January 2011 - Posts

ADFS v2 Troubleshooting
26 January 11 12:20 PM | forefrontsecurity | with no comments

A few weeks ago I published a post about ADFS v2, mentioning that it was a bit complicated to troubleshoot.

I recently had to solve an ADFS problem that a colleague ran into while setting it up for Office 365 federation. Bear in mind that I was working with the beta version of Office 365.

Again, troubleshooting was not obvious, so I would like to share the steps I followed to find out what the problem was.

First of all, here is a small diagram of the architecture I was working with:

clip_image002

Let's call the domain Company.test.

The user we are working with is TestUser6@company.com (we had added the custom UPN suffix company.com to the company.test domain).

The point of this configuration is to enable invisible, integrated authentication to the Office 365 website.

When configuring the ADFS v2 server, we tell it to publish the ADFS authentication website as STS.Company.test, so when users try to authenticate to the Microsoft Online website they are redirected to the sts.company.test ADFS website for authentication.

This is the basic configuration of the federation service:

clip_image004

The ADFS relying party trust configuration is done automatically through some PowerShell scripts.

This configuration works perfectly as is: you are able to log in to the Microsoft Online website with your Active Directory credentials.

Now here is the tricky part: the client requested that the sts.company.test website be renamed sts.company.com.

So we reconfigured the federation service with the .com name:

clip_image006

I will skip the whole configuration, but basically you need to generate a new certificate for sts.company.com, bind it in IIS, and then add it in the ADFS configuration interface.

Now, after updating the relying party trust, we can no longer log in to the Microsoft Online website; we get this error:
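The check I would run right after a rename like this, as an added example that is not part of the original post: it confirms that the service identifier, the service-communications certificate and every endpoint published in the federation metadata agree on the new name. It assumes the ADFS 2.0 PowerShell snap-in on the federation server and the host names used in this post.

```powershell
# Added example (not part of the original post): after renaming the federation
# service, confirm that the identifier, the service-communications certificate
# and every endpoint published in the metadata agree on the new name.
# Run on the ADFS 2.0 server; uses the ADFS 2.0 PowerShell snap-in.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$newName = 'sts.company.com'   # the name the client asked for
$oldName = 'sts.company.test'  # the name the service was first published under

# 1. Service properties. The identifier is configured independently of the
#    host name, so a host name change does not rewrite it.
$props = Get-ADFSProperties
"HostName  : $($props.HostName)"
"Identifier: $($props.Identifier)"

# 2. The service-communications (SSL) certificate must be issued to the new name.
$ssl = Get-ADFSCertificate -CertificateType Service-Communications
"SSL cert  : $($ssl.Certificate.Subject)  (thumbprint $($ssl.Certificate.Thumbprint))"

# 3. Published metadata: fetch it from the new name and inspect entityID and
#    every endpoint Location. SAML metadata attributes carry no namespace,
#    so a plain XPath attribute match is enough.
$url = "https://$newName/FederationMetadata/2007-06/federationmetadata.xml"
$md  = [xml](New-Object System.Net.WebClient).DownloadString($url)
"entityID  : $($md.EntityDescriptor.entityID)"

$stale = @()
foreach ($node in $md.SelectNodes('//*[@Location]')) {
    $loc = $node.GetAttribute('Location')
    if ($loc -notlike "https://$newName/*") { $stale += $loc }
}

# 4. Report anything still tied to the old name. Whatever changed here is what
#    the relying party (the Microsoft Online federation) has to be told about.
if ($props.Identifier -like "*$oldName*") { "WARNING: identifier still references $oldName" }
if ($ssl.Certificate.Subject -notmatch [regex]::Escape($newName)) { "WARNING: SSL certificate not issued to $newName" }
if ($stale.Count -gt 0) {
    "WARNING: endpoints not published on ${newName}:"
    $stale | ForEach-Object { "  $_" }
} else {
    "All metadata endpoints use $newName"
}
```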

clip_image008

And now the troubleshooting begins.

First of all, install Fiddler or HttpWatch on the client computer:

http://www.fiddler2.com/fiddler2/

http://www.httpwatch.com/?gclid=CL2lwaix1aYCFdERfAodcjTrMw

Then install Microsoft Network Monitor on the federation server and on the domain controller:

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f

Activate logging and tracing of events on the federation server:

clip_image010

Go to Event Viewer and enable the analytic and debug logs:

clip_image012

And enable the ADFS 2.0 tracing logs:

clip_image014

Enable auditing of ADFS events by running this command on the ADFS server:

auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
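The same preparation as a script, as an added example that is not part of the original post: it enables the ADFS 2.0 tracing log and the audit subcategory, then pulls the most recent failures from the Admin log, the tracing log and the Security log. Log names are those of ADFS 2.0; the audit provider name is an assumption noted in the code.

```powershell
# Added example (not part of the original post): turn on the ADFS 2.0 diagnostic
# sources on the federation server and pull the most recent failures from them.
# Run from an elevated PowerShell prompt on the ADFS 2.0 server.

# 1. Tracing log (Event Viewer > Applications and Services Logs > AD FS 2.0 Tracing > Debug).
wevtutil.exe set-log 'AD FS 2.0 Tracing/Debug' /e:true /q:true

# 2. Audit events for the "Application Generated" subcategory, written to the
#    Security log. The ADFS service account also needs the "Generate security
#    audits" user right for the events to appear; this script assumes it has it.
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable

# 3. Errors from the Admin log within the last hour (Level 2 = Error).
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS 2.0/Admin'; Level = 2; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 4. Errors and warnings from the tracing log. Analytic/debug logs can only be
#    read oldest-first, so the time filter is applied after reading.
Get-WinEvent -LogName 'AD FS 2.0 Tracing/Debug' -Oldest -ErrorAction SilentlyContinue |
    Where-Object { $_.TimeCreated -ge $since -and $_.Level -le 3 } |
    Select-Object TimeCreated, Id, Message | Format-List

# 5. Audit events. The provider name 'AD FS 2.0 Auditing' is assumed here; check
#    the Source column of an audit entry in the Security log if it differs.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ProviderName = 'AD FS 2.0 Auditing'; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```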

You are now ready to follow the course of your SAML token and see where the error appears.

Let's start by monitoring what happens on the client when it tries to connect to the website. I used HttpWatch Pro to check this.

The trace shows that the client is indeed redirected to the STS ADFS website and sends it the logon information:

clip_image016

Looking into the details of this trace, we find that all the information sent to the ADFS server is correct:

clip_image018

Query string sent:

clip_image020

Now let's monitor the traffic going through the ADFS server.

In Network Monitor, filter the captured frames by Authentication. This is what you should get:

clip_image022

Highlighted in yellow is the traffic between Active Directory and the ADFS server.

Checking the details of this traffic, we see that the user we tried to log on to the website with is actually reaching Active Directory:

clip_image024

And Active Directory replies with success, sending the requested information to the ADFS server:

clip_image026

For now, everything seems to be fine with the ADFS server and the traffic going through it.

Let's check the logs for more information.

The trace logs show that the authentication process completed without error:

clip_image028

The Admin log only shows errors related to the ADFS service itself, and those are fine too:

clip_image029

The system log shows us the audit events related to the ADFS authentication request against Active Directory, and in my case that was clean too.

All this troubleshooting led us to believe that the issue was with the Microsoft Online service, which was still in beta and did not support some of the setting changes we made.

The issue should however be solved soon.

This post was meant to walk you through an ADFS troubleshooting process.

Hope this helps.


Posted by Hicham Bardawil

UAG SP1 Transparent Logon with ADFS V2
07 January 11 04:40 PM | forefrontsecurity | with no comments

Forefront UAG Service Pack 1 was recently released, and with it the ability to log in to your UAG portal automatically without having to authenticate manually. This feature is enabled when ADFS v2 is configured as an authentication repository.

Pretty exciting since those two technologies are pretty recent and fun to work with.

I’ll show in this post how to configure ADFS to work with UAG.

Begin by installing and configuring ADFS on a server in your LAN. I used my domain controller and installed the ADFS v2 package I found here: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=118c3588-9070-426a-b655-6cec0a92c10b&displaylang=en

The integrated ADFS role doesn't work as well, for some reason…

I'll let you install and do the basic ADFS configuration on your own; it's pretty simple and there are lots of resources on the net. Here's one that should help:

http://technet.microsoft.com/en-us/library/adfs2-how-to-setup-lab-environment-for-federated-collaboration-07(WS.10).aspx

Once the installation is complete, you'll have a federation metadata address of the form https://adfs2_server/FederationMetadata/2007-06/federationmetadata.xml that you will need when configuring UAG.

In the ADFS 2.0 MMC, go to the Certificates folder and import the token-encryption certificate into the local certificate store of both the ADFS server and the UAG server.

clip_image002

1- UAG Configuration:

Create a new trunk:

clip_image004

Choose to create a portal trunk, not an Active Directory Federation Services trunk as you might be inclined to do (the latter is for the old ADFS v1):

clip_image006

Set up the trunk as you usually do:

clip_image008

When choosing the authentication repository:

clip_image010

select ADFS V2.

The URL of the federation metadata file is the one created when you installed ADFS v2:

https://adfs2_server/FederationMetadata/2007-06/federationmetadata.xml

Click Retrieve Metadata and select Name as the claim value to be used as the lead value.

clip_image012

Complete the Create Trunk wizard and copy the federation metadata link displayed at the bottom of the page.

clip_image014

Finish and activate the configuration.

To make my configuration easier, I copied this file directly to the ADFS server.

The file is called federationmetadata.xml and is located here:

"C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\ADFSv2Sites\extranet\FederationMetadata\2007-06"

2- ADFS configuration

The next step is to configure ADFS to allow Active Directory users to authenticate to the UAG portal.

In the ADFS V2 console, add a relying party trust:

clip_image016

In the Select Data Source window, either paste the link you got from the UAG trunk creation wizard or point to the federation metadata file you copied to the server, as I did below.

clip_image018

Proceed with the remaining default settings and finish.

Finally, you need to configure the rule template you would like to apply to your trust.

Basically, here you are telling ADFS which values to read from your Active Directory users and send to the UAG portal.

Select Send LDAP Attributes as Claims:

clip_image020

Choose Active Directory as your attribute store and select the attributes you would like to put in your outgoing claims:

clip_image022

Once you are done, the transparent authentication should work perfectly.
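The same relying party trust and LDAP claim rule as a script, as an added example that is not part of the original post. It uses the ADFS 2.0 PowerShell snap-in; the trust name and the local path of the copied metadata file are assumptions for this lab.

```powershell
# Added example (not part of the original post): the relying party trust and the
# "Send LDAP Attributes as Claims" rule from the wizard, as an ADFS 2.0 PowerShell
# script. The trust name and the metadata path are assumptions for this lab.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$trustName    = 'UAG Portal'
$metadataFile = 'C:\temp\federationmetadata.xml'   # copied from the UAG server

# 1. Create the trust from the UAG federation metadata (equivalent to the
#    Select Data Source page of the wizard).
if (-not (Get-ADFSRelyingPartyTrust -Name $trustName)) {
    Add-ADFSRelyingPartyTrust -Name $trustName -MetadataFile $metadataFile
}

# 2. Issuance transform rule: look up userPrincipalName in Active Directory for
#    the authenticated Windows account and send it as the Name claim, the claim
#    UAG was told to use as its lead value.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN as Name for UAG"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# 3. Issuance authorization rule: without one no user is issued a token. The
#    wizard's default is to permit all users; narrow it to a group if the portal
#    should not be reachable by every AD account.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-ADFSRelyingPartyTrust -TargetName $trustName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# 4. Show what was configured.
Get-ADFSRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier, Enabled, IssuanceTransformRules, IssuanceAuthorizationRules |
    Format-List
```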

3- Troubleshooting:

ADFS troubleshooting is not straightforward: you will need to monitor your web traffic with a tool such as Fiddler or HttpWatch and see what is being transmitted.


Published by Hicham Bardawil
