Scope:
Get ADFS to do certificate authentication so iOS users do not need to log in with their AD credentials, both from the internal Wi-Fi network and from the external network. Set up SharePoint to allow certificate-based authentication.
Current setup:
ADFS farm with 2 servers on the internal LAN and 2 WAP servers in the DMZ. Firewalls exist between External and DMZ and between DMZ and Internal.
Does ADFS currently work? Yes: NTLM, Kerberos and Forms. X.509 is not enabled.
One certificate is used for service communication and proxy trust: adfs.contoso.com, a public cert issued by GoDaddy.
Things done:
· Allowed traffic from External to the DMZ WAP servers on ports 443 and 49443 (49443 is the port ADFS uses for client certificate authentication).
· Set up the F5 with the ADFS template and/or a Layer 4 virtual server: no SSL offload, automap and source-address persistence for 443 and 49443. TLS has to terminate on the WAP/ADFS servers rather than on the F5, otherwise the client certificate never reaches them.
· Connectivity between the WAP and ADFS servers through the firewall on port 443 already existed.
· Enabled certificate authentication on ADFS for both the Extranet zone and the Intranet zone.
· Added claim rules on the Active Directory claims provider trust (not mandatory, but added to be prepared for Office 365 if needed):
o c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/serialnumber"]
   => issue(claim = c);
o c:[Type == "http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer"]
   => issue(claim = c);
· Enabled WIA only for Windows machines, Macintosh machines (not all iOS devices), Mozilla and Chrome browsers. A client whose user agent is not on the WIA list is not challenged for Kerberos/NTLM and is offered the other enabled sign-in methods instead; without this, iPads and iPhones would not get prompted for an X.509 certificate when they connect internally (intranet). The commands below are references; work out yourself how to run them to get the desired outcome (a bit of PowerShell helps).
1. Get the current list of user agents that ADFS treats as supporting WIA:
[System.Collections.ArrayList]$UserAgents = Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents
2. Add the user-agent prefixes to that temporary list (one Add call per entry):
$UserAgents.Add("Mozilla/5.0 (X11")
$UserAgents.Add("Mozilla/5.0 (Macintosh")
$UserAgents.Add("Mozilla/5.0 (Windows NT")
3. Commit the change:
Set-AdfsProperties -WIASupportedUserAgents $UserAgents
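The three steps above as one re-runnable script. This is an added example, not code from the original post: it only adds entries that are missing (so it is safe to run again), commits and restarts the service, and then shows which of a few constructed User-Agent strings would be routed to WIA and which would fall through to the forms/certificate sign-in page. Assumptions: it is run as an AD FS administrator on the primary farm node (the property is farm-wide); Test-WiaUserAgent is a helper written here that models the setting as a substring match of the User-Agent header, which is how the setting is documented; the sample User-Agent strings are constructed, not captured.

```powershell
# Added example, not part of the original post.
# Prefixes the post adds; a User-Agent containing any of them is treated as WIA-capable.
$PrefixesToAdd = @(
    'Mozilla/5.0 (Windows NT',   # Windows browsers (Chrome, Firefox, Edge)
    'Mozilla/5.0 (Macintosh',    # macOS browsers
    'Mozilla/5.0 (X11'           # Linux browsers
)

function Test-WiaUserAgent {
    # Returns $true when any configured entry occurs inside the User-Agent header.
    # Assumption (how the setting is documented): entries are matched as substrings.
    param(
        [Parameter(Mandatory)][string]$UserAgent,
        [Parameter(Mandatory)][string[]]$SupportedUserAgents
    )
    foreach ($entry in $SupportedUserAgents) {
        if ($UserAgent.IndexOf($entry, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

# 1. Current list from the farm configuration.
[System.Collections.ArrayList]$UserAgents = @(Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents)

# 2. Add only what is missing, so re-running the script never duplicates entries.
foreach ($p in $PrefixesToAdd) {
    if (-not ($UserAgents -contains $p)) { [void]$UserAgents.Add($p) }
}

# 3. Commit (farm-wide) and restart the AD FS service on this node so the change is live.
Set-AdfsProperties -WIASupportedUserAgents $UserAgents
Restart-Service adfssrv

# Constructed sample User-Agent headers (not captured from real clients).
$Samples = @{
    'Windows 10 Chrome' = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0 Safari/537.36'
    'macOS Safari'      = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0 Safari/605.1.15'
    'iPhone Safari'     = 'Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0 Mobile/15E148 Safari/604.1'
}
foreach ($name in $Samples.Keys) {
    $wia = Test-WiaUserAgent -UserAgent $Samples[$name] -SupportedUserAgents $UserAgents
    '{0,-18} -> {1}' -f $name, $(if ($wia) { 'WIA (Kerberos/NTLM)' } else { 'forms / certificate prompt' })
}
```

Expect the Windows and macOS samples to report WIA and the iPhone sample to report the forms/certificate prompt. One caveat the post does not cover: Safari on iPadOS 13 and later sends a "Mozilla/5.0 (Macintosh" User-Agent by default ("Request Desktop Website"), so with the Macintosh prefix in the list those iPads are treated as WIA clients; test an iPad, not just an iPhone, before rolling this out. Restart adfssrv on every other farm node afterwards as well.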
· Make sure all your root CAs and intermediate CAs are installed on the local machines in the correct certificate containers (Trusted Root Certification Authorities and Intermediate Certification Authorities).
· Check that the ADFS SSL certificate is the same on ADFS and WAP:
o Get-AdfsSslCertificate (on the ADFS servers)
o Get-WebApplicationProxySslCertificate (on the WAP servers)
· iOS devices need all of the organisation's CA certificates installed on the device along with the user certificate, for whichever browser you will use for certificate authentication. Otherwise you will not get prompted to select a certificate.
Things that were wrong or went wrong:
The adfs.contoso.com cert was renewed after the initial ADFS farm installation. This was done via the MMC console and the ADFS console: I created a new CSR, got a new public cert from the GoDaddy CA, then imported it and enabled it for service communication in ADFS. After a lot of hours of troubleshooting I found out that although the certificate was installed and ADFS was working fine for NTLM, Kerberos and WIA, X.509 wasn't working: I would not get a prompt for choosing a cert.
It turns out that if you renew and import the ADFS SSL cert via the GUI, the Negotiate Client Certificate parameter is not set correctly on the HTTP.sys SSL binding for port 49443 (as shown by netsh http show sslcert):
Hostname:port                                          : adfs.metrotrains.com.au:49443
Certificate Hash                                       : b9852b75fc0ba578f1a141172dcbf0e328950140
Application ID                                         : {5d89a20c-beab-4389-9447-324788eb944a}
Certificate Store Name                                 : MY
Verify Client Certificate Revocation                   : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check                                            : Enabled
Revocation Freshness Time                              : 0
URL Retrieval Timeout                                  : 0
Ctl Identifier                                         : (null)
Ctl Store Name                                         : AdfsTrustedDevices
DS Mapper Usage                                        : Disabled
Negotiate Client Certificate                           : Disabled   (should be Enabled)
That flag controls whether HTTP.sys requests a client certificate as part of the TLS handshake on that port; with it disabled the browser is never asked, so no certificate picker appears.
To fix it I had to set the ADFS SSL cert again using PowerShell:
Set-AdfsSslCertificate -Thumbprint "<adfs.contoso.com cert thumbprint>"
This fixed the issue of not getting prompted for a cert when trying to connect to ADFS from the internal network.
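A check for the condition described above, as an added example that is not from the original post: it parses netsh http show sslcert for the 49443 binding, tests the Negotiate Client Certificate flag, and if the flag is off re-applies the service certificate with Set-AdfsSslCertificate (which rewrites the HTTP.sys bindings) and restarts the service. Assumptions: it is run elevated on each AD FS farm node; $FederationServiceName is your farm name (adfs.contoso.com here); ConvertFrom-NetshSslCert and Test-ClientCertBinding are helpers written for this example; the sample netsh text is constructed from the values shown above so the parser can be exercised on a machine without AD FS.

```powershell
# Added example, not part of the original post.
$FederationServiceName = 'adfs.contoso.com'   # assumption: your farm name
$ClientCertPort        = 49443                # port AD FS uses for client certificate auth

function ConvertFrom-NetshSslCert {
    # Turns netsh's "Name : Value" lines into a hashtable keyed by the name.
    # Keys such as "Hostname:port" contain a colon, so split on the first colon
    # that is preceded by whitespace rather than on the first colon.
    param([Parameter(Mandatory)][string[]]$Lines)
    $binding = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\S.*?)\s+:\s*(.*?)\s*$') { $binding[$Matches[1]] = $Matches[2] }
    }
    return $binding
}

function Test-ClientCertBinding {
    # $true only when HTTP.sys will ask the client for a certificate during the TLS handshake.
    param([Parameter(Mandatory)][hashtable]$Binding)
    return ($Binding['Negotiate Client Certificate'] -eq 'Enabled')
}

# Constructed sample (values copied from the broken state shown in the post),
# so the parser can be exercised without an AD FS server.
$Sample = @'
    Hostname:port                : adfs.contoso.com:49443
    Certificate Hash             : b9852b75fc0ba578f1a141172dcbf0e328950140
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Certificate Store Name       : MY
    Negotiate Client Certificate : Disabled
'@ -split "`r?`n"
'Sample binding negotiates client certs: ' + (Test-ClientCertBinding (ConvertFrom-NetshSslCert $Sample))

# Live check on this node.
$hostPort = '{0}:{1}' -f $FederationServiceName, $ClientCertPort
$live = ConvertFrom-NetshSslCert (& netsh.exe http show sslcert hostnameport=$hostPort)
if (Test-ClientCertBinding $live) {
    "OK: $hostPort negotiates client certificates"
} else {
    "FIX: $hostPort does not negotiate client certificates; re-applying the service certificate"
    # Reuse the hash already bound on the service-communication port (443).
    $thumb = (Get-AdfsSslCertificate | Where-Object { $_.PortNumber -eq 443 } | Select-Object -First 1).CertificateHash
    Set-AdfsSslCertificate -Thumbprint $thumb
    Restart-Service adfssrv
}
```

The sample check prints False (that is the broken state). Run the script on every node in the farm: the HTTP.sys binding is per-server, so a node that was fixed does not fix its neighbours.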
The same fix applies if you don't get a prompt for the user cert when connecting to the WAP boxes; the commands are a bit different. Run
Get-WebApplicationProxySslCertificate
to check whether the WAP is using the same cert as ADFS, i.e. adfs.contoso.com.
If it isn't, you won't get prompted for the user cert when connecting from outside to the WAP and the page will just sit there forever. To fix it, run:
Install-WebApplicationProxy -CertificateThumbprint "<adfs.contoso.com cert thumbprint>" -FederationServiceName "adfs.contoso.com"
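The WAP-side check as an added example, not code from the original post: it fetches the certificate the AD FS farm actually presents over TLS (through the DMZ firewall on 443, which the post says is open), compares its thumbprint with what the WAP has bound on 443 and 49443, and re-registers the proxy with the farm's thumbprint when they differ. Assumptions: it is run elevated on each WAP node; adfs.contoso.com resolves from the DMZ to the internal farm or its F5 VIP; the same certificate is already imported into the WAP's local machine store, otherwise Install-WebApplicationProxy cannot bind it; Get-ServedCertThumbprint and Compare-WapCertificate are helpers written for this example.

```powershell
# Added example, not part of the original post.
$FederationServiceName = 'adfs.contoso.com'   # assumption: your farm name

function Get-ServedCertThumbprint {
    # Opens a TLS session and returns the thumbprint of the server certificate presented.
    # Chain validation is bypassed on purpose: we want the cert even if this node cannot chain it.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return $cert.Thumbprint
    } finally { $tcp.Close() }
}

function Compare-WapCertificate {
    # Returns the WAP SSL bindings whose thumbprint differs from the expected one.
    param([Parameter(Mandatory)][string]$ExpectedThumbprint)
    Get-WebApplicationProxySslCertificate |
        Where-Object { $_.CertificateHash -ne $ExpectedThumbprint } |
        Select-Object HostName, PortNumber, CertificateHash
}

$farmThumb  = Get-ServedCertThumbprint -HostName $FederationServiceName
$mismatched = @(Compare-WapCertificate -ExpectedThumbprint $farmThumb)
if ($mismatched.Count -eq 0) {
    "OK: all WAP bindings use the farm certificate $farmThumb"
} else {
    "Mismatch: these WAP bindings do not use $farmThumb"
    $mismatched | Format-Table -AutoSize
    # Re-register the proxy with the farm's certificate. This prompts for the
    # federation service trust credential and rewrites the 443/49443 bindings.
    Install-WebApplicationProxy -CertificateThumbprint $farmThumb -FederationServiceName $FederationServiceName
    Restart-Service appproxysvc
    Restart-Service adfssrv
}
```

If the thumbprint returned by Get-ServedCertThumbprint is not the GoDaddy adfs.contoso.com cert at all, the WAP is reaching something other than the farm (a stale hosts entry or the wrong F5 virtual server), and re-registering the proxy will not help until that is fixed.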
NOTES:
Restart the ADFS service after EVERY change you make on an ADFS server. The cert changes need to be performed on every server in the farm. The same applies to the WAP servers, and WAP also has an additional Web Application Proxy service that needs to be restarted.
The above task was accomplished with the help of various forums. All the articles I looked at were referring to user cert auth as part of MFA; however, I needed user cert auth as a separate sign-on option.
The articles, links and forums that were helpful in accomplishing the above task were:
Disclaimer:
I'm no expert at ADFS or SAML. I'm still learning. The above solution might not be the perfect fit or so-called best practice, but it works.
Hopefully someone out there who is facing a similar challenge might find the above useful.
Cheers