Posts tagged ADFS

Windows Azure Pack with ADFS and Windows Azure Multi-Factor Authentication – Part 3

March 14, 2014 4 Comments Written by Marc van Eijk

In the previous part of this blog series Windows Azure Pack was configured to use ADFS for authentication for the Tenant Site and the Admin Site. We have done numerous implementations of Windows Azure Pack where ADFS was part of the design. In the first production deployments we struggled with setting the correct claim values for Co-Admins on subscriptions and admin access for the Admin Site based on groups, like the issue described at the and of the previous part of this blog series. Since then we have learned (or at least we tried) and there are a couple of ways that you can use to gain some insight into the actual issued claims by ADFS. Now please understand me correctly, there will probably be more ways to do the same. I just collected the procedures that we stumbled upon during the troubleshooting moments. We have used the following functionalities to look at issued claims.

  • ADFS Auditing
  • Get-AdfsToken
  • WIF SDK Claim App

There are probably more or better ways to look at the claims issued by ADFS. If you know any, please don’t hesitate to add them to the comments at the end of this blog post.

ADFS Auditing

Active Directory Federation Service provides a built in functionality to log success and failure audits in the event log of the ADFS server. The success audits contain the actual claims provided by ADFS. Besides enabling this functionality in ADFS, auditing rights must also be enabled for the ADFS service account on the server running ADFS.

The first step is to enable auditing rights for the ADFS service account on the server running ADFS. You can configure this with a local policy or a group policy. Open the local or domain policy that will apply to your ADFS server and browse to the Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment entry.

01 GPO

Open the Generate security audits setting and add the domain service account used in the ADFS configuration wizard in part one of this blog series (domain\SVC_ADFS). Update the policy settings on the ADFS server by running the following command

gpupdate /force

Enable auditing on the ADFS server by running the following command

auditpol.exe /set /subcategory:”Application Generated” /failure:enable /success:enable

Open the ADFS management console. Right-click the root of the entries and select Edit Federation Service Properties.

02 Federation Service

Select the events tab and enable the Success audits checkmark.

Read More »

Marc van Eijk
, , , ,

Windows Azure Pack with ADFS and Windows Azure Multi-Factor Authentication – Part 2

February 26, 2014 6 Comments Written by Marc van Eijk

In the previous part of this blog series we installed Windows Azure Pack and Active Directory Federation Services. In this blog we will configure the WAP Admin Portal and the WAP Tenant Portal to use ADFS for authentication. The configuration steps for both sites are very similar with some exceptions. The following steps will be performed.

  • Change the WAP site bindings in IIS
  • Update the WAP database with the new IIS bindings
  • Configure the WAP database to use ADFS
  • Create a relying party in ADFS
  • Create claim rules in ADFS
  • Enable JWT for relying party in ADFS

After completing these steps, every user that successfully authenticates to ADFS can access the WAP tenant site. To prevent a random user from accessing the WAP admin site, an additional step must be performed to enable access for admins.

  • Configure authenticated users for the admin site

Windows Azure Pack accepts User Principal Name (UPN) claims and Group claims. A tenant requires a UPN claim to logon to Windows Azure Pack. When a tenant subscribes to a plan the UPN is made owner of the subscription. A UPN is required as owner for a subscription. The Group claim is optional and can be used to specify Co-Admins for an existing subscription. A common design is to designate an owner of the subscription that is responsible (for example a department head) and add a group claim as co-admins for the subscription (for example a group containing all the departments users). A couple of tests with group claims pointed out that Domain Local Groups will not work (even if you manage to pass them as claims with some custom claim rules) and that Windows Azure Pack will not accept a space in the Group when configuring Co-Admins for a subscription.

01 CoAdmins req

Two components of ADFS are important in relation to Windows Azure Pack. The Claims Provider and the Relying Party. A Claims Provider authenticates a user, create the claims for that user and configures the claims into security tokens that the relying party uses to make authorization decisions. A Relying Party consumes claims in a particular transaction. Claims that originate from a claims provider can be presented and consumed by the relying party. A default installation of ADFS configures a Claims Provider trust to Active Directory. This default Claims Provider trust has a predefined set of Claims, which contains the UPN claim, but does not contain the Group claim.

It is possible to add additional claims at the Claims Provider level or at the Relying party level. If you add additional claims at the Claims Provider level, these claims are available to all relying parties and can also be used for authorization and transformation in a relying party configuration. If you add additional claims at the Relying Party level, these claims will only be available to that particular Relying Party.

Read More »

Marc van Eijk
, , , , , , ,

Windows Azure Pack with ADFS and Windows Azure Multi-Factor Authentication – Part 1

January 20, 2014 8 Comments Written by Marc van Eijk

 

ADFS Series
Windows Azure Pack with ADFS and Windows Azure Multi-Factor Authentication – Part 1
Windows Azure Pack with ADFS and Windows Azure Multi-Factor Authentication – Part 2
Windows Azure Pack with ADFS and Windows Azure Multi-Factor Authentication – Part 3

The last couple of weeks I have been testing a lot of federation scenarios for Windows Azure Pack. Out of the box Windows Azure Pack provides two authentication sites. A Windows Authentication site for the administration portal and a Tenant Authentication site based on a ASP.NET Membership provider for the tenant management portal. It is also possible to use Active Directory Federations Services (ADFS) for authentication with Windows Azure Pack.

Active Directory Federation Services

This opens the door to numerous interesting scenarios. I have tested Windows Azure Pack scenarios with the default ADFS Active Directory claims, federation to partner organizations, federation to Windows Azure ACS (that Shriram Natarajan also posted in an excellent blog a couple of days ago) and integrate ADFS with Windows Azure Multi-Factor Authentication.

Multi-Factor Authentication

If you ask an average person what password policy he or she is using for the online services they access the answer is quite scary. A single password for different entities. How many have been victim of phishing, identity theft  or know someone who has been. And if we look at an average business and their security policies, well… it’s a mess usually. Unless you are disciplined with complex passwords, a simple username password does not cut it any more. Multi-factor Authentication can address these security issues by adding an additional layer of authentication. Besides the username and the password it is possible to validate the user by a phone call, a text message, a validation app, etc. In the past these functionalities where quite complex to implement, let alone integrate in to existing applications. Microsoft announced General Availability of Windows Azure Multi-Factor Authentication in September 2013. This service in Windows Azure Active Directory takes away the pain of setting up Multi-Factor Authentication yourself and allows for easy integration with existing applications by integrating on premises ADFS servers.

mfa

In this blog I’ll describes the steps to configure the tenant site in Windows Azure Pack to use ADFS for authentication and also add Multi-Factor Authentication by leveraging Windows Azure.

First lets have a look at the end result. A tenant opens the Windows Azure Pack tenant portal and is redirected to the ADFS, or even better the Web Application Proxy (Yep, WAP to WAP). The tenant enters his active directory credentials and is prompted to proceed with Multi-Factor Authentication. After proceeding the tenants is called within a couple of  seconds on his mobile (you can configure other options as well). When asked, the tenant presses # in the call and he is instantly logged in to Windows Azure Pack. No matter if you show this to an IT pro, a customer or your boss, it will bring a smile to their face. Guaranteed!

Prerequisites

Before we start clicking away we need to get some insight in the moving parts and the corresponding prerequisites.

Read More »

Marc van Eijk
, , , , , ,

Powered by