Brian Puhl's Weblog : ADFS

Identity and Access Webcast Series

bpuhl — Tue, 31 Oct 2006 08:09:00 GMT

Here's some info on some upcoming webcasts... This first series is for the "Technical Decision Makers", but I'll post the "IT Pro" series when they get announced.

-Brian

--------------

Microsoft offers a broad range of technologies and products to enable a customer’s identity and access infrastructure. This web-cast and virtual lab series is designed to educate Technical Decision Makers (TDMs), and IT Professionals about Microsoft’s IDA solution areas centered around the following products:

Windows Rights Management Services (RMS)
Active Directory Federation Services (ADFS)
Microsoft Identity Integration Server MIIS)
Certificate Lifecycle Manger (CLM)
Active Directory (AD)

These webcasts are structured under different categories. The categories take attendees from Product/Solutions Overview, what the product is and how it can help the customer’s infrastructure, to Deployment, and through the different categories to, “What is New for the Future”.

Our kickoff webcast by Peter Houston, and Product/Solution Overview webcasts are for the Technical Decision Makers, while the following webcasts categories will be for IT Professionals.

Join our webcast series to help plan for the future, deploy new solutions, manage and optimize your existing IT infrastructure

As Technical Decisions Makers you should attend (a) our kickoff webcast IDA Vision and Strategy, and (b) Product Overview webcasts segment, to see how our IDA products can be improve cost, increase protection for your IT infrastructure Then encourage your IT Professionals to attend our following webcasts on deeper IT content.

We will be announcing more upcoming webcasts for IT Professionals very soon.

First IDA Webcasts:

(a) IDA Vision Webcast

Title: Microsoft Identity and Access (IDA) Vision and Strategy

Description: Identity and access in connected systems has gone beyond a technical concern and become a top business issue as organizations look to reduce security risk, decrease operational costs, satisfy regulatory requirements, and deepen their electronic relationships with customers and partners. In this session, learn about Microsoft's vision for identity and access technology, including the evolution of Active Directory (AD), Microsoft Identity Integration Server (MIIS), 'CardSpace', and Certificate Lifecycle Manager (CLM). You will also gain insight into Microsoft's vision for IDA in the future.

Presenter: Peter Houston

Date/Time: 11/10/2006, 10:00Am - 11:00PM Pacific Time

Click here to Register: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032315361&Culture=en-US

(b) Product Overview Webcasts:

Title: Information Protection with Windows Rights Management Services (RMS)

Description: Protecting confidential information and intellectual property, such as e-mail and documents, is critical to the success of many organizations…

Presenter: Tim Upton

Date/Time: 11/16/2006, 1:00 PM – 2:00PM Pacific Time

Click here to Register: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032313768&Culture=en-US

Title: Introduction to Microsoft Certificate Lifecycle Manager

Description: Join this webcast to learn about the new Microsoft Certificate Lifecycle Manager (CLM)…

Presenter: Amesh Mansukhani

Date/Time: 11/20/2006, 1:00 PM – 2:00PM Pacific Time

Click here to Register: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032313484&Culture=en-US

Title: Web Single Sign-On and Identity Federation with Active Directory Federation Services

Description: As organizations extend their information technology (IT) infrastructures to provide partners with access to Web-based applications, they face difficult administrative and security challenges…

Presenter: Howard Ting

Date/Time: 11/27/2006, 11:00 AM – 12:00PM Pacific Time

Click here to Register: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032313783&Culture=en-US

Title: Identity Life-Cycle Management with Microsoft Identity Integration Server 2003

Description: Join this webcast to see how Microsoft Identity Integration Server (MIIS) 2003 enables the automation of identity life-cycle management in the enterprise…

Presenter: Lori Craw

Date/Time: 11/29/2006, 11:00 AM – 12:00PM Pacific Time

Click here to Register: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032313486&Culture=en-US

Regards,

ADFS Documentation

bpuhl — Sat, 21 Oct 2006 00:51:09 GMT

Wouldn't it be cool if there was a blog where someone was posting documentation about ADFS?

Well looky here - apparently this has been around for a while, but since I just recently discovered it I thought I'd share...

http://blogs.technet.com/adfs_documentation/

ADFS and Liability Continued...

bpuhl — Tue, 03 Oct 2006 08:41:00 GMT

hmm...let's see...I wrote a blog, Pam left a comment, I replied to her comment with another blog, and so (if you haven't seen it yet) Pam posted her own blog entry here... This is actually kind of fun!

You should read (all of) her posts anyways, but to save some screen flipping here's the meat of it:

...When I read this, I felt like jumping up and down like the goody-two-shoes in the second row, me me me me oh I know the answer pick me!!!

If they were to use an Information Card for the active confirmation prior to a user making changes, users wouldn’t need to remember a password at all. You would get the impediment of requiring credentials, without the support burden attached to maintenance of a rarely-used password. Alternatively, if you felt the need to have a password, you could require a managed information card. In that case, the user would be authenticating to the home IdP instead of to the outside application, taking the password management burden off of your partner and consolidating password use to a single centralized source that would theoretically be much more commonly used, and therefore less likely to require frequent recovery. Not to mention that the Enterprise could audit use of the managed infocard in this context.

This seems to me to be a perfect scenario to envision a hybrid passive/active federation combination instead of passive federation for 85% of user activity, and partner-managed password authentication for the remaining 15%. Yes? If so, it just goes to show that the scenarios are out there, and for more than just the eBusiness world.

Brian, what do you think?

So...let's see...What do I think?

I don't think the problem is in the way that the credentials are stored. Let's suppose it's an InfoCard from some Identity Provider, then the liability would then fall on that Identity Provider if/when a users account gets compromised. Why would someone sign up for that? In the case that we're dealing with internally, Microsoft is the Identity Provider, and our lawyers don't want to sign up for the risk - why would anyone else?

Thinking about this slightly differently – Our lawyers have the problem, because if someone hijacks my corporate user account, and goes into my 401k and wipes out my retirement savings – who is ultimately responsible? If Microsoft did the authentication, Microsoft is, if the partner did it, they are, and if some 3rd party identity provider did the authentication – then THEY are responsible (would we even consider a 3rd party - umm...let's hope not)

So let’s say we use an infocard. And not only that, but we use a Managed infocard. Ok, so now I’ve got a managed card on my machine – So when someone hacks my account, selects the highlighted infocard, and THEN wipes out my 401k… Now who’s responsible?

I can absolutely see where an InfoCard can help the end user - but I'm the IT Geek who's trying to deploy the infrastructure. How do I sell being an Identity Provider to my CIO?

Comment on ADFS Liability

bpuhl — Thu, 21 Sep 2006 08:23:00 GMT

My favorite Calgary-ian Pam left the following comment on my last blog post:

Hm. In a perfect world, there would need to be a contractual component to any and all technical federations, and those contractual components should go through review by the privacy officer, and also by the admin team.

Companies and admin groups need to get religion over the process involved with creation of federations, if for no other reason than to protect themselves from liability.

Here is more about liability and federation: http://www.rsasecurity.com/go/siliconcom/liability.asp

Cheers,

Pam

I am SOOOO glad she did too, because liability is one of the hardest problems to deal with when deploying ADFS, and something that I've personally been harping about to our internal deployment team as we develop our onboarding process for new federations. In fact, one of the topics that I've been presenting at various TechEd's and the upcoming ITForum lately, is "How Microsoft IT Deployed Active Directory Federation Services". In that talk, I've dedicated an entire slide, to just some of the impacts that liability can have, whether your providing the user authentication or the resources. In fact, one of the comments that I make during my talk, is:

I've been involved with Microsoft's Active Directory for 5 years, and never had any reason. But I was tasked with deploying AD Federation Services, and within a week of the project starting up, I had met with some attorneys in our Legal and Corporate Affairs group.

A great example of technology vs. liability is the ongoing discussion that we're having with one of our business partners, about providing federated access to their internet portal. This partner though, happens to be one of the providers of financial services to Microsoft employee's. From the partners perspective, the idea of federation is wonderful...they see it increasing their security, reducing their risk (since they still allow SSN's as user names), and reducing the amount of overhead they have for constantly resetting users passwords. In fact, one of their architects commented that there were nearly as many users who require a password reset EVERY TIME a user attempted a login, as there were who didn't.

Enter the Microsoft attorneys...

They looked at the technology, and got a pretty quick understanding of the risks, limitations, and potential uses for ADFS. They just as quickly built the following scenario

So Joe User's password gets compromised. Not only can someone use it to gain access to some set of corporate resources, but now they can also go in and mess around with his retirement portfolio? And they would do this, because during the logon attempt, "Microsoft" verified that the user was actually Joe? Ummmm....No.

This is basically the story of how Microsoft has ended up asking some of their higher impact business partners, to create a 2-tiered authentication model. In this case, a user can log in using ADFS authentication to view their information...but as soon as they want to make a change to their information, they'll need to enter their application specific credentials.

According to the partner, approximately 85% of all logons are just to view the data anyways, so it's still a win...but it also virtually guarantee's that when a user does want to make a trade, they'll need to reset the password because now they DEFINITELY are not going to remember what it is.

So what does all this mean - it means that I agree 100% with Pam's comment, that IT people are going to have to get religion over the process of creating federations, and the impact that it has to their business.

ADFS and Domain Admins (or anyone else for that matter)

bpuhl — Mon, 18 Sep 2006 11:18:00 GMT

I spend a lot of time answering questions or making comments in e-mails that would make good blog posts. So it may seem a bit cheesy (at least it does to me), but it's turning out that reposting these e-mails seems like an easy way to do this...so here's another one...hope you don't mind (again, some edits to protect the innocent)...(and fix typo's)...

________________________________________
From: Brian Puhl
Sent: Monday, September 18, 2006 1:18 AM
To: ADFS Discussion
Subject: RE: Domain Admin and ADFS

More generically – it’s a good thing to remember that anyone who can join an machine to a domain, can install ADFS and create federations.

We had several conversations with the ADFS team during R2 dogfooding about this – to summarize weeks of discussions into a couple of bullet points:

Generally speaking, “IT” controls the network perimeter – So the ‘threat’ of setting up an incoming federation to allow 3rd party access to your network would require someone who was deploying ADFS to also be able to deploy applications to the internet

Anyone could configure ADFS, and work with a partner to configure an outbound federation, enabling all users in the directory (and trust realm) to ADFS authenticate to an application. The primary concern here was data disclosure, but the only data they could disclose are things that are already readable by the user in the directory anyways, so there were a lot easier ways to disclose this info if that was the goal.

From the MS IT perspective, our largest concern was actually the support impact. For example, you go to a website one day, and it just suddenly “logs you in”, because someone internally joined an R2 machine to the domain, and worked with the application owner to set up the federation. This is all goodness, until the day that the federation breaks – Because the users will call the help desk (approx $50 per call), and it is extremely difficult to track down where the federation server is, who owns it, how it’s configured, why it broke, etc… All of this takes administrator time and effort ($$$), for what is essentially a user impacting rogue application.

The ADFS Product Group has a DCR <Design Change Request> to give us more control over rogue ADFS instances in LH Server. I don't know the status, but they understand the problem of needing to answer the question "Who do we have federations with."

Brian Puhl
Microsoft IT

--------------------------------------------------------------------------------

From: T
Sent: Monday, September 18, 2006 12:36 AM
To: ADFS Discussion
Subject: RE: Domain Admin and ADFS

No, as domain admins can do whatever they want to in their domain

--------------------------------------------------------------------------------

From: M
Sent: 15 września 2006 19:32
To: ADFS Discussion
Subject: Domain Admin and ADFS

QUESTION:

<My customer with multiple domains> are going to upgrade their servers to R2 and they want to know if there is any way to prevent Domain Admins of installing and configuring ADFS

Any comment/suggestion will be greatly appreciated

Best regards,
M

ADFS Certificate Maintenance - v1

bpuhl — Thu, 25 May 2006 03:41:00 GMT

Over the past several weeks, we've celebrated the 1 year anniversary of our ADFS deployment. I say it this way, because the only reason I know this, is that the certificates on the servers keep expiring, and things would break unexpectedly. Yeah, yeah, yeah...I could have, would have, and SHOULD have been a bit more proactive about this, but our use of ADFS internally is somewhat limited until this summer (aka - fiscal year and budgets) when we're going to start onboarding a lot of new ADFS based services for our users.

So, I wanted to get an idea of where I needed to update the certs. Since we use a common cert for both the ADFS trust policy signing certificate, as well as the IIS SSL cert, I needed to make sure I replaced them both. We also use an FS Proxy on the internet, against SSL and policy signing cert required here. This all made sense to me, so off I go:

Change the SSL cert in the IIS console of the FS
Change the SSL cert in the IIS console of the FS-P
Change the token signing cert on the FS using the ADFS MMC
Change the token signing cert on the FS-P using the ADFS MMC

(note: pet peeve of mine, which I'll probably rant about again... but we can't remotely administer the ADFS servers using the MMC. You have to TS onto the box, or write your own scripts to do things remotely.... grrrrrr... yes, the product group knows, yes I remind them every chance I get...unfortunately no, it didn't make it into R2.)

Ok, so at this point, I'm thinking to myself, "cool, this annual maintenance is done." Probably took 7 full minutes before my phone rang that EVERYTHING was broken. Seems that I forgot that a year ago when we set this up, I had to send a copy of the token signing cert to the federation partners. Their FS-R's need to be able to validate the cert. Ok, drop that in e-mail, follow-up with a phone call...everything's working from internal now (ie. users connecting directly to the FS server). RDP'd back to my home computer, so I could get a view of this thing from the internet though and it's still failing.

Perusing the event logs on the FS-P (which look like a Christmas tree...if Christmas colors were red and yellow) I find:

The Federation Service Proxy encountered an exception when it called a Federation Service Web method.
Federation Server URL: https://corp.sts.microsoft.com/adfs/fs/FederationServerService.asmx
Web method: GetProxyTrustConfiguration
Proxy certificate thumbprint:
<snipped by brian>

This may cause a user request to fail.

User Action
The exception details may give an indication of the precise problem.

Check network connectivity between the Federation Service Proxy and the Federation Service.

Ensure that the Federation Service is running.

Ensure that the Federation Service Proxy client authentication certificate has been added to the list of proxy authentication certificates in the Federation Service trust policy.

Ensure that the Federation Service Proxy client authentication certificate chains to a root that is trusted by the Federation Service.

Ensure that the Federation Service Internet Information Services (IIS) Secure Sockets Layer (SSL) server certificate chains to a root that is trusted by the Federation Service Proxy.

Ensure that the Federation Service Uniform Resource Locator (URL) that is configured in the Federation Service Proxy web.config uses the name that is the subject of the Federation Service IIS SSL server certificate.

Additional Data
Exception details:
System.Web.Services.Protocols.SoapException: System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Web.Security.SingleSignOn.FederationServerService.MethodInvocationCheck(MethodAuthenticationLevel DesiredAuthentication)
   at System.Web.Security.SingleSignOn.FederationServerService.GetProxyTrustConfiguration(VersionInformation proxyVersion, VersionInformation& fsVersion, ProxyInformation& proxyInformation, TrustConfigurationData[]& trustConfig)
   --- End of inner exception stack trace ---
   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at System.Web.Security.SingleSignOn.FederationServerSoapProxy.GetProxyTrustConfiguration(VersionInformation proxyVersion, VersionInformation& fsVersion, ProxyInformation& proxyInformation, TrustConfigurationData[]& trustConfig)
   at System.Web.Security.SingleSignOn.LSPersistentState.GetPolicy(VersionInformation& fsVersion, ProxyInformation& proxyInformation, TrustConfigurationData[]& data)

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I've bolded the important part above. When I zipped right back to the FS server where I found the following event:

Description:
The Federation Service failed a privileged Web method call because the caller's client authentication certificate is not configured as a Federation Service Proxy certificate.
Certificate thumbprint: <snipped by Brian>

User Action
Ensure that the trust policy is properly configured with all valid Federation Service Proxy certificates.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Back to the ADFS snap-in, and in the trust policy there is an FSP Certificates tab. Added the token signing cert here as well so everything matched, and voila! auth started working again.

There were a couple of reasons I wanted to jot this down:

As the ADFS service scales, managing the certificates is going to become significantly more important and require a lot of advanced planning. While I'm a HUGE fan of documenting and testing operational processes, etc... The fact that this will require coordination between the FS-A and the FS-R provider, and that this once-a-year function requires so many touch points, is just scary.
I wanted to point out the quality of the events that are being logged by the service. The ADFS team put a lot of thought into getting the "right" information into the logs, so an administrator can quickly figure out what's going on with the service. There is still granular debug logging available, but you shouldn't really need to use it that often. IMHO, too many admins are jaded against the event logs anyways (rightfully so?), but I still believe that if eventvwr isn't your first stop, then you're probably not doing your job right. For federation services, this is definitely the case. ADFS Product Team - THANK YOU.