Wednesday, November 22, 2017

Setup and Enable Certificate Authentication on ADFS 3



Scope:

Get ADFS to do Certificate Auth so IOS Users do not need to login using their AD creds. From Internal Wifi network and from External network. Setup Sharepoint to allow CERT based auth.
Current Setup:
ADFS farm with 2 servers on the Internal Lan and 2 WAP servers on the DMZ. Firewalls exit between External to DMZ and DMZ to Internal.
Does ADFS currently work? YES NTLM, Kerberos and Forms
X.509 isn’t enabled.
One cert used for Service communication and proxy trust adfs.contoso.com public cert via GoDaddy

Things done:

·         Allowed traffic from External to DMZ WAP servers on port 443 and 49443
·         Setup f5 with adfs template and/or VS with L4 layer no SSL offload, automap and source address persistence for 443 and 49443
·         Connectivity between WAP and ADFS servers via the Firewall on port 443 already existed.
·         Enabled Certificate Auth on ADFS for Extranet zone and Intranet zone.
·         Added for AD Claims provider claims rules (not mandatory but added it to be prepared for Office 365 if need be)
o   c:[Type == " http://schemas.microsoft.com/ws/2008/06/identity/claims/serialnumber"]  => issue(claim = c);
o   c:[Type == " http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer"]  => issue(claim = c);
·         Enabled WIA only for Windows machines, Macintosh machines (not all IOS devices), Mozilla and chrome, else Ipad and iphones wont get prompted for X.509 if they connect internally (intranet). The commands below are references. Work out yourself how to run these commands and get the desired outcome. Hope you know a bit of powershell.

1.      Execute the following command to get the current list of supported user-agents for NTLM authentication
[System.Collections.ArrayList]$UserAgents = Get-AdfsProperties | select -ExpandProperty WIASupportedUserAgents
2.      Execute the following command to inject the user agent into a temporary array of user agents already added to ADFS.
$UserAgents.Add(“Mozilla/5.0 (X11”) and Mozilla/5.0 (Macintosh AND Mozilla/5.0 (Windows NT
3.      Execute the following command to commit the change.
Set-ADFSProperties -WIASupportedUserAgents $UserAgents

·         Make sure all your ROOT CAs and Intermediate CAs are installed on local machines in the correct containers.
·         Check ADFS certs are the same on ADFS and WAP
o   Get-adfssslcertificate
o   Get-webapplicationproxysslcertificate
·         IOS devices need all the organisation CA certs on the devices along with the user cert. So the Browsers that you would use to auth using Cert auth. Else you wont get prompted for Cert selection.

Things that were wrong or went wrong:

Adfs.contoso.com cert was renewed after the initial ADFS farm installation. This was done via the MMC console and ADFS console, by created new CSR, get a new public cert from Godaddy CA and then importing and enabling it for service communication on ADFS. After a lot of hours of troubleshooting I found out that the certificate was installed and although ADFS for NTLM, Kerberos and WIA was working fine, X.509 wasn’t working. Would not get a prompt for choosing a cert.
Turns out, if you renew and import the adfs ssl cert via the gui, the following parameter in bold is not flagged correctly for the SSL binding on port 49443
Hostname:port                : adfs.metrotrains.com.au:49443
    Certificate Hash             : b9852b75fc0ba578f1a141172dcbf0e328950140
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : AdfsTrustedDevices
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled (should be enabled)

To fix it I had to set the ADFS ssl cert again using powershell
                Set-AdfsSslCertificate -Thumbprint
This fixed the issue of not getting prompted for cert when trying to connect to ADFS from the internal network.
The same fix above applies if you don’t get a prompt for user cert when connecting to the WAP boxes. The commands are a bit different.
Get-webapplicationproxysslcertificate to check if the WAP is using the same cert as the ADFS one which is adfs.contoso.com
If it ISN’t you won’t get prompted for user cert when connecting from outside to the WAP and the page will just sit there forever. To fix it,
Run
Install-WebApplicationProxy -CertificateThumbprint “adfs.contoso.com cert thumbprint” -FederationServiceName “adfs.contoso.com

NOTES:
Restart ADFS services after EVERY change you make on the ADFS server. The cert changes need to be performed on every server in the farm. Same applies for the WAP server and WAP also has an additional WAP service that needs to be restarted.
The above task was accomplished with help of various forums. All the articles I looked at were referring to user cert auth as part of MFA, however, I needed user cert auth as a separate signon option.

The articles, links and forums that were helpful with accomplishing the above task were:

Disclaimer:


I’m no expert at ADFS or SAML. I’m still learning. The above solution might not be the perfect fit or so called best practice but it works.
Hopefully someone out there who is facing a similar challenge might find the above useful.
Cheers





1 comment: