ADFS 2.0 Protect your Federation Service : Add a recaptcha customization on your ADFS Proxy Web Form

Published 06 February 12 04:51 PM | forefrontsecurity

Hi,

As you know, exposing a federation server proxy on the extranet will make the client logon Web form accessible by anyone with Internet access. This can potentially leave your organization vulnerable to some password-based attacks, such as dictionary or brute force attacks that can trigger account lockouts for those user accounts that are stored in the corporate Active Directory directory service.

One way to protect your corporate Active Directory is to add a second factor to the authentication, but this can be costly. Today's case study is to add the reCAPTCHA plugin to the AD FS proxy web authentication form, in order to protect it against robots that try to attack the form.

Very easy integration with ASP.NET

  • Download the ReCaptcha dll from and copy the dll into a bin/Release folder in the adfs/ls web site
  • Open the ADFS web site with Visual Studio and add a reference to this new dll:


  • Open the FormSignIn.aspx.cs file and add the `using Recaptcha;` directive to the existing using directives at the top of the file:

//------------------------------------------------------------
// Copyright (c) Microsoft Corporation.  All rights reserved.
//------------------------------------------------------------

using System;

using Microsoft.IdentityServer.Web;
using Microsoft.IdentityServer.Web.UI;
using Recaptcha;

  • Open the FormSignIn.aspx file and add the following markup after the password row:

<asp:TextBox runat="server" ID="PasswordTextBox" TextMode="Password"></asp:TextBox>
    </td>
    <td>&nbsp;</td>
</tr>
<tr>
    <td colspan="3">
        <script type="text/javascript" src="https://www.google.com/recaptcha/api/challenge?k=your_public_key"></script>
        <noscript>
            <iframe src="https://www.google.com/recaptcha/api/noscript?k=your_public_key" height="300" width="500" frameborder="0"></iframe>
            <br />
            <textarea name="recaptcha_challenge_field" rows="3" cols="40"></textarea>
            <input type="hidden" name="recaptcha_response_field" value="manual_challenge" />
        </noscript>
    </td>
</tr>

where the public key and the private key are the key pair that reCAPTCHA provides when you sign up for the service.

With a little customization, your web form page should now look like this one:


Now we have to read the result of the challenge and allow the authentication only if it is valid. To do that:

  • Open the FormSignIn.aspx.cs file and add the following lines to the SubmitButton_Click procedure, so that the CAPTCHA is checked before SignIn is called:

protected void SubmitButton_Click(object sender, EventArgs e)
{
    // Verify the reCAPTCHA answer before touching the credentials, so a failed
    // challenge never reaches Active Directory (and its account lockout policy).
    RecaptchaValidator validator = new RecaptchaValidator();
    validator.PrivateKey = "your_private_key";
    validator.RemoteIP = Request.UserHostAddress;
    validator.Response = Request.Form["recaptcha_response_field"];
    validator.Challenge = Request.Form["recaptcha_challenge_field"];

    try
    {
        RecaptchaResponse validationResult = validator.Validate();
        if (validationResult.IsValid)
        {
            SignIn(UsernameTextBox.Text, PasswordTextBox.Text);
        }
        else
        {
            HandleError("Invalid Captcha. Please try again");
        }
    }
    catch (AuthenticationFailedException ex)
    {
        // Existing handler of the stock sign-in page, kept here to close the try block.
        HandleError(ex.Message);
    }
}

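The snippet above calls SignIn only when the validator answers IsValid, but it does not decide what happens when the CAPTCHA fields are missing from the POST or when the verification service cannot be reached. The helper below is an added example (not code from the post or from the Recaptcha library): it wraps the same RecaptchaValidator API in a fail-closed check that SubmitButton_Click can call before SignIn. It assumes the Recaptcha.dll used in the post, a reference to System.Configuration, and an appSettings key named "RecaptchaPrivateKey" (a name chosen for this example).

```csharp
// Added example, not part of the original post. Fail-closed CAPTCHA gate for the
// AD FS proxy sign-in page, built on the Recaptcha .NET validator used above.
using System;
using System.Configuration;
using System.Diagnostics;
using System.Web;
using Recaptcha;

public static class CaptchaGate
{
    // Returns null when the CAPTCHA solution is accepted; otherwise a message
    // that is safe to show to the user. SignIn must only be called on null.
    public static string Check(HttpRequest request)
    {
        string challenge = request.Form["recaptcha_challenge_field"];
        string response = request.Form["recaptcha_response_field"];

        // A client that posts only the username/password fields, skipping the
        // widget entirely, must not reach the password check at all.
        if (string.IsNullOrEmpty(challenge) || string.IsNullOrEmpty(response))
        {
            return "Please complete the CAPTCHA.";
        }

        RecaptchaValidator validator = new RecaptchaValidator();
        // Assumed appSettings key: keeps the private key out of the code-behind.
        validator.PrivateKey = ConfigurationManager.AppSettings["RecaptchaPrivateKey"];
        validator.RemoteIP = request.UserHostAddress;
        validator.Challenge = challenge;
        validator.Response = response;

        try
        {
            RecaptchaResponse result = validator.Validate();
            if (result.IsValid)
            {
                return null;
            }
            // Wrong or replayed solution: log the service's error code server-side
            // only, and give the client a generic message.
            Trace.TraceWarning("reCAPTCHA rejected a solution: {0}", result.ErrorCode);
            return "Invalid CAPTCHA. Please try again.";
        }
        catch (Exception ex)
        {
            // Verification service unreachable or misconfigured: fail closed.
            // Falling through to SignIn here would silently remove the protection.
            Trace.TraceError("reCAPTCHA verification failed: {0}", ex.Message);
            return "The CAPTCHA could not be verified. Please try again later.";
        }
    }
}
```

In SubmitButton_Click, call `string error = CaptchaGate.Check(Request);` and only call SignIn when `error` is null, passing it to HandleError otherwise.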
Published by Olivier DETILLEUX
