ADFS Authentication Workflow

In this article we take a look at the Active Directory Federation Services (ADFS) Authentication Workflow that occurs when a client attempts to access a third-party federated web service.

The following diagram depicts the authentication workflow for ADFS when accessing third-party federated web services (applications).

[Diagram: ADFS Authentication Workflow]

Walking through the above diagram step-by-step:

  1. The user (client) accesses the web URL for the Fabrikam Web Server using their client web browser. The client doesn’t have an authentication token and must be federated to access this application.
  2. The website issues an HTTP redirect to the user’s web browser, directing it to visit the Fabrikam federation service URL.
  3. The user’s browser accesses the Fabrikam Federation Service.
  4. The Fabrikam federation service resolves the URL for the Contoso Identity Provider (IDP) and issues an HTTP redirect to the user’s browser.
  5. The user’s browser accesses the Contoso ADFS server.
  6. The user authenticates with the Contoso ADFS server and is issued a token signed by the ADFS server’s Token Signing Certificate. The ADFS service issues an HTTP redirect to the user’s browser, directing it back to the Fabrikam ADFS service.
  7. The user’s browser presents the token to the Fabrikam Federation service.
  8. The Fabrikam Federation service validates the token and issues the user a new token which is valid for the Fabrikam web service. The ADFS service issues an HTTP redirect directing the user’s browser to the Fabrikam web server.
  9. The user accesses the Fabrikam Web Server and presents the token which was issued by the Fabrikam ADFS service. The web server validates the token and authorises the user to access the application.
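The redirect chain in steps 1 to 5 can be observed directly, which is the quickest way to confirm that an application is federated to the right service and that each hop lands where the diagram says it should. The PowerShell function below is an added example, not code from the original article: it follows the redirects one hop at a time with automatic redirection switched off, records each hop, and stops at the first non-redirect response (the sign-in page at the Contoso ADFS server, or a 401 WIA challenge), so no credentials are ever sent. The function name, the hop limit and the sample application URL are this example's own choices.

```powershell
# Added example (not from the original article): trace the redirect chain that
# the workflow above describes, one hop at a time, without sending any credentials.
function Trace-FederationRedirects {
    param(
        [Parameter(Mandatory)][string]$Url,   # URL of the federated application (step 1)
        [int]$MaxHops = 10                    # safety limit; assumption of this example
    )

    $current = [Uri]$Url
    $hops = @()

    for ($hop = 1; $hop -le $MaxHops; $hop++) {
        # Build the request by hand so that automatic redirects can be switched off
        # and every 302 is observed instead of only the final page.
        $request = [System.Net.HttpWebRequest]::Create($current)
        $request.AllowAutoRedirect = $false
        $request.Method = 'GET'
        $request.UserAgent = 'Mozilla/5.0 (Windows NT 10.0) Trace-FederationRedirects'

        try {
            $response = $request.GetResponse()
        }
        catch [System.Net.WebException] {
            # 4xx/5xx answers arrive as an exception, but the response is still attached.
            $response = $_.Exception.Response
            if (-not $response) { throw }
        }

        $status   = [int]$response.StatusCode
        $location = $response.Headers['Location']
        $response.Close()

        $hops += [pscustomobject]@{
            Hop      = $hop
            Host     = $current.Host
            Path     = $current.AbsolutePath
            Status   = $status
            Location = $location
        }

        # Anything other than a redirect ends the chain: 200 means the sign-in page
        # or the application was reached, 401 is the WIA challenge from step 6.
        if ($status -lt 300 -or $status -ge 400 -or -not $location) { break }

        # Location may be relative; resolve it against the URL of the current hop.
        $current = [Uri]::new($current, $location)
    }

    return $hops
}

# Usage (placeholder application URL, not a real host):
# Trace-FederationRedirects -Url 'https://app.fabrikam.example/' | Format-Table -AutoSize
```

For a working federation the output shows the application host with a 302, then the Fabrikam federation service with a 302 to the Contoso ADFS host, and finally the Contoso ADFS host with a 200 (forms sign-in) or 401 (Windows Integrated Authentication challenge). A chain that ends at an unexpected host, or that loops until the hop limit, is a misconfigured relying-party or claims-provider trust.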

Closing

In this article we looked at the workflow process that occurs each time a user attempts to access an ADFS federated web service.

 

ADFS: WIA Supported User Agents

One of my customers had issues with SSO not working as expected. Upon investigation I found that this was because additional configuration was required in order to enable the SSO capabilities and support for Microsoft Edge and Mozilla Firefox web browsers. The following process enables you to modify the WIA Supported User Agents in ADFS which will enable SSO for various web browsers.

1. First we check the current configuration of the WIASupportedUserAgents property using the Get-ADFSProperties cmdlet as shown below:

Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents

The following output was recorded for the existing configuration of WIASupportedUserAgents properties.

MSAuthHost/1.0/In-Domain
MSIE 6.0
MSIE 7.0
MSIE 8.0
MSIE 9.0
MSIE 10.0
Trident/7.0
MSIPC
Windows Rights Management Client
MS_WorkFoldersClient
=~Windows\s*NT.*Edge

2. Next we need to add support for Mozilla Firefox web browsers using the Set-ADFSProperties cmdlet as shown below:

Set-ADFSProperties -WIASupportedUserAgents (((Get-ADFSProperties).WIASupportedUserAgents)+'Mozilla/5.0')

3. Finally, add the configuration to support SSO for the Microsoft Edge web browser using the Set-ADFSProperties cmdlet:

Set-ADFSProperties -WIASupportedUserAgents (((Get-ADFSProperties).WIASupportedUserAgents)+'Edge/12')
Set-ADFSProperties -WIASupportedUserAgents (((Get-ADFSProperties).WIASupportedUserAgents)+'Edge/13')
Set-ADFSProperties -WIASupportedUserAgents (((Get-ADFSProperties).WIASupportedUserAgents)+'Edge/14')
Set-ADFSProperties -WIASupportedUserAgents (((Get-ADFSProperties).WIASupportedUserAgents)+'Edge/15')
Set-ADFSProperties -WIASupportedUserAgents (((Get-ADFSProperties).WIASupportedUserAgents)+'Edge/16')

4. After applying the above changes, restart the ADFS Service on all ADFS Servers using:

Restart-Service adfssrv

5. After the services have been restarted, check that the configuration has applied successfully and test that the ADFS IDP Initiated Sign-on is fully operational.

Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents

The following output was recorded for the configuration post-changes.

MSAuthHost/1.0/In-Domain
MSIE 6.0
MSIE 7.0
MSIE 8.0
MSIE 9.0
MSIE 10.0
Trident/7.0
MSIPC
Windows Rights Management Client
MS_WorkFoldersClient
=~Windows\s*NT.*Edge
Mozilla/5.0
Edge/12
Edge/13
Edge/14
Edge/15
Edge/16

From the above, we can note that support for the additional browsers has been added to the configuration as expected.
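Before and after applying the change it helps to know which entry in the list a given browser will actually hit, and to avoid appending the same entries again when the procedure is re-run on another farm. The script below is an added example, not code from the original post. It assumes, as the default entry =~Windows\s*NT.*Edge in the output above suggests, that ADFS treats an entry prefixed with =~ as a regular expression and every other entry as a plain substring of the browser's User-Agent header; the function names and the sample User-Agent strings are this example's own.

```powershell
# Added example (not from the original post). Assumption: an entry starting with
# '=~' is a regular expression, any other entry is a substring match.
function Test-WiaUserAgent {
    # Returns the first configured entry that matches the User-Agent, or $null
    # when the browser would fall back to forms-based sign-in.
    param(
        [Parameter(Mandatory)][string]$UserAgent,
        [Parameter(Mandatory)][string[]]$SupportedUserAgents
    )
    foreach ($entry in $SupportedUserAgents) {
        if ($entry.StartsWith('=~')) {
            if ($UserAgent -match $entry.Substring(2)) { return $entry }
        }
        elseif ($UserAgent.Contains($entry)) {
            return $entry
        }
    }
    return $null
}

function Add-WiaUserAgent {
    # Appends only the entries that are not already configured, so re-running the
    # procedure does not grow the list with duplicates. Returns what was added.
    param([Parameter(Mandatory)][string[]]$Entries)
    $current = @((Get-AdfsProperties).WIASupportedUserAgents)
    $missing = @($Entries | Where-Object { $current -notcontains $_ })
    if ($missing.Count -gt 0) {
        Set-AdfsProperties -WIASupportedUserAgents ($current + $missing)
    }
    return $missing
}

# Dry run against the list recorded above, before and after steps 2 and 3.
$before = @(
    'MSAuthHost/1.0/In-Domain', 'MSIE 6.0', 'MSIE 7.0', 'MSIE 8.0', 'MSIE 9.0', 'MSIE 10.0',
    'Trident/7.0', 'MSIPC', 'Windows Rights Management Client', 'MS_WorkFoldersClient',
    '=~Windows\s*NT.*Edge'
)
$after = $before + 'Mozilla/5.0' + @('Edge/12', 'Edge/13', 'Edge/14', 'Edge/15', 'Edge/16')

# Constructed sample User-Agent strings (not captured from a real client).
$samples = [ordered]@{
    'IE11'    = 'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko'
    'Firefox' = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0'
    'Edge'    = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134'
}
foreach ($name in $samples.Keys) {
    $hitBefore = Test-WiaUserAgent -UserAgent $samples[$name] -SupportedUserAgents $before
    $hitAfter  = Test-WiaUserAgent -UserAgent $samples[$name] -SupportedUserAgents $after
    "{0,-8} before: {1,-25} after: {2}" -f $name, ($hitBefore ?? 'forms sign-in'), ($hitAfter ?? 'forms sign-in')
}

# To apply the change from steps 2 and 3 without creating duplicates:
# Add-WiaUserAgent -Entries @('Mozilla/5.0', 'Edge/12', 'Edge/13', 'Edge/14', 'Edge/15', 'Edge/16')
# Restart-Service adfssrv
```

The dry run makes one property of the change visible: the Firefox sample only matches once Mozilla/5.0 is in the list, and because almost every modern browser sends Mozilla/5.0, that single entry turns on the WIA challenge for every user agent that reaches the intranet sign-in path. The `??` operator in the report line needs PowerShell 7; on Windows PowerShell 5.1 replace it with an `if` expression.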

ADFS: Enable Sensible Logging

To enable useful logging, run the following command on each ADFS server so that both success and failure events in the Application Generated audit subcategory are recorded:

AuditPol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable

ADFS: Enable End-User Password Change Functionality

To let users change their passwords from the ADFS sign-in page, enable the update-password endpoint, publish it through the proxy and restart the service with the following commands.

Enable-ADFSEndPoint -TargetAddressPath "/adfs/portal/updatepassword/"
Set-ADFSEndPoint "/adfs/portal/updatepassword/" -Proxy:$true
Restart-Service ADFSSrv -Force

ADFS: Increase the Validity of ADFS Generated Certificates

To increase the validity period of the ADFS self-generated Token-Signing and Token-Decrypting certificates, execute the commands below to set it to three years (1095 days).

Set-ADFSProperties -CertificateDuration 1095
Update-ADFSCertificate -Urgent

ADFS: Enable Automatic Certificate Rollover

To enable the Automatic Certificate Rollover feature for the ADFS Token-Signing and Token-Decrypting certificates, execute the following PowerShell commands.

Set-ADFSProperties -AutoCertificateRollover $true
Update-ADFSCertificate -Urgent

ADFS: Set Account Lockout Threshold and Duration

To protect your domain user accounts against brute-force password attacks through the extranet, it is recommended that the extranet lockout threshold and observation window be enabled. To do so, execute the following command, changing any parameters as required.

Set-ADFSProperties -EnableExtranetLockout $true `
-ExtranetLockoutThreshold 15 `
-ExtranetObservationWindow ( New-TimeSpan -Minutes 30 ) `
-ExtranetLockoutPDC $false
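Each of the five settings above (audit policy, the update-password endpoint, certificate duration, automatic rollover and extranet lockout) can be read back from the farm, and doing so in one place is a quick post-change check and a useful baseline for the next audit. The function below is an added example covering all five sections, not code from the original posts. It assumes the thresholds used above (1095-day certificates, 15 attempts in a 30-minute window); the function name, the 30-day expiry warning and the output shape are this example's own choices, and the ExtranetLockoutRequirePDC property is read only if the farm exposes it.

```powershell
# Added example (not from the original posts): read back the settings that the
# sections above change and report whether each matches the recommended value.
function New-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

function Get-AdfsHardeningReport {
    param(
        [int]$MinCertificateDays      = 1095,   # value set in the certificate section above
        [int]$MaxLockoutThreshold     = 15,     # value set in the lockout section above
        [int]$WarnCertificateExpiryDays = 30    # assumption of this example
    )
    $props  = Get-AdfsProperties
    $report = @()

    # 1. Audit policy: auditpol /r prints CSV; the 'Inclusion Setting' column holds the state.
    $audit = auditpol.exe /get /subcategory:"Application Generated" /r |
             Where-Object { $_ } | ConvertFrom-Csv | Select-Object -First 1
    $setting = $audit.'Inclusion Setting'
    $report += New-Finding 'Audit: Application Generated' ($setting -eq 'Success and Failure') $setting

    # 2. End-user password change endpoint must be enabled and published on the proxy.
    $ep = Get-AdfsEndpoint -AddressPath '/adfs/portal/updatepassword/'
    $report += New-Finding 'Update-password endpoint' ([bool]($ep.Enabled -and $ep.Proxy)) "Enabled=$($ep.Enabled) Proxy=$($ep.Proxy)"

    # 3. Self-generated certificate lifetime and automatic rollover.
    $report += New-Finding 'Certificate duration (days)' ($props.CertificateDuration -ge $MinCertificateDays) "$($props.CertificateDuration)"
    $report += New-Finding 'Auto certificate rollover' ([bool]$props.AutoCertificateRollover) "$($props.AutoCertificateRollover)"

    # 4. Extranet lockout: enabled, with a finite threshold no larger than the recommended one.
    $threshold = $props.ExtranetLockoutThreshold
    $lockoutOk = [bool]$props.ExtranetLockoutEnabled -and $threshold -gt 0 -and $threshold -le $MaxLockoutThreshold
    $detail = "Enabled=$($props.ExtranetLockoutEnabled) Threshold=$threshold Window=$($props.ExtranetObservationWindow)"
    $pdc = $props.PSObject.Properties['ExtranetLockoutRequirePDC']   # only present on newer farms
    if ($pdc) { $detail += " RequirePDC=$($pdc.Value)" }
    $report += New-Finding 'Extranet lockout' $lockoutOk $detail

    # 5. Time left on the primary Token-Signing and Token-Decrypting certificates.
    foreach ($type in 'Token-Signing', 'Token-Decrypting') {
        $primary = Get-AdfsCertificate -CertificateType $type | Where-Object { $_.IsPrimary }
        $daysLeft = ($primary.Certificate.NotAfter - (Get-Date)).Days
        $report += New-Finding "$type primary cert expiry" ($daysLeft -gt $WarnCertificateExpiryDays) "$daysLeft days left, thumbprint $($primary.Thumbprint)"
    }

    return $report
}

# Usage, on an ADFS server with the ADFS module loaded:
# Get-AdfsHardeningReport | Format-Table -AutoSize
```

Run it before and after the changes in this post; any row with Ok = False names the setting that still differs from the value configured above, and the expiry rows give early warning when rollover has not produced a new certificate in time.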

Script to Batch Create Test User Accounts in Active Directory

Recently I have been working in my test labs and needed to create a large number of Test User Accounts in Active Directory. Rather than manually create the users using the GUI (which would take forever), I wrote a script to automate the process. You’ll find the script below and should be able to easily modify the script to work in your own environment.

<#
# --------------------------------------------------------------------------------- #
.SYNOPSIS
 
Creates a batch of Test Users in Active Directory
 
.DESCRIPTION
 
Use this script to create a number of test user accounts within Active
Directory. Modify the following variables to customise this script for
your environment.
 
.PARAMETER
 
N/A
 
.NOTES
 
Version: 1.0
Author: Craig Bull
Creation Date: 10th September 2018
 
.EXAMPLE
 
N/A
 
# ---------------------------------------------------------------------------------#
#>
 
Import-Module ActiveDirectory
 
# DEFINE VARIABLES
 
$AdminCredentials = Get-Credential "YOURDOMAIN\Administrator"
 
# Use the following password for the User Accounts being created.
$Password = "@Passw0rd" | ConvertTo-SecureString -AsPlainText -Force
 
# Change this variable to the hostname of one of the domain controllers.
$ServerName = "YOURDC.YOURDOMAIN.COM"
 
# Customise this variable for a custom description on user accounts.
$Description = "Test User"
 
# Change this variable to match the DN of the OU where you want to create the
# new user accounts.
$Path = "OU=Users,DC=YOURDOMAIN,DC=COM"
 
# Change this variable to match the UPN of your domain.
$UPNSuffix = "@YOURDOMAIN.COM"
 
# Change this variable to equal the number of user accounts you wish to create.
$NumberUsers = 100
 
$i = 0
 
Write-Host " "
Write-Host "Script: Create AD User Test Accounts" -ForegroundColor White
Write-Host " "
 
# START LOOP
 
While ($i -ne $NumberUsers)
{
# INCREMENT COUNTER
 
$i = $i + 1
 
# DEFINE VARIABLES
 
$Name = "Test User $i"
$SamAccountName = "Test $i"
$UserPrincipalName = "TestUser$i$UPNSuffix"
 
Try
{
# TRY TO CREATE NEW TEST USER IN ACTIVE DIRECTORY
 
New-ADUser -Credential $AdminCredentials `
-Name $Name `
-GivenName "Test" `
-Surname "User" `
-SamAccountName $SamAccountName `
-Server $ServerName `
-AccountPassword $Password `
-Enabled $True `
-ChangePasswordAtLogon $False `
-PasswordNeverExpires $True `
-UserPrincipalName $UserPrincipalName `
-DisplayName "Test User" `
-Description $Description `
-Path $Path
}
 
Catch
 
{
# AN EXCEPTION WAS DETECTED, DISPLAY ERROR INFORMATION AND BREAK OUT OF SCRIPT
 
$ErrorMessage = $_.Exception.Message
Write-Host "An Error Occurred: $ErrorMessage" -ForegroundColor Red
Write-Host " "
Write-Host "Check Active Directory to confirm whether Test User accounts already exist." -ForegroundColor Yellow
Break
}
 
# DISPLAY USER CREATED MESSAGE
 
Write-Host "Created User Account: $Name" -ForegroundColor Green
}
 
Write-Host " "
Write-Host "Script execution completed successfully. Tidying up." -ForegroundColor White
Write-Host " "
 
# CLEAR VARIABLES
 
$AdminCredentials = $Null
$ServerName = $Null
$Password = $Null
$Description = $Null
$Path = $Null
$UPNSuffix = $Null
$NumberUsers = $Null
$i = $Null
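The script's error handler tells you to check whether the test accounts already exist, and a lab that is rebuilt regularly also needs a safe way to remove them again. The function below is an added example, not part of the original script: it selects accounts only by the OU and the marker description the script used, supports -WhatIf and -Confirm so a run can be previewed first, and returns the number of accounts removed. It assumes the same $Path and $Description values as the script; the function name is this example's own.

```powershell
# Added example (not part of the original script): remove the test accounts the
# script above created, selected by OU and description, with -WhatIf/-Confirm support.
function Remove-TestUsers {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$Path,          # same OU the script created into
        [string]$Description = 'Test User',           # same marker description as the script
        [string]$ServerName,                          # optional domain controller
        [pscredential]$Credential                     # optional admin credential
    )

    # Pass -Server / -Credential through only when they were supplied.
    $common = @{}
    if ($ServerName) { $common['Server'] = $ServerName }
    if ($Credential) { $common['Credential'] = $Credential }

    # Restrict the search to the OU the script used and to the marker description,
    # so that real accounts elsewhere in the domain are never selected.
    $users = @(Get-ADUser -Filter "Description -eq '$Description'" `
                          -SearchBase $Path -SearchScope OneLevel @common)

    $removed = 0
    foreach ($user in $users) {
        # ShouldProcess honours -WhatIf (print only) and -Confirm (prompt per account).
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Remove test user')) {
            Remove-ADUser -Identity $user -Confirm:$false @common
            $removed++
        }
    }

    Write-Host "Removed $removed of $($users.Count) matching account(s)." -ForegroundColor White
    return $removed
}

# Usage: preview first, then run for real.
# Remove-TestUsers -Path 'OU=Users,DC=YOURDOMAIN,DC=COM' -WhatIf
# Remove-TestUsers -Path 'OU=Users,DC=YOURDOMAIN,DC=COM' -Confirm:$false
```

Running it with -WhatIf first lists every distinguished name that would be deleted; if that list contains anything other than the "Test User N" accounts, the OU or description passed in is wrong and nothing has been touched yet.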