ADFS 2.0 Cross Forest and Cross Domain Requirements
28 April 12 03:42 PM | forefrontsecurity | with no comments

Hi,

One of the recurring questions about ADFS 2.0 is how many Federation Servers are needed in a cross-domain or cross-forest scenario.

The Active Directory Identity Provider is able to authenticate users through a trust relationship. Cool! But what kind of trust?

Forest Scope and Trust Relationship Requirements

Based on my own tests, here is an answer:

  • Within a forest, because all child domains are automatically trusted through bidirectional trusts, only one federation service is necessary for the whole forest.
  • When other forests are involved, the minimum trust relationship is a bidirectional external trust, as in the following diagram:

image

  • External trusts are not transitive. You can use a forest trust and its transitivity to extend the scope of the Active Directory IdP.
  • If your trust relationship uses selective authentication (instead of domain-wide or forest-wide authentication), you have to grant the “Allowed to authenticate” right to the trusted domain users.

image

  • Name suffix routing allows you to restrict access to the trusting forest. Check that the UPN of the remote users does not use a suffix that is disabled. In the following example, the user jbono@uag.corp cannot authenticate:

image

  • You can also block specific UPN suffixes with an ADFS deny rule:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "^.*@gemalto\.corp$"]
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");

Access Denied

Published by Olivier DETILLEUX

ADFS 2.0 A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider : Client Certificate Authentication with a “standalone” CA
26 April 12 05:57 PM | forefrontsecurity | with no comments

Hi,

In a previous post, we saw how to provide client certificate authentication.

That was pretty simple, because we used an enterprise CA, an ADFS server and a user account, all in the same domain.

Another challenge is to use client certificates issued by a standalone Certification Authority (in another forest or in a workgroup, and of course not integrated with Active Directory).

The overall architecture I wanted to test is the following:

image

Here is how I achieved this scenario, including the troubleshooting method.

The first thing to do is to request a user certificate from the standalone CA (named USER CA in my case). I have configured my standalone CA to authorize domain users to request user certificates. With the User template, I automatically receive a Client Authentication certificate.

  • The CDP mentioned in the certificate properties must be accessible from the ADFS server.
  • The Subject must be a valid path in Active Directory (in my case: E = james.kirk@labtest.com, CN = James Kirk, OU = Users, OU = Corporation, DC = labiam, DC = corp), or the subject alternative name must contain a Principal Name that is the UPN of the user (for example: Principal Name=jkirk@uag.labtest.corp). This is the user mapping that IIS uses to find the user in Active Directory. If that is not the case, you may encounter a “Logon failure: unknown user name or bad password”.

Now I have a certificate. If I try to sign in to my Federation Service, I receive a “403 - Forbidden: Access is denied.”

image

This is not an ADFS error but an IIS error. We can use the Failed Request Tracing logs to see what is happening. To enable Failed Request Tracing:

  • Check that you have installed the IIS Tracing Module

image

  • In the IIS Management Console, under the Default Web Site, click on Failed Request Tracing and enable it

image

  • You can now define your filter. In my case, the filter is on the 403 status code

image

If we look at the latest tracing log, we can see the following issue: Access Denied

image

I add the Certification Authority certificate chain to the Trusted Root Certification Authorities store, and sign in again. Now I get the following message:

image

Yes! An ADFS error. Have a look at the Event Viewer on the ADFS server. There are 2 events:

  • Source: AD FS 2.0, Event IDs 111, 364

The Federation Service encountered an error while processing the WS-Trust request.
Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

Additional Data
Exception details:
Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'E=james.kirk@labtest.com, CN=James Kirk, OU=Users, OU=Corporation, DC=labiam, DC=corp' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.

My certificate is detected, but the authentication failed. After a quick search, I found that the thumbprint of the root CA certificate must be present under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates registry key.

Certificates in the NTAuth store are trusted to both issue authentication (logon) certificates for any user in the forest and enable logon for smart cards, Internet Information Services (IIS) mapping, and Extensible Authentication Protocol-Transport Layer Security (EAP-TLS).

Sounds good. First, I have to export the certificate (public key) of my Certification Authority. We can do that with the Certificates MMC snap-in, exporting the certificate without the private key.

Then use the certutil command to add the .cer file to the NTAuth certificate store:

certutil -enterprise -addstore NTAuth <CertificationAuthorityKey.cer>

And that’s it: authentication is successful and I can access my claims-aware app:

image

To summarize, what we need:

  • A standalone Certification Authority that issues Client Authentication certificates with a subject alternative name containing the UPN of the user
  • No need to import the issued certificate into the user object in Active Directory
  • Add the Certification Authority certificate chain to the Trusted Root Certification Authorities store of your ADFS server (and on the client computer)
  • Add the root CA certificate to the NTAuth enterprise store
  • Publish the CRL

Published by Olivier DETILLEUX

Translate and Compare Object SID : Download SIDTranslator
20 April 12 10:10 PM | forefrontsecurity | with no comments

Hi,

When you work with Active Directory, have you never had to translate an objectSID from string to hexadecimal format, or vice versa? Now there is a tool to do that: SIDTranslator.

With this tool, you can:

  • Translate a SID from string to hex or from hex to string (any kind of hex: 01050000…, 0x01 0x05 0x00 0x00…, 01 05 00 00…)
  • Compare two SIDs, whatever their format.

image

You can download this tool here : SIDTranslator.zip. The password of the zip file is sidtranslator.
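As an added example (not the SIDTranslator tool’s own code), here is the same translation and comparison in Python: objectSid string to binary and back, the three hex styles listed above, and a format-independent comparison. The SID layout (revision, sub-authority count, 6-byte big-endian authority, little-endian sub-authorities) is the standard Windows encoding.

```python
import re
import struct

# Binary SID layout: revision (1 byte), sub-authority count (1 byte),
# identifier authority (6 bytes, big-endian), then N sub-authorities
# (4 bytes each, little-endian). The string form is S-R-A-S1-S2-...
_SID_STRING = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$", re.IGNORECASE)


def sid_string_to_bytes(sid):
    """Encode 'S-1-5-21-...' into the objectSid octet string."""
    m = _SID_STRING.match(sid.strip())
    if not m:
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-") if x]
    if revision != 1 or not 0 <= authority < 2 ** 48 or len(subs) > 15:
        raise ValueError("SID fields out of range: %r" % sid)
    if any(not 0 <= s < 2 ** 32 for s in subs):
        raise ValueError("sub-authority out of range: %r" % sid)
    head = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)


def sid_bytes_to_string(raw):
    """Decode an objectSid octet string back into 'S-1-...' form."""
    if len(raw) < 8:
        raise ValueError("SID is too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID: length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def hex_to_bytes(text):
    """Accept '01050000...', '0x01 0x05 ...' or '01 05 00 00 ...' (any case)."""
    cleaned = re.sub(r"0x|[\s,:]", "", text, flags=re.IGNORECASE)
    if not cleaned or len(cleaned) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", cleaned):
        raise ValueError("not a hex byte string: %r" % text)
    return bytes.fromhex(cleaned)


def bytes_to_hex(raw, style="plain"):
    """Render the octet string in one of the three hex styles the tool accepts."""
    if style == "plain":
        return raw.hex()
    if style == "0x":
        return " ".join("0x%02x" % b for b in raw)
    if style == "spaced":
        return " ".join("%02x" % b for b in raw)
    raise ValueError("unknown style: %r" % style)


def canonical_sid(value):
    """Normalise bytes, an 'S-1-...' string or any hex style to the 'S-1-...' form."""
    if isinstance(value, (bytes, bytearray)):
        return sid_bytes_to_string(bytes(value))
    value = value.strip()
    if value.upper().startswith("S-"):
        # round-trip through the binary form so that malformed input is rejected
        return sid_bytes_to_string(sid_string_to_bytes(value))
    return sid_bytes_to_string(hex_to_bytes(value))


def sids_equal(a, b):
    """Compare two SIDs whatever their representation."""
    return canonical_sid(a) == canonical_sid(b)
```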

Published by Olivier DETILLEUX

ADFS 2.0 : The first release of my Custom LDAP Attribute Store is on CodePlex
18 April 12 11:23 AM | forefrontsecurity | with no comments

Hi,

As you know, there are three “out of the box” attribute stores in ADFS 2.0:

  • Active Directory
  • SQL
  • LDAP

But there is a limitation with the LDAP attribute store. As this TechNet article says (http://technet.microsoft.com/en-us/library/ff678034(v=ws.10).aspx):

When you work with other Lightweight Directory Access Protocol (LDAP)-based attribute stores, you must connect to an LDAP server that supports Windows Integrated authentication. The LDAP connection string must also be written in the format of an LDAP URL, as described in RFC 2255.

This is not the case for all LDAP servers. Usually, you connect with a simple bind, using an LDAP user account that has read rights. For this kind of LDAP server, we have to build a custom attribute store. This is the purpose of my CodePlex project, which I am happy to share with you.

You can find the project here : http://ldapattributestore.codeplex.com/

Feel free to test it or to participate if you want. I am not a developer, so any improvement in the code will be awesome :)

Published by Olivier DETILLEUX

ADFS 2.0 : HomeRealmDiscovery customization for Multiple Local Authentication Methods and Mobile Device Detection
16 April 12 10:29 AM | forefrontsecurity | with no comments

Hi All,

This article is the second part of a series about Multiple Local Authentication Methods with ADFS 2.0. Here is the first part.

This article is a brief synthesis of some great articles:

Customization of the HomeRealmDiscovery page is a great way to add custom behaviour during passive authentication, for example browser detection, subnet detection, and automatic redirection.

Enable the HomeRealmDiscovery

But to enable the HomeRealmDiscovery feature, ADFS must act either as a pure relying party STS (RP-STS: this is when AD FS 2.0 has configured claims providers, but all local authentication methods are disabled in the web.config file; AD FS 2.0 can only direct the user to authenticate with a trusted STS) or as a hybrid STS (this is when AD FS 2.0 has configured claims providers and also uses a local authentication method).

If you remember my use case, for the moment my ADFS is acting as a pure IP-STS. If I want to enable HomeRealmDiscovery and local authentication, I have to transform my IP-STS into a hybrid STS. To do that, I have simply created a “fake” claims provider trust.

Now, when I want to sign in to my application, I see this menu, where Other is my “fake” claims provider trust:

image

If I select my Active Directory Identity Provider (adfs.labiam.net), I am redirected to the default local authentication handler (as seen in the first part).

The first part of the customization is to rewrite this menu to show the list of authentication methods I want to use. The initialization of the list is done in the Page_Init function:

protected void Page_Init(object sender, EventArgs e)
{
    // Default behaviour: the drop-down lists the enabled claims providers
    PassiveIdentityProvidersDropDownList.DataSource = base.ClaimsProviders;
    PassiveIdentityProvidersDropDownList.DataBind();
}

base.ClaimsProviders returns the list of the enabled IdPs in ADFS. We can modify this code to list the local authentication types instead:

protected void Page_Init(object sender, EventArgs e)
{
    // Replace the claims provider list with the local authentication methods we want to offer
    PassiveIdentityProvidersDropDownList.Items.Add("Integrated");
    PassiveIdentityProvidersDropDownList.Items.Add("Certificate");
}

Now, when we click on the button, we must be redirected to the correct URL (see part 1). We can do that in the PassiveSignInButton_Click function.

protected void PassiveSignInButton_Click(object sender, EventArgs e)
{
    // Redirect to the sign-in URL of the selected local authentication handler,
    // keeping the original query string (wa, wtrealm, wctx ...) of the passive request
    switch (PassiveIdentityProvidersDropDownList.SelectedItem.Value)
    {
        case "Integrated":
            Response.Redirect("https://" + HttpContext.Current.Request.Url.Host + "/adfs/ls/auth/integrated/" + HttpContext.Current.Request.Url.Query);
            break;

        case "Certificate":
            Response.Redirect("https://" + HttpContext.Current.Request.Url.Host + "/adfs/ls/auth/sslclient/" + HttpContext.Current.Request.Url.Query);
            break;

        default:
            break;
    }
}

Now, we have the following list:

image

Remember the last choice

During the redirection, some cookies are created. One of them is MSISIPSelectionPersistent. This is the persistent cookie, written to the file system on the client, that records which identity provider (IdP) should be used for this client. In my case, it is a problem, because if I am automatically redirected to my AD IdP, I will be prompted by the default authentication method (yes, again, see part 1). We can disable this persistence in the web.config file: change <persistIdentityProviderInformation enabled="true" lifetimeInDays="90"/> into <persistIdentityProviderInformation enabled="false"/>

OK, great, but now the user has to choose an authentication method again each time he closes his browser. We can create another cookie to remember the selected authentication method.

switch (PassiveIdentityProvidersDropDownList.SelectedItem.Value)
{
    case "Integrated":
        // Remember the choice in a persistent cookie scoped to the sign-in pages only
        Response.Cookies["MSISPAuthenticationMethod"].Value = "Integrated";
        Response.Cookies["MSISPAuthenticationMethod"].Path = "/adfs/ls";
        Response.Cookies["MSISPAuthenticationMethod"].Domain = HttpContext.Current.Request.Url.Host;
        Response.Cookies["MSISPAuthenticationMethod"].Expires = DateTime.Now.AddDays(8d);
        Response.Redirect("https://" + HttpContext.Current.Request.Url.Host + "/adfs/ls/auth/integrated/" + HttpContext.Current.Request.Url.Query);
        break;

    case "Certificate":
        Response.Cookies["MSISPAuthenticationMethod"].Value = "Certificate";
        Response.Cookies["MSISPAuthenticationMethod"].Path = "/adfs/ls";
        Response.Cookies["MSISPAuthenticationMethod"].Domain = HttpContext.Current.Request.Url.Host;
        // Without an expiry the cookie would be a session cookie and be lost when the browser closes
        Response.Cookies["MSISPAuthenticationMethod"].Expires = DateTime.Now.AddDays(8d);
        Response.Redirect("https://" + HttpContext.Current.Request.Url.Host + "/adfs/ls/auth/sslclient/" + HttpContext.Current.Request.Url.Query);
        break;

    default:
        break;
}


Then we can add detection of the cookie and automatically redirect the user to the previously used authentication handler. In Page_Init, add the following code:

if (Request.Cookies["MSISPAuthenticationMethod"] != null)
{
    // A remembered choice skips the menu and goes straight to the matching handler
    switch (Request.Cookies["MSISPAuthenticationMethod"].Value)
    {
        case "Integrated":
            Response.Redirect("https://" + HttpContext.Current.Request.Url.Host + "/adfs/ls/auth/integrated/" + HttpContext.Current.Request.Url.Query);
            break;
        case "Certificate":
            Response.Redirect("https://" + HttpContext.Current.Request.Url.Host + "/adfs/ls/auth/sslclient/" + HttpContext.Current.Request.Url.Query);
            break;
    }
}

Now, during the first logon, a cookie is created:

image

Mobile Device Detection

Now, I want to automatically redirect iPhone, iPad and Windows Phone devices to the sslclient authentication handler.

In Page_Init, I can add the following code:

// The User-Agent header may be absent, so guard against a null reference
string userAgent = HttpContext.Current.Request.UserAgent ?? string.Empty;
if (userAgent.Contains("iPhone") || userAgent.Contains("Windows Phone") || userAgent.Contains("iPad"))
{
    Response.Redirect("https://" + HttpContext.Current.Request.Url.Host + "/adfs/ls/auth/sslclient/" + HttpContext.Current.Request.Url.Query);
}

Now, when I access my claims-aware application from my iPad (I have added 2 user certificates on my iPad to show how it works):

The web site requires a certificate

Select a certificate

I choose the certificate of James Kirk, and I am automatically logged on.

My web application prints the claims of my token. We can see that the value of authenticationmethod is tlsclient:

image

Published by Olivier DETILLEUX

ADFS 2.0 : How to provide Multiple Local Authentication Methods
15 April 12 10:23 AM | forefrontsecurity | with no comments

Hi,

For one of my customers, I am deploying a federation service to provide transparent authentication to web applications for employees.

ADFS is acting as a pure identity provider Security Token Service (IP-STS); in other words, there is no claims provider except the Active Directory account store of the domain where the service resides.

Users are authenticated on their domain-joined computers, so we can use Integrated Authentication to provide transparent logon. But my customer wants to provide, for a specific population, transparent logon from a mobile tablet connected to the company’s internal WiFi network. Integrated authentication is not a solution in that case.

For that specific population (VIPs, of course), my customer has issued user certificates from the internal Certificate Authority. If we can provide client certificate authentication when a mobile device requests authentication, we can provide transparent login.

This article is the first part of a series that explains the entire solution, covering local authentication methods, HomeRealmDiscovery customization, cookies…

Local authentication Methods

As you can read in this MSDN article (http://msdn.microsoft.com/en-us/library/ee895365.aspx), there are 4 local authentication methods when you request authentication from the ADFS 2.0 web site:

  • Integrated
  • Forms
  • TlsClient
  • Basic

By default, those 4 authentication handlers are activated. To specify which authentication method you want to use, you have to change the order of the handlers in the web.config file. For example, to force forms authentication, reorder the <localAuthenticationTypes> list to put the following line first: <add name="Forms" page="FormsSignIn.aspx" />

When a web application requests a SAML token through passive federation, the application redirects the user to the ADFS sign-in web site. The ADFS web site validates the request and then, based on the AD FS 2.0 configuration and the request parameters, invokes the authentication handlers in the order in which they are specified in the web.config file of the sign-in pages.

From the application side, you can add a query string parameter (wauth) to the sign-in request to ask for a specific authentication method:

  • User name and password authentication: urn:oasis:names:tc:SAML:1.0:am:password
  • SSL client authentication: urn:ietf:rfc:2246
  • Windows integrated authentication: urn:federation:authentication:windows

But if no authentication parameter is added to the sign-in request, the first authentication handler is chosen.

After the authentication method is determined, the user is redirected to the relevant sign-in URL:

  • User name and password authentication: https://adfs.labiam.net/adfs/ls/auth/basic/?<queryString>
  • SSL client authentication: https://adfs.labiam.net/adfs/ls/auth/sslclient/?<queryString>
  • Windows integrated authentication: https://adfs.labiam.net/adfs/ls/auth/integrated/?<queryString>
  • Forms: https://adfs.labiam.net/adfs/ls/FormsSignIn.aspx/?<queryString>

In my case, we cannot modify the application, so we cannot add the relevant wauth string. The idea is to do a URL rewrite just before the authentication request.

In the next article, we will see how to do that during the passive federation request by customizing the HomeRealmDiscovery page.

Next step : HomeRealmDiscovery Customization

Published by Olivier DETILLEUX

Lync Server Control Panel : Insufficient access rights to perform the operation – A strange Active Directory PropertySet issue
11 April 12 05:33 PM | forefrontsecurity | with no comments

Hi All,

Today, a colleague of mine asked me to help with a strange Lync Server issue.

The symptoms were:

  • From the Lync Server Control Panel, he was unable to view the Lync-enabled users
  • He was unable to “Lync enable” a user
  • The error message was “Insufficient access rights to perform the operation”

There are many articles and forums where you can find some help:

  • Check the membership of the Lync Server computer account: OK
  • Check the inherited permissions: OK
  • Check that the target user is not a member of a builtin admin group: OK
  • Check the ACLs in detail: OK, using this TechNet article: http://technet.microsoft.com/en-us/library/gg398742.aspx

All ACLs seemed to be good. But this kind of issue is always a rights issue, so I decided to dig deeper into those ACLs.

First, to be sure that this is a rights issue, I enabled failure auditing of directory service access, and for a specific user, I enabled Fail auditing for all attributes and properties accessed by the Lync Server computer account. You can do that in the Security tab of a user account:

image

Then, I tried to “Lync enable” the specific user account, and I found the following Failure Audit in the security log of my Domain Controller:

image

As you can see, it seems that my Lync Server doesn’t have the right to write 3 properties:

  • msRTCSIP-PrimaryUserAddress
  • msRTCSIP-UserEnabled
  • msRTCSIP-PrimaryHomeServer

That was strange, because I thought the Lync schema/forest/domain preparation should create a delegation on those properties for the RTCUniversalUserAdmins group.

In this TechNet blog article (http://blogs.technet.com/b/jenstr/archive/2011/02/07/grant-cssetuppermission-and-grant-csoupermission.aspx), I found that the RTCPropertySet and the RTCUserSearchPropertySet should contain those attributes.

I had a look in the configuration partition, and found the 2 property sets in the Extended-Rights container:

image

Then I found that the 3 Lync properties were not in a property set. So I changed 2 attributes on each schema attribute:

  • attributeSecurityGUID: the rightsGuid of the property set
  • isMemberOfPartialAttributeSet: true

image

image

After a schema refresh (right click on schema partition and Refresh Schema Now), the Lync Server Control Panel was working well.
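As an added example (not Lync’s or Microsoft’s code), here is the check I would script before touching the schema: compare each attribute’s attributeSecurityGUID with the property set’s rightsGuid and emit the LDIF for the two changes above. The pitfall it handles is byte order: attributeSecurityGUID is an octet string in the GUID’s mixed-endian layout, while rightsGuid is text. The rightsGuid and schema DN used here are constructed placeholders, not the real RTCPropertySet values.

```python
import base64
import uuid

# attributeSecurityGUID is stored as an octet string in the GUID's mixed-endian
# byte layout (the Windows GUID structure), while rightsGuid on the property set
# object is the usual text form. Copying or comparing them needs a conversion.


def rights_guid_to_octets(rights_guid):
    """Text rightsGuid -> the octet string to write into attributeSecurityGUID."""
    return uuid.UUID(rights_guid).bytes_le


def octets_to_guid_text(raw):
    """attributeSecurityGUID octet string -> canonical GUID text."""
    return str(uuid.UUID(bytes_le=raw))


def attributes_outside_property_set(schema_attributes, rights_guid):
    """Return the lDAPDisplayNames whose attributeSecurityGUID is missing or does
    not match the property set's rightsGuid (compared as GUIDs, not as raw bytes)."""
    wanted = uuid.UUID(rights_guid)
    outside = []
    for name, raw in schema_attributes.items():
        if raw is None or uuid.UUID(bytes_le=raw) != wanted:
            outside.append(name)
    return outside


def ldif_add_to_property_set(schema_dn, rights_guid):
    """LDIF modify stanza performing the two attribute changes described above
    (base64 is mandatory in LDIF for a binary value, hence the '::' form)."""
    b64 = base64.b64encode(rights_guid_to_octets(rights_guid)).decode("ascii")
    return "\n".join([
        "dn: " + schema_dn,
        "changetype: modify",
        "replace: attributeSecurityGUID",
        "attributeSecurityGUID:: " + b64,
        "-",
        "replace: isMemberOfPartialAttributeSet",
        "isMemberOfPartialAttributeSet: TRUE",
        "-",
        "",
    ])


# Constructed sample: a placeholder rightsGuid (NOT the real RTCPropertySet GUID)
# and the three schema attributes as they might be read from the schema partition.
SAMPLE_RIGHTS_GUID = "0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9"
SAMPLE_SCHEMA = {
    # correctly linked to the property set
    "msRTCSIP-PrimaryUserAddress": uuid.UUID(SAMPLE_RIGHTS_GUID).bytes_le,
    # never set
    "msRTCSIP-UserEnabled": None,
    # written in network byte order: a GUID that reads differently as text
    "msRTCSIP-PrimaryHomeServer": uuid.UUID(SAMPLE_RIGHTS_GUID).bytes,
}
SAMPLE_SCHEMA_DN = "CN=ms-RTC-SIP-UserEnabled,CN=Schema,CN=Configuration,DC=example,DC=corp"  # placeholder


def sample_report():
    """Which of the three sample attributes still need to be added to the property set."""
    return attributes_outside_property_set(SAMPLE_SCHEMA, SAMPLE_RIGHTS_GUID)
```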

Published by Olivier DETILLEUX

ADFS 2.0 Client Certificate Authentication
10 April 12 10:39 PM | forefrontsecurity | with no comments

Hi all,

Here is how you can enable client certificate authentication for passive authentication.

In my case, I have Microsoft Active Directory Certificate Services deployed. Users have a personal certificate (User Authentication) with the private key in their personal certificate store.

On the ADFS server, open the web.config file in inetpub\adfs\ls and look for the microsoft.identityserver.web section. Put the LocalAuthenticationTypes in the following order:

image

The <add name="TlsClient" page="auth/sslclient/"/> entry must be the first authentication type.

In IIS, you can disable all the other authentication methods except Anonymous, so that non-authenticated users who have a valid client certificate can access the passive federation service. This is for example very useful to authenticate users on a mobile device without prompting for credentials.

If you have a look at the claim values in the SAML token, you can check that the authentication method is tlsclient:

image

Published by Olivier DETILLEUX

ADFS 2.0 Protect your Federation Service : Add a recaptcha customization on your ADFS Proxy Web Form
06 February 12 04:51 PM | forefrontsecurity | with no comments

Hi,

As you know, exposing a federation server proxy on the extranet makes the client logon web form accessible to anyone with Internet access. This can potentially leave your organization vulnerable to password-based attacks, such as dictionary or brute-force attacks, which can trigger account lockouts for user accounts stored in the corporate Active Directory directory service.

One way to protect your corporate Active Directory is to add a second factor to the authentication. This can be costly. Today’s case study is to add the reCAPTCHA plugin to the AD FS proxy web authentication form in order to protect against bots that try to attack your web form.

Very easy integration with ASP.NET

  • Download the ReCaptcha DLL and copy it into a bin/Release folder of the adfs/ls web site
  • Open the ADFS web site with Visual Studio and add a reference to this new DLL:

image

  • Open the FormsSignIn.aspx.cs file, and add the following line (using Recaptcha;):

//------------------------------------------------------------
// Copyright (c) Microsoft Corporation.  All rights reserved.
//------------------------------------------------------------

using System;

using Microsoft.IdentityServer.Web;
using Microsoft.IdentityServer.Web.UI;
using Recaptcha;

  • Open the FormsSignIn.aspx file, and add the following lines after the password text box:

<asp:TextBox runat="server" ID="PasswordTextBox" TextMode="Password"></asp:TextBox>
    </td>
    <td>&nbsp;</td>
</tr>
<tr>
    <td colspan="3">
        <script type="text/javascript" src="https://www.google.com/recaptcha/api/challenge?k=public key"></script>
        <noscript>
            <iframe src="https://www.google.com/recaptcha/api/noscript?k=public key" height="300" width="500" frameborder="0"></iframe>
            <br><textarea name="recaptcha_challenge_field" rows="3" cols="40"></textarea>
            <input type="hidden" name="recaptcha_response_field" value="manual_challenge">
        </noscript>
    </td>
</tr>

where public key and private key are the keys that reCAPTCHA provides when you sign up.

With a little customization, your web form page should now look like this one:

image

Now, we have to get the result of the challenge, and allow the authentication only if it is valid. To do that:

  • Open the FormsSignIn.aspx.cs file, and add the following lines in the SubmitButton_Click procedure:

RecaptchaValidator validator = new RecaptchaValidator();
validator.PrivateKey = "your_private_key";
validator.RemoteIP = Request.UserHostAddress;
validator.Response = Request.Form["recaptcha_response_field"];
validator.Challenge = Request.Form["recaptcha_challenge_field"];

try
{
    // The CAPTCHA is checked first: the credentials are only sent to Active Directory
    // when the challenge has been solved, so bots cannot trigger lockouts
    RecaptchaResponse validationResult = validator.Validate();
    if (validationResult.IsValid)
    {
        SignIn(UsernameTextBox.Text, PasswordTextBox.Text);
    }
    else
    {
        HandleError("Invalid Captcha. Please try again");
    }
}
catch (Exception)
{
    // A failed sign-in or an unreachable reCAPTCHA service must never let the request through
    HandleError("Authentication failed. Please try again");
}

Published by Olivier DETILLEUX

A great blog about Federation Services and .net
11 January 12 12:14 PM | forefrontsecurity | with no comments

Hi All,

A quick post to promote the blog of one of my colleagues. You will find very useful use cases, code samples, and lots of things about Federation Services and .NET.

image

Have a look at: NET, I'm lovin it! It’s in French, but you can use Microsoft Translator: http://www.microsofttranslator.com/bv.aspx?from=fr&to=en&a=http://sebastienollivier.fr/blog/

Published by Olivier DETILLEUX

Implement Jive federation with AD FS 2.0
11 January 12 12:02 PM | forefrontsecurity | with no comments

Hi All,

Last year, I dealt with the federation of Jive with AD FS. Not really difficult, but there are things you need to know.

Let’s assume that you already have an AD FS server deployed.

Since the Jive 5.0.1 update, it is necessary to force end-to-end HTTPS encryption. The Jive documentation is available (Jive 5.0), but here are the main steps:

  • Get the public key (X509 certificate) of your public domain certificate and save the file as jive.crt
  • Get the private key of your public domain certificate and save the file as jive.pfx
  • Extract the private key from the .pfx file
  • Import the Jive certificate into the SSL keystore
  • Enable SSL in /etc/jive/conf/jive-httpd
  • Configure the connection scheme in the /usr/local/jive/applications/sbs/conf/server.xml file
  • Restart the Jive services
  • Configure SSL in /usr/local/jive/etc/httpd/sites/default.conf and restart the httpd service

After that, you can access your Jive community portal through HTTPS.

Next step: configure Jive to allow SAML authentication.

Open the People\Advanced configuration page, and provide the Federation Metadata URL of your ADFS server.

If you want to provision user information automatically in Jive, you can add some claim types. For example:

  • Title: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/title
  • Country: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country

Here is what it would look like:

image

Next step: the configuration on the AD FS server side.

  • Add a new Relying Party Trust, and provide the Jive Federation Metadata URL. This URL should be something like: https://yourdomain/saml/metadata
  • Create claim rules to pass claims to Jive. The important claim to pass to Jive is the Name ID. Here is the custom rule I wrote to send domain-user to Jive as the NameIdentifier.

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${domain}-${user}"), ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "http://schemas.xmlsoap.org/claims/CommonName");

  • Here is the custom rule I wrote to send all the expected claim values, with a quick lookup in Active Directory.

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/title", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department"), query = ";mail,sn,givenName,userPrincipalName,title,streetaddress,homephone,mobile,telephonenumber,co,department;{0}", param = c.Value);

And that’s it.

Troubleshooting

You can enable detailed logging during authentication in Jive. This is in the Advanced tab of SAML Authentication. If there is an issue during SAML authentication, you will see an error message like the following.

An error occured while attempting authentication through single sign on
The error could be related to a misconfiguration from the Jive end or from the user authority. Debug information is available below:
- Checking child metadata provider for entity descriptor with entity ID: https://community.yourdomain.net
[…]
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               </ds:Transforms>
               <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
               <ds:DigestValue>NAJSc1UvIaVG3nm1LJSLmCEEJbw=</ds:DigestValue>
            </ds:Reference>
[…]
         </KeyInfo>
      </ds:Signature>
      <Subject>
         <NameID Format="http://schemas.xmlsoap.org/claims/CommonName">EMEA-TMP-malikah.kelly</NameID>
         <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <SubjectConfirmationData InResponseTo="a485g08eaicifhd325c7c2bdf64j43g" NotOnOrAfter="2011-12-13T14:05:42.672Z" Recipient="https://community.yourdomain.net/saml/sso"/>
         </SubjectConfirmation>
      </Subject>
      <Conditions NotBefore="2011-12-13T13:58:42.667Z" NotOnOrAfter="2011-12-13T14:58:42.667Z">
         <AudienceRestriction>
            <Audience>https://community.yourdomain.net</Audience>
         </AudienceRestriction>
      </Conditions>
      <AttributeStatement>
        <Attribute xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" a:OriginalIssuer="http://emea.yourdomain.net/adfs/services/trust">
[…]

- Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
- Signature validated with key from supplied credential
- Signature validation using candidate credential was successful
- Successfully verified signature using KeyInfo-derived credential
- Attempting to establish trust of KeyInfo-derived credential
- Successfully validated untrusted credential against trusted key
- Successfully established trust of KeyInfo-derived credential
- Authentication statement is too old to be used
- There was an error during SAML authentication
org.springframework.security.authentication.CredentialsExpiredException: Users authentication data is too old
        at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAuthenticationStatement(WebSSOProfileConsumerImpl.java:402)
        at […]
        at java.lang.Thread.run(Thread.java:662)

Common issues I have dealt with:

  • Users authentication data is too old: check that the clocks of Jive and AD FS are synchronized. The Spring Security SAML consumer used by Jive raises this error when the assertion's AuthnInstant is older than the consumer's maximum authentication age, so a Jive clock that runs ahead of the AD FS clock produces it even though the signature validated. If you hit this issue frequently, try increasing the NotBeforeSkew on the relying party trust in AD FS.
  • Some expected claim values are empty: check that in your Active Directory the required attributes are populated for the affected users.
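As an added example (not code from this post, from Jive or from Spring Security SAML), the following Python reproduces the timestamp checks a SAML 2.0 bearer-assertion consumer applies before it accepts a login, run against a constructed assertion modelled on the one in the log above. The Subject and Conditions values are copied from the log; the AuthnStatement (elided in the log), the 60-second response skew and the two-hour maximum authentication age are assumptions, not product defaults. It shows which checks fail when the Jive clock is ahead of or behind AD FS, and that backdating NotBefore (what the AD FS NotBeforeSkew setting does) only helps the "NotBefore is in the future" case, not the "too old" one.

```python
# Timestamp checks of a SAML 2.0 bearer consumer, as an added example.
# Not Jive's or Spring Security SAML's code; skew/age values are assumptions.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion: Subject/Conditions copied from the log above,
# the AuthnStatement is invented for the example.
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2011-12-13T13:58:42.667Z">
  <Issuer>http://emea.yourdomain.net/adfs/services/trust</Issuer>
  <Subject>
    <NameID Format="http://schemas.xmlsoap.org/claims/CommonName">EMEA-TMP-malikah.kelly</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData InResponseTo="a485g08eaicifhd325c7c2bdf64j43g"
          NotOnOrAfter="2011-12-13T14:05:42.672Z"
          Recipient="https://community.yourdomain.net/saml/sso"/>
    </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2011-12-13T13:58:42.667Z" NotOnOrAfter="2011-12-13T14:58:42.667Z">
    <AudienceRestriction><Audience>https://community.yourdomain.net</Audience></AudienceRestriction>
  </Conditions>
  <AuthnStatement AuthnInstant="2011-12-13T13:58:40.000Z" SessionIndex="_session">
    <AuthnContext>
      <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
    </AuthnContext>
  </AuthnStatement>
</Assertion>"""

AUDIENCE = "https://community.yourdomain.net"
ACS_URL = "https://community.yourdomain.net/saml/sso"


def parse_ts(value):
    """Parse the UTC xs:dateTime form AD FS emits, with or without a fraction."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now, audience, recipient,
                    response_skew=timedelta(seconds=60),
                    max_authn_age=timedelta(hours=2)):
    """Return the list of failed checks; an empty list means the assertion is usable."""
    root = ET.fromstring(xml_text)
    failures = []

    cond = root.find("saml:Conditions", NS)
    if now < parse_ts(cond.get("NotBefore")) - response_skew:
        failures.append("Conditions NotBefore is in the future")
    if now >= parse_ts(cond.get("NotOnOrAfter")) + response_skew:
        failures.append("Conditions NotOnOrAfter has passed")
    aud = cond.find("saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text.strip() != audience:
        failures.append("Audience does not match this SP")

    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd.get("Recipient") != recipient:
        failures.append("Recipient does not match the ACS URL")
    if now >= parse_ts(scd.get("NotOnOrAfter")) + response_skew:
        failures.append("Bearer SubjectConfirmationData has expired")

    # The check behind "Users authentication data is too old": the user must
    # have authenticated at the IdP recently enough, measured on the SP clock.
    authn = root.find("saml:AuthnStatement", NS)
    if now > parse_ts(authn.get("AuthnInstant")) + max_authn_age + response_skew:
        failures.append("Authentication statement is too old")
    return failures


def backdate_not_before(xml_text, minutes):
    """Model of AD FS NotBeforeSkew: re-issue the assertion with NotBefore moved earlier."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    nb = parse_ts(cond.get("NotBefore")) - timedelta(minutes=minutes)
    cond.set("NotBefore", nb.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z")
    return ET.tostring(root, encoding="unicode")


def demo():
    """Evaluate the sample assertion under several SP clock offsets."""
    issued = datetime(2011, 12, 13, 13, 58, 42, tzinfo=timezone.utc)
    return {
        # SP clock in sync with the IdP, a few seconds after issuance
        "in_sync": check_assertion(SAMPLE_ASSERTION, issued + timedelta(seconds=5), AUDIENCE, ACS_URL),
        # SP clock three hours ahead: everything, including the AuthnInstant, looks stale
        "sp_ahead_3h": check_assertion(SAMPLE_ASSERTION, issued + timedelta(hours=3), AUDIENCE, ACS_URL),
        # SP clock two minutes behind: NotBefore appears to be in the future
        "sp_behind_2m": check_assertion(SAMPLE_ASSERTION, issued - timedelta(minutes=2), AUDIENCE, ACS_URL),
        # same slow SP clock, assertion issued with a 5-minute NotBeforeSkew
        "sp_behind_2m_skewed": check_assertion(backdate_not_before(SAMPLE_ASSERTION, 5),
                                               issued - timedelta(minutes=2), AUDIENCE, ACS_URL),
    }


if __name__ == "__main__":
    for name, failures in demo().items():
        print(f"{name}: {failures or 'OK'}")
```

The "sp_ahead_3h" case is the one that matches the log: signature and trust checks pass, then the authentication statement is rejected because the SP's clock makes it look older than the allowed age. Only clock synchronization fixes that case; the NotBeforeSkew backdating only covers an SP clock that is behind.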

Published by Olivier DETILLEUX

Happy New Year
11 January 12 11:09 AM | forefrontsecurity | with no comments

Hi All,

It has been a long time since I last published an article on this blog. Sorry for that, but since the beginning of September I have been a happy dad, and that takes up a lot of time.

First of all, I want to wish all of you a Happy New Year!

This year, I will focus on Cloud Security and Identity Management in the Cloud. I have already started on that with some articles about Federation Services. We will go deeper into it, and it will be very exciting.

Published by Olivier DETILLEUX

TechDays 2012: Join the "Security Building Blocks for Office 365" session
11 January 12 10:33 AM | forefrontsecurity | with no comments

Hello everyone,

This year again, I will have the pleasure of co-presenting a session at TechDays 2012 with Nicolas Lieutenant.

Be at the heart of innovation

A true platform for meetings and exchanges around professional IT solutions, the Microsoft TechDays bring together 17,000 visitors each year around 300 conferences, 3 plenary sessions and 140 exhibitors over 5,500 m2.

image

The goal of our session is to present the security building blocks that can be put in place to secure your Microsoft Exchange Online messaging. Through a presentation of Office 365 Online messaging, we will cover the following topics:

  • Implementing and securing identity federation with AD FS 2.0 Update 1
  • Protecting your exchanges and your documents with S/MIME and AD RMS
  • Implementing strong authentication with Gemalto's SA Server and the ADFS proxy

Published by Olivier DETILLEUX

Slow restart of the TMG services when the server reboots
15 December 11 04:02 PM | forefrontsecurity | with no comments

When the TMG server restarts, it takes a long time (about 16 minutes) before TMG is fully operational.

In the Event Viewer (Windows Logs –> System), this error appears:

image

The error has Event ID 7022:

image

This error is due to an incorrect startup dependency between services, which leads to a 16-minute timeout before the server is operational.

This problem can be resolved with the following actions:

  1. In the registry, navigate to HKLM\SYSTEM\CurrentControlSet\Services\HTTP, create a new Multi-String Value named DependOnService and give it the value CRYPTSVC
  2. In a command prompt opened with administrator privileges:

sc config isactrl depend= RasMan/SSTPSVC/FwEng/ISASTG/bfe/mpssvc/HTTP/KeyIso

Note that sc config with depend= replaces the service's whole dependency list rather than appending to it, so run sc qc isactrl first and keep any dependency already listed there.

Then reboot the server and everything should be back in order.

Published by Yann GRAINDORGE
Script Error in TMG
09 December 11 12:00 PM | forefrontsecurity | with no comments

Hello, this is my first article on this blog, so first a few words to introduce myself. My name is Yann Graindorge; I joined vNext last May in the IAM (Identity and Access Management) team, so I will be publishing on this blog.

After many TMG and UAG installations, I have often run into this error with TMG: when the TMG console is launched, a script error appears and it becomes impossible to use the console:

image

So it seemed worthwhile to share how to resolve this problem, which is very blocking.

This bug is actually caused by TMG and Internet Explorer 9 being installed on the same server.

image

There are three different ways to resolve this problem:

  • Uninstall IE9

To cleanly uninstall IE from your server, follow this procedure:

http://support.microsoft.com/kb/957700/en-us#stepsforwin2008r2

In some cases this is not enough to restore the situation, so I recommend using the following two methods instead.

  • Edit the TMG configuration file "TabsHandler.htc"

Open the file "C:\Program Files\Microsoft Forefront Threat Management Gateway\UI_HTMLs\TabsHandler\TabsHandler.htc" with any text editor (make a backup copy first).
Search for all lines containing the expression "paddingTop"; there should normally be 3 of them.
Comment out these 3 lines by adding "//" at the beginning of each line, as shown below:

image

Save the changes and try launching TMG again; the error should be gone:

image

  • Apply the TMG updates

If you installed the RTM version of TMG, you should be at version 7.0.7734.100

image

You first need to apply TMG SP1, available here:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16734

TMG will then be at version 7.0.8108.200

image

Then apply Update 1 for TMG SP1, available here:
http://www.microsoft.com/download/en/details.aspx?id=11445

TMG will then be at version 7.0.9027.400

image

Finally apply TMG SP2, available here:
http://www.microsoft.com/download/en/details.aspx?id=27603

image

TMG will then be at version 7.0.9193.500

Try reopening the TMG console; it should now launch without any problem:

image

Published by Yann Graindorge
    We talk about Forefront Unified Access Gateway, Web SSO, DirectAccess, Threat Management Gateway, Identity Manager and other Forefront Technologies. Also, some post about Active Directory and other Identity and Access technos.
