
• Windows Integrated Authentication (NTLM)
• Windows Integrated Authentication (Kerberos)
• Forms-Based Authentication
• Certificate-Based Authentication
Why AD FS? (cont.)
Providing another organization access to a web application required either
• A Windows trust between Forests, or
• Shadow accounts in the Forest hosting the web application
Why AD FS? (cont.)
Moving to the cloud prompts for a new authentication scheme.
Claims-Based Authentication method
• Complements actual authentication methods like Kerberos.
• Provides a powerful abstraction for identity.
• Independent of attribute store (AD, SQL, LDS)
• Simplifies authentication logic.
AD FS is the Microsoft solution for Claims-Based Authentication, acting as Security Token Service (STS).
Why AD FS? (cont.)
A Security Token Service (STS) allows
• The web application to hand authentication off to a trusted service
• Identify and authenticate users based on claims
• Chains of trust between STSs to be built, facilitating multi-org access to applications
Authentication is provided by means of tokens that
• Identify the user
• Are cryptographically signed with digital certificates (establishing trust)
• Are transported using SSL encrypted HTTP
What is AD FS: Key Terminologies
ADFS: AD FS is the Microsoft solution for Claims-Based Authentication, acting as Security Token Service (STS).
Security Token Service (STS): A web service that authenticates clients. The STS issues security tokens to authenticated clients.
Claims Provider/Identity Provider: A federation service that issues claims for a particular transaction.
Relying Party/Service Provider: A federation service or application that consumes claims.
Security Assertion Markup Language (SAML): An OASIS specification that defines how to use HTTP web browser redirects to exchange assertion data. SAML is used to authenticate and authorize users across secure boundaries.
SAML Token: The data format for communicating claims between a claims provider and a relying party. AD FS 2.x and higher uses both SAML 1.1 and SAML 2.0 formats.
WS-Trust: The SOAP protocol, which is defined by the WS-Trust specifications, for requesting claims from a claims provider.
WS-Federation: An OASIS standard specification that defines the WS-Federation Passive protocol and other protocol extensions that are used for federation.
Claim: A piece of identity information.
AD FS Deployment: AD FS Farm Roles
AD FS Farm Roles – Federation Server
The Federation Server
• Holds the configuration for trust relationships with applications and/or other Security Token Services (STS)
• Issues authentication tokens for access to trusting applications and/or Security Token Services
• Audits authentication attempts
• Interfaces with other services (e.g. Device Registration Service)
• Is Domain Joined
AD FS Farm Roles – AD FS Configuration Database
The AD FS Configuration Database
Stores the AD FS Farm Configuration (trusts, certificates, logon page formatting etc.)
Stores the configuration for the Web Application Proxy (published web sites)
May utilize Windows Internal Database (WID) or SQL Server
AD FS Farm Roles – Web Application Proxy
Web Application Proxy servers reside in the perimeter network and
• Provide reverse proxy functionality for web applications
• Proxy authentication requests to AD FS farm servers
• Usually reside in a workgroup (not domain-joined)
• Tag authentication requests as coming from outside the LAN
• Can be Domain joined for usage of Constrained delegation
AD FS Deployment: AD FS Farm Topologies
AD FS Farm Topologies – Single Server with WID
2012 R2 and higher: Single server farm with WID
This topology provides no high availability.
[Diagram: Domain Controller, Application Server, ADFS Server and Internal User on the Internal Network; Web Application Proxy Server in the Perimeter Network; External User reaching it over the Internet]
AD FS Farm Topologies - Federation Farm with WID
Recommended deployment topology
[Diagram: ADFS 1 and ADFS 2, each with a local WID, behind a Load Balancer on the Internal Network; WID pull replication over HTTP between the farm members; WAP 1 and WAP 2 behind a Load Balancer in the Perimeter Network; Internal User and External User (Internet)]
Pros
• Easy to implement
• Load balancing and fault tolerance possible
• Easily scalable
Cons
• Supports limit of 30 AD FS servers
• Support limit of 100 trust entries
• No support for SAML artifact resolution
• No support for token replay detection (Server 2016 brings Token Binding)
• Configuration changes only on primary federation server
AD FS Farm Topologies - Federation Farm with SQL
[Diagram: ADFS 1 and ADFS 2 behind a Load Balancer on the Internal Network, sharing one SQL configuration database; WAP 1 and WAP 2 behind a Load Balancer in the Perimeter Network; Internal User and External User (Internet)]
Pros
• No limit to the number of AD FS servers
• Load balancing and fault tolerance possible
• Easily scalable
• Supports SAML artifact resolution and token replay detection
• Configuration changes on any AD FS server
Cons
• More complex setup
• Dependent on SQL Server
• Makes high availability (HA) more difficult
AD FS Farm Topologies – DNS Considerations
[Diagram: fs.contoso.com resolved by internal DNS to the Load Balancer in front of ADFS 1 / ADFS 2 on the Internal Network, and by external DNS to the Load Balancer in front of WAP 1 / WAP 2 in the Perimeter Network; Internal User and External User (Internet)]
Split-brain DNS is required when users reside inside and outside the network
• Internal users must resolve to internal VIP for AD FS servers
• External users resolve to external VIP for WAP servers
• WAP servers must resolve to internal VIP for ADFS servers
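As an added example (not part of the deck), the split-brain rule above can be checked from each vantage point with a small PowerShell function: run on an AD FS server, a WAP server or an internal client with -ExpectInternal, and from an external vantage point without it. The service name and VIP addresses are constructed placeholders.

```powershell
# Added example: verify that fs.contoso.com resolves to the VIP this host is supposed to use.
# Internal hosts and WAP servers must land on the internal VIP (AD FS farm),
# external clients on the external VIP (WAP farm). Names and addresses are placeholders.

function Test-AdfsSplitBrainDns {
    param(
        [string]$FederationServiceName = 'fs.contoso.com',
        [Parameter(Mandatory)][string[]]$InternalVip,
        [Parameter(Mandatory)][string[]]$ExternalVip,
        [switch]$ExpectInternal      # set when running inside the LAN or on a WAP
    )

    # Only A answers matter; CNAME entries in the chain are dropped.
    $answers = @(Resolve-DnsName -Name $FederationServiceName -Type A -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'A' } |
                 Select-Object -ExpandProperty IPAddress)

    $expected = if ($ExpectInternal) { $InternalVip } else { $ExternalVip }
    $wrong    = @($answers | Where-Object { $_ -notin $expected })

    [pscustomobject]@{
        Host       = $env:COMPUTERNAME
        Name       = $FederationServiceName
        Resolved   = ($answers -join ',')
        Expected   = ($expected -join ',')
        # Pass only when at least one answer came back and none points at the wrong side.
        Pass       = ($answers.Count -gt 0 -and $wrong.Count -eq 0)
        Unexpected = ($wrong -join ',')
    }
}

# Usage on a WAP server (constructed addresses; 203.0.113.0/24 is a documentation range):
# Test-AdfsSplitBrainDns -InternalVip '10.0.0.10' -ExternalVip '203.0.113.10' -ExpectInternal
```

A WAP that resolves the federation service name to the external VIP proxies to itself, so the check is most valuable on the perimeter hosts.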
Number of Federation Servers and WAP
Use the AD FS 2016/2019 Capacity Planning spreadsheet:
http://adfsdocs.blob.core.windows.net/adfs/ADFSCapacity2016.xlsx
Number of Users: Up to 70.000
  Minimum Number of Servers: 2 dedicated AD FS servers, 2 dedicated WAP
  Recommendation: Install AD FS in a Farm; Configure Load Balancing
Number of Users: 70.000 – 200.000
  Minimum Number of Servers: 3 to 5 dedicated AD FS servers, more than 2 dedicated WAP
  Recommendation: Support 70% of all users logging in at once, even when losing 1 server
Based on these server specifications:
Hardware Specifications
CPU speed: Dual Quad Core 2.27GHz CPU (8 cores)
RAM: 4 gigabytes (GB)
Network: Gigabit
AD FS Deployment: High Availability Considerations
High Availability Considerations with WID
• WID is on each AD FS server
• No need for fault tolerance at the database level
• Replicates using a HTTP endpoint (not SQL Server replication)
• Default port 80 but can be changed
• Default 5 minute interval but can be changed
• If primary AD FS server is offline
• Users can still authenticate to other AD FS servers
• Changes cannot be made by administrators
• Proxy trust with WAP servers can’t be renewed (Also if replication isn’t working)
• Primary can be moved to another server using PowerShell
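The WID points above (HTTP pull replication from the primary, no administrative changes while the primary is down, primary moved with PowerShell) can be operated with the AD FS module's Get-AdfsSyncProperties and Set-AdfsSyncProperties. The following is an added example, not code from the deck; it assumes the AD FS module on every farm member and WinRM access between them, and the server names are constructed placeholders.

```powershell
# Added example: report WID replication state for every farm member and, when the
# primary is really lost, promote a secondary and repoint the remaining members.
# Property names are those of the Get-AdfsSyncProperties output.

function Get-AdfsWidSyncReport {
    param([Parameter(Mandatory)][string[]]$FarmServers)
    foreach ($server in $FarmServers) {
        try {
            $sync = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock { Get-AdfsSyncProperties }
            [pscustomobject]@{
                Server         = $server
                Role           = $sync.Role                  # PrimaryComputer or SecondaryComputer
                Primary        = $sync.PrimaryComputerName   # which node this member pulls from
                PrimaryPort    = $sync.PrimaryComputerPort   # HTTP replication endpoint, default 80
                PollSeconds    = $sync.PollDuration          # default 300 (5 minutes)
                LastSyncStatus = $sync.LastSyncStatus        # 0 when the last pull succeeded
                LastSyncTime   = $sync.LastSyncTime
            }
        } catch {
            # An unreachable member is reported rather than aborting the whole sweep.
            [pscustomobject]@{
                Server = $server; Role = 'UNREACHABLE'; Primary = $null; PrimaryPort = $null
                PollSeconds = $null; LastSyncStatus = $_.Exception.Message; LastSyncTime = $null
            }
        }
    }
}

# Promote $NewPrimary and repoint every other reachable member at it.
# Run this only when the old primary is gone for good: two primaries would each
# accept configuration changes that the other never receives.
function Move-AdfsWidPrimary {
    param(
        [Parameter(Mandatory)][string]$NewPrimary,
        [Parameter(Mandatory)][string[]]$OtherMembers
    )
    Invoke-Command -ComputerName $NewPrimary -ScriptBlock {
        Set-AdfsSyncProperties -Role PrimaryComputer
        Restart-Service adfssrv
    }
    foreach ($member in $OtherMembers) {
        Invoke-Command -ComputerName $member -ArgumentList $NewPrimary -ScriptBlock {
            param($primary)
            Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName $primary
            Restart-Service adfssrv
        }
    }
}

# Usage (constructed names):
# Get-AdfsWidSyncReport -FarmServers 'ADFS1','ADFS2','ADFS3' | Format-Table -AutoSize
# Move-AdfsWidPrimary -NewPrimary 'ADFS2' -OtherMembers 'ADFS3'
```

Running the report before and after the move confirms that every secondary now names the new primary and that its LastSyncTime advances within one poll interval.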
High Availability Considerations with SQL
• SQL does not run on AD FS servers
• If SQL Server is unreachable by AD FS, users cannot authenticate
• Fault tolerance must be implemented in SQL Server
• For previous (Windows 2012 and older) versions of AD FS
• Two SQL Clusters in different datacentres
• Synchronous mirroring required between clusters
• Consider witness server for automatic failover
• AD FS must be configured with failover partner
• …Data Source=<Principal SQLServer>; Failover Partner=<Mirror SQLServer>…
• For AD FS in Windows Server 2012 R2 or newer consider using SQL Always On
High Availability Considerations Across Datacentres
Consider deploying across datacentres using a global or site load balancer
AD FS Deployment: AD FS Extranet Lockout and Extranet Smart Lockout
AD FS Extranet Lockout and Extranet Smart Lockout
• AD FS validates user credentials against Active Directory
• Customers often use Account Lockout policies in their AD Forests
• Customer needs to protect their credentials from brute force attacks
• Attacker can target accounts through ADFS public endpoints
• Together, these present a Denial of Service attack vector to the Internet
• Many failed user logins against AD FS would lead to lockout of internal AD accounts
AD FS Extranet Lockout and Extranet Smart Lockout
• Windows Server 2012 R2 includes an Extranet Soft Lockout feature that
• Is independent of Active Directory account lockout
• Protects against extranet brute force password guessing
• AD FS Extranet Account Soft allows
• A separate password lockout policy for extranet logins
• Extranet user lockout independent of Active Directory account lockout
AD FS Extranet Lockout and Extranet Smart Lockout
• Windows Server 2016 (June 2018 update) includes an Extranet Smart Lockout feature that
• Differentiates sign-in attempts from familiar and unknown locations
• Can lock out attackers while letting valid users continue to use their accounts
• Prevents denial-of-service on the user and protects against targeted attacks
• Leverages the Extranet Soft Lockout feature and avoids Active Directory lockouts
• Has a log-only mode so that the system can learn good and potentially malicious sign-on activity without disabling any accounts
AD FS Extranet Lockout and Extranet Smart Lockout
• Windows Server 2019 includes additional Extranet Smart Lockout features that:
• Set independent lockout thresholds for familiar and unfamiliar locations, so that users in known good locations can have more room for error than requests from suspect locations
• Enable audit mode for smart lockout while continuing to enforce the previous soft lockout behavior
Configure AD FS Extranet Soft Lockout
• Enable Extranet Soft Lockout using (for Windows Server 2012 R2):
Set-AdfsProperties -EnableExtranetLockout $True
• Configure the Extranet Account Lockout threshold using (e.g. 5 bad attempts):
Set-AdfsProperties -ExtranetLockoutThreshold 5
• Configure the Extranet Account Lockout observation window using (e.g. 60 minutes):
$Timespan = New-TimeSpan -Minutes 60
Set-AdfsProperties -ExtranetObservationWindow $Timespan
• Allow fallback to another domain controller if the PDC is unavailable (starting with Server 2016):
Set-AdfsProperties -ExtranetLockoutRequirePDC $False
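The commands above only help against the AD account lockout described earlier if the AD FS threshold trips before the domain policy does. The following added example (not from the deck) wraps the same Set-AdfsProperties calls in a function that first reads the domain lockout policy with Get-ADDefaultDomainPasswordPolicy and refuses a threshold that is not lower than it. It assumes the ADFS and ActiveDirectory modules and is run on the primary federation server; the default threshold and window values are constructed.

```powershell
# Added example: configure Extranet Soft Lockout so that AD FS starts rejecting extranet
# attempts before the AD account itself locks. Assumes the ADFS and ActiveDirectory modules.

function Set-AdfsExtranetSoftLockout {
    param(
        [int]$Threshold     = 5,    # bad attempts before AD FS rejects extranet logins
        [int]$WindowMinutes = 60,   # observation window after which the counter resets
        [switch]$AllowNonPdc        # Server 2016+: do not require the PDC to be reachable
    )

    $ad = Get-ADDefaultDomainPasswordPolicy
    # LockoutThreshold 0 means AD never locks accounts. Otherwise the AD FS threshold must be
    # strictly lower, or a password-guessing run locks the AD account before AD FS intervenes.
    if ($ad.LockoutThreshold -gt 0 -and $Threshold -ge $ad.LockoutThreshold) {
        throw "ExtranetLockoutThreshold ($Threshold) must be lower than the AD lockout threshold ($($ad.LockoutThreshold))."
    }

    $params = @{
        EnableExtranetLockout     = $true
        ExtranetLockoutThreshold  = $Threshold
        ExtranetObservationWindow = New-TimeSpan -Minutes $WindowMinutes
    }
    # ExtranetLockoutRequirePDC does not exist on 2012 R2, so it is only added on request.
    if ($AllowNonPdc) { $params['ExtranetLockoutRequirePDC'] = $false }
    Set-AdfsProperties @params

    # Return the effective AD FS settings next to the AD policy for the change record.
    $p = Get-AdfsProperties
    [pscustomobject]@{
        ExtranetLockoutEnabled    = $p.ExtranetLockoutEnabled
        ExtranetLockoutThreshold  = $p.ExtranetLockoutThreshold
        ExtranetObservationWindow = $p.ExtranetObservationWindow
        ExtranetLockoutRequirePDC = $p.ExtranetLockoutRequirePDC
        AdLockoutThreshold        = $ad.LockoutThreshold
        AdObservationWindow       = $ad.LockoutObservationWindow
    }
}

# Usage (constructed values): Set-AdfsExtranetSoftLockout -Threshold 5 -WindowMinutes 60 -AllowNonPdc
```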
Configure AD FS Extranet Smart Lockout
• Requisites to enable Extranet Smart Lockout
• All Windows Server 2016 AD FS servers are up to date as of the June 2018 Windows
Updates
• Farm Behaviour Level is Windows Server 2016 or 2019
• Ensure AD FS Audit Logging is enabled
• Update Artifact Database Permission
$cred = Get-Credential
Update-AdfsArtifactDatabasePermission -Credential $cred
Configure AD FS Extranet Smart Lockout
• Extranet Smart Lockout Mode
• ADPasswordCounter – This is ADFS “extranet soft lockout” mode which does not
differentiate based on location. This is the default value.
• ADFSSmartLockoutLogOnly – This is Extranet Smart Lockout, but instead of rejecting
authentication requests, AD FS will only write admin and audit events.
• ADFSSmartLockoutEnforce - This is Extranet Smart Lockout with full support for
blocking unfamiliar requests when the thresholds are reached.
• To enable Extranet Smart Lockout set the parameters the same way you do with
Soft Lockout and then set the desired mode
Configure AD FS Extranet Smart Lockout
• Set Lockout Mode to Log Only
Set-AdfsProperties -ExtranetLockoutMode AdfsSmartlockoutLogOnly
• AD FS will log audit events and learn users' familiar locations, but does not block any request.
• Restart the AD FS service on all farm members.
• Log-only mode should be temporary, so the system can learn the behaviour before the lockout setting is enforced.
• PowerShell can be used to determine if the lockout occurred from familiar or unfamiliar IP addresses
Get-ADFSAccountActivity [email protected]
Configure AD FS Extranet Smart Lockout
• Set Lockout Mode to Enforce
Set-AdfsProperties -ExtranetLockoutMode AdfsSmartlockoutEnforce
• Restart the AD FS service on all farm members.
• Audit user activity using Event logs and manage user activity with PowerShell
• Add a familiar location address to a user account
Set-ADFSAccountActivity [email protected] -AdditionalFamiliarIps "1.2.3.4"
• Reset the lockout counter for a user account
Reset-ADFSAccountLockout [email protected] -Location Unknown/Familiar
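The three smart-lockout slides above form one procedure: verify the prerequisites, switch to log-only, review account activity, then enforce. The following added example (not from the deck) ties them together in PowerShell. It assumes the ADFS module on the primary server, WinRM to the other farm members, and the Get-ADFSAccountActivity cmdlet from the Extranet Smart Lockout tooling; the output property names used for that cmdlet are taken from its documented output and are an assumption here, and all server names and UPNs are constructed placeholders.

```powershell
# Added example: prerequisite check, mode switch with farm-wide restart, and a per-user
# review for Extranet Smart Lockout. Server names and UPNs are placeholders.

function Test-AdfsSmartLockoutPrerequisites {
    $props  = Get-AdfsProperties
    $farm   = Get-AdfsFarmInformation        # Server 2016+ only
    $issues = @()
    # Farm Behavior Level values: 1 = 2012 R2, 3 = 2016, 4 = 2019
    if ($farm.CurrentFarmBehavior -lt 3)     { $issues += "Farm Behavior Level is $($farm.CurrentFarmBehavior); 2016 (3) or 2019 (4) is required" }
    if ($props.AuditLevel -eq 'None')        { $issues += "AuditLevel is None; smart lockout relies on audit events" }
    if (-not $props.ExtranetLockoutEnabled)  { $issues += "Extranet lockout is disabled; enable it and set the threshold/window first" }
    return $issues                           # an empty array means the farm is ready
}

function Set-AdfsExtranetLockoutMode {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('ADPasswordCounter','ADFSSmartLockoutLogOnly','ADFSSmartLockoutEnforce')]
        [string]$Mode,
        [Parameter(Mandatory)][string[]]$FarmServers
    )
    if ($Mode -eq 'ADFSSmartLockoutEnforce') {
        $issues = @(Test-AdfsSmartLockoutPrerequisites)
        if ($issues.Count -gt 0) { throw ($issues -join '; ') }
    }
    Set-AdfsProperties -ExtranetLockoutMode $Mode
    # The new mode only takes effect once the service restarts on every farm member.
    Invoke-Command -ComputerName $FarmServers -ScriptBlock { Restart-Service adfssrv }
}

# During the log-only phase: which accounts would have been blocked, and from which side?
# A high BadPwdCountUnknown with a low BadPwdCountFamiliar is the pattern smart lockout
# is designed to stop without affecting the real user.
function Get-AdfsLockoutReview {
    param([Parameter(Mandatory)][string[]]$UserPrincipalNames)
    foreach ($upn in $UserPrincipalNames) {
        $a = Get-ADFSAccountActivity $upn
        [pscustomobject]@{
            User                = $upn
            BadPwdCountFamiliar = $a.BadPwdCountFamiliar   # assumed output property names
            BadPwdCountUnknown  = $a.BadPwdCountUnknown
            FamiliarLockout     = $a.FamiliarLockout
            UnknownLockout      = $a.UnknownLockout
            FamiliarIPs         = ($a.FamiliarIPs -join ',')
        }
    }
}

# Usage (constructed names):
# Set-AdfsExtranetLockoutMode -Mode ADFSSmartLockoutLogOnly -FarmServers 'ADFS1','ADFS2'
# Get-AdfsLockoutReview -UserPrincipalNames 'alice@contoso.example','bob@contoso.example' | Format-Table
# Set-AdfsExtranetLockoutMode -Mode ADFSSmartLockoutEnforce -FarmServers 'ADFS1','ADFS2'
```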
Configuring Relying Party Trusts
Add the Application as a Relying Party to AD FS
Configuring an application to trust the STS is just the first step
The STS must be configured to issue tokens to the application
• The application is referred to as a relying party
Types of Relying Party Trusts
• Claims-aware
• Non-claims-aware
Add the Application as a Relying Party to AD FS
Relying party information may be provided via Federation Metadata
• Published on an accessible URL or
• Supplied in a file
Alternatively, relying parties may be configured manually
• Requires information from the application developer/vendor
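Both registration paths above (federation metadata, or manual entry from vendor-supplied details) map onto Add-AdfsRelyingPartyTrust. The following is an added example, not code from the deck: it registers one relying party from a metadata URL and a SAML 2.0 application manually, and in the manual case requires signed SAML requests and replaces the default permit-everyone authorization with a group rule. It assumes the ADFS module on the primary server; the names, URLs, certificate path and group SID are constructed placeholders.

```powershell
# Added example: register a relying party from federation metadata, and manually for a
# SAML 2.0 application. All names, URLs, paths and the group SID are placeholders.

# 1) From published metadata. Monitoring plus auto-update keeps the vendor's certificates
#    and endpoints current without manual edits.
function Add-RelyingPartyFromMetadata {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$MetadataUrl
    )
    Add-AdfsRelyingPartyTrust -Name $Name -MetadataUrl $MetadataUrl `
        -MonitoringEnabled $true -AutoUpdateEnabled $true
}

# 2) Manually. Everything the metadata would have carried must come from the vendor:
#    entity ID, assertion consumer URL and the certificate it signs AuthnRequests with.
function Add-SamlRelyingPartyManually {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Identifier,             # SAML EntityID
        [Parameter(Mandatory)][string]$AssertionConsumerUrl,
        [Parameter(Mandatory)][string]$RequestSigningCertPath  # vendor's .cer, public key only
    )

    $signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RequestSigningCertPath)
    $acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
               -Uri $AssertionConsumerUrl -Index 0 -IsDefault $true

    # Issuance transform rule (claim rule language): issue the UPN from Active Directory.
    $transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@

    # Issuance authorization rule: permit only members of one group (placeholder SID)
    # instead of the default "permit everyone".
    $authzRules = @'
@RuleName = "Permit application users group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)S-1-5-21-0-0-0-1234$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

    Add-AdfsRelyingPartyTrust -Name $Name -Identifier $Identifier -SamlEndpoint $acs `
        -RequestSigningCertificate $signingCert -SignedSamlRequestsRequired $true `
        -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules
}

# Usage (constructed values):
# Add-RelyingPartyFromMetadata -Name 'Expense App' -MetadataUrl 'https://expense.contoso.example/FederationMetadata/2007-06/FederationMetadata.xml'
# Add-SamlRelyingPartyManually -Name 'HR Portal' -Identifier 'https://hr.contoso.example/saml' `
#     -AssertionConsumerUrl 'https://hr.contoso.example/saml/acs' -RequestSigningCertPath 'C:\certs\hr-portal.cer'
```

Get-AdfsRelyingPartyTrust -Name 'HR Portal' afterwards shows the stored identifier, endpoint and rule sets, which is the quickest way to confirm the manual entry matches what the vendor sent.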
Troubleshooting: AD FS Event Logs
• AD FS Event logs are found at Application And Services Logs > AD FS
• Relevant events for authentication errors and configuration
• By default, verbose level of logging is enabled
Get-AdfsProperties | Select-Object -ExpandProperty LogLevel
• Modify the default log level setting using PowerShell
Set-AdfsProperties -LogLevel Verbose,Errors,Warnings,Information,FailureAudits,SuccessAudits
• Windows Identity Foundation (WIF) also generates errors that appear in exception details
AD FS Event Logs
• Security Event logs add more information about the authentication
process
• Need to enable AD FS Auditing
• Device Registration Event logs are found at Application And Services
Logs > Device Registration Service
AD FS Event Logs
• Correlation Activity ID enables tracking of all session related events
• Activity ID is displayed on the error message at the logon page
• Need to correlate authentication errors with event logs
• In Event Viewer
• Use Find to locate events with the same Activity ID
• Use an XML Query to filter events with the Activity ID
AD FS Event Logs
• To filter events with the same Activity ID, create a custom query and use the following XML Query Template
<QueryList>
  <Query Id="0" Path="AD FS/Admin">
    <Select Path="AD FS/Admin">*[System[Correlation[@ActivityID='{00000000-0000-0000-0400-0080000000ac}']]]</Select>
  </Query>
</QueryList>
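The same XPath used in the query template can be run from PowerShell, which is faster than clicking through Event Viewer when a user reports the Activity ID from the logon error page. The following is an added example, not from the deck: it pulls the correlated events from the AD FS/Admin log with the template's XPath and adds the AD FS audit events from the Security log, where the Activity ID appears in the message text. It assumes it runs on the farm member that handled the request (each node keeps its own logs), and the GUID in the usage line is the sample value from the template.

```powershell
# Added example: collect all events for one Activity ID across the AD FS/Admin and
# Security logs on this server and present them as a single timeline.

function Get-AdfsEventsByActivityId {
    param(
        [Parameter(Mandatory)][guid]$ActivityId,
        [int]$Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)

    # AD FS/Admin: the ActivityID sits in System/Correlation, so XPath selects it directly
    # (this is the <Select> expression from the Event Viewer template).
    $xpath = "*[System[Correlation[@ActivityID='{$ActivityId}']]]"
    $admin = @(Get-WinEvent -LogName 'AD FS/Admin' -FilterXPath $xpath -ErrorAction SilentlyContinue)

    # Security: narrow by provider and time first (cheap), then match the GUID in the message.
    $audit = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ProviderName = 'AD FS Auditing'; StartTime = $since } -ErrorAction SilentlyContinue |
               Where-Object { $_.Message -match [regex]::Escape($ActivityId.ToString()) })

    ($admin + $audit) |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, LogName, Id, LevelDisplayName,
                      @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }   # first line only
}

# Usage (sample GUID from the query template):
# Get-AdfsEventsByActivityId -ActivityId '00000000-0000-0000-0400-0080000000ac' | Format-Table -AutoSize
```

Behind a load balancer the request may have been served by any farm member, so run the function on each node (or via Invoke-Command against all of them) until the Activity ID turns up.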
AD FS Debug Trace Logs
• Enabling debug tracing for AD FS provides an extended set of events that can help
troubleshoot issues
• AD FS uses the Event Tracing for Windows (ETW) framework to log traces
• AD FS Debug logging is not enabled by default
• Default trace log size is 10 GB, overwrites older log file data
• Device Registration Service also has a Debug Log
• Change Trace log properties using Event Log Microsoft Management Console
• To enable verbose trace logging, use event viewer
• Click View > Show Analytic And Debug Logs
• Will open AD FS Tracing under Application and Service Logs.
Troubleshooting: AD FS Auditing
AD FS Security Audit
• AD FS can be configured for security audit
• Events are logged in the Security Log
• Source shows as AD FS Auditing
• Enables issued claims to be viewed
• Auditing must be enabled on:
• Policy (local or GPO)
• AD FS Management Console
• Windows Server 2016 adds new auditing features
New AD FS Audit Features
• Windows Server 2016 introduces the Audit Level setting
Get-AdfsProperties | Select AuditLevel
Audit Level: None
  PowerShell Syntax: Set-AdfsProperties -AuditLevel None
  Description: Auditing is disabled and no events will be logged.
Audit Level: Basic (Default)
  PowerShell Syntax: Set-AdfsProperties -AuditLevel Basic
  Description: No more than 5 events will be logged for a single request.
Audit Level: Verbose
  PowerShell Syntax: Set-AdfsProperties -AuditLevel Verbose
  Description: All events will be logged. This will log a significant amount of information per request.
New AD FS Audit Features
• Windows Server 2016 introduces new Audit Events
EventId 1200, Application Token Success: A request where a security token is issued successfully by the Federation Service.
EventId 1201, Application Token Failure: A request where security token issuance failed on the Federation Service.
EventId 1202, Fresh Credential Validation Success: A request where fresh credentials are validated successfully by the Federation Service.
EventId 1203, Fresh Credential Validation Error: A request where fresh credential validation failed on the Federation Service.
EventId 1204, Password Change Request Success: A transaction where the password change request was successfully processed by the Federation Service.
EventId 1205, Password Change Request Error: A transaction where the password change request failed to be processed by the Federation Service.
EventId 1206, Sign Out Success: Describes a successful sign-out request.
1207
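The event IDs in the table are the ones a defender watches for password-guessing against the extranet endpoints discussed in the lockout section: a run of 1203 (fresh credential validation errors) with few matching 1202 successes. The following is an added example, not from the deck, that summarises these events from the Security log over a time window and buckets the failures per hour so that a burst is visible. It assumes AuditLevel is Basic or Verbose and that auditing is enabled in policy as described above; the alert threshold is a constructed value to be tuned per environment.

```powershell
# Added example: count the AD FS audit events (1200-1206) over a window and flag a
# failure spike. Provider name "AD FS Auditing" is the Security-log source from the slides.

function Get-AdfsAuditSummary {
    param(
        [int]$Hours = 24,
        [int]$FailureAlertThreshold = 200   # constructed; tune to the farm's normal noise
    )

    $filter = @{
        LogName      = 'Security'
        ProviderName = 'AD FS Auditing'
        Id           = 1200, 1201, 1202, 1203, 1204, 1205, 1206
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    # Per-ID counts; missing IDs read back as 0 through the [int] cast.
    $count = @{}
    foreach ($e in $events) { $count[$e.Id] = 1 + [int]$count[$e.Id] }

    # Failures grouped per hour: steady background noise versus a burst.
    $failPerHour = $events |
        Where-Object { $_.Id -in @(1201, 1203) } |
        Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
        Sort-Object Name |
        ForEach-Object { [pscustomobject]@{ Hour = $_.Name; Failures = $_.Count } }

    $fail = [int]$count[1201] + [int]$count[1203]
    $ok   = [int]$count[1200] + [int]$count[1202]

    [pscustomobject]@{
        WindowHours            = $Hours
        TokenIssued_1200       = [int]$count[1200]
        TokenFailed_1201       = [int]$count[1201]
        CredValidated_1202     = [int]$count[1202]
        CredFailed_1203        = [int]$count[1203]
        PasswordChangeOk_1204  = [int]$count[1204]
        PasswordChangeErr_1205 = [int]$count[1205]
        SignOut_1206           = [int]$count[1206]
        FailureRatio           = if (($ok + $fail) -gt 0) { [math]::Round($fail / ($ok + $fail), 3) } else { 0 }
        Alert                  = ($fail -ge $FailureAlertThreshold)
        FailuresPerHour        = $failPerHour
    }
}

# Usage:
# $s = Get-AdfsAuditSummary -Hours 6
# $s | Select-Object * -ExcludeProperty FailuresPerHour
# $s.FailuresPerHour | Format-Table
```

Because each farm member writes its own Security log, run the summary on every node (or through Invoke-Command) and add the counts; a load balancer spreads a single guessing run across all of them.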
Additional References
• ADFS Docs
• What's new in Active Directory Federation Services
• AD FS Deployment
• Best practices for securing Active Directory Federation Services
• ADFS FAQ's