Category Archives: Active Directory

Azure AD allows duplicate group names

You would expect that a service that is responsible for the naming of objects within a namespace should prohibit the creation of objects with the same leaf name and fully qualified name. Put simply you should not be able to have two files in the same directory with the exact same name in your file system. Likewise a directory service should do the same, or should it…?

It depends on the rules of the service actually, and what those rules specify must be unique. Take good old Windows Server Active Directory for example. Active Directory is based on LDAP and in the LDAP naming scheme an object may have the same Relative Distinguished Name (RDN), as long as the Distinguished Name (DN) is unique. In this case the RDN is the leaf name and the DN is the fully qualified name. So you can have two users named John Doe as long as they do not both reside within the same Organizational Unit (OU), or location, in the directory. So in AD the rules specify that the DN must be unique. There are also other rules like the ones that say no two users can have the same sAMAccountName or UserPrincipalName properties.

Azure Active Directory also has similar rules, for example you can’t create two AAD users with the same UPN (but they can have the same name). Azure AD groups act differently however. First of all they don’t have UPNs, they only have names (DisplayName attribute). So for groups the rules say that it is the ObjectID property of the group that must be unique, not the name. You can test this yourself easily with PowerShell. Run this command against your AAD tenant twice or more:

New-MsolGroup -DisplayName "GroupWithTheSameName"

It will succeed and you are left with a number of groups which look identical until you look at their ObjectID properties. I’m sure you can imagine the interesting side-effects of having more than one group with the same name… How is this allowed you ask?

The answer is hybrid identity. Azure AD and it’s local sync component; Azure AD Connect, supports syncing users and groups from multi-domain forests and multiple disparate forests into the same Azure AD tenant. This is great for consolidation scenarios, but to understand exactly how it relates to duplicate group names in Azure AD; let’s look at the rules for uniqueness in Active Directory again:

  • Single forest
    • Users must have a unique UPN attribute within a forest, and a unique sAMAccountName attribute within the domain. No such requirement exists between forests. The RND can be the same as long as the DN is unique.
    • Groups must have unique sAMAccountName attributes within a domain. No such requirement exists between forests. The RND can be the same as long as the DN is unique.

The mechanism within a forest that makes sure the above requirements are met is the global catalog (GC).

  • Multi forest
    • Anything goes, nothing is shared between forests, even forests that trust each other. You could even have two forests with the same forest root name and UPN suffixes. There would not be able to interact with each other of course.

Form this we see that we can have groups that have the same name, they are only separated by their sAMAccountName attributes in Active Directory. Azure AD Connect does not synchronize the sAMAccountName into Azure AD so we get duplicate groups.

At this point you may be wondering what happens if you have two disparate forests with the same forest root name, how will they sync? Answer is they won’t, that is not a supported scenario by Azure AD Connect, which uses DNS to find the DCs of the forests.

You may also be wondering why this does not apply to users. Users have a unique attribute that is synced into Azure AD; the UPN. As long as it is unique within the forest the user will sync to Azure AD. If you have two forests with the same UPN for two or more users, but still are able to be part of the same Azure AD Connect sync installation, something which is possible if you configure the same UPN suffix in both forests, Azure AD connect will block the syncing when it encounters these users.

NOTE: Manipulating Active Directory directly it is actually possible to have two users with the same UPN in the same domain or forest. If you try to sync those users into Azure AD they will be blocked like described above.

The good news regarding groups is that Microsoft are working on a way to handle groups better in Azure AD Connect so that we do not get these duplicates.

Always fun with a little directory service internals 🙂

How to configure SAML SSO with the Cisco Meraki Dashboard and Azure Active Directory

Introduction

The fine people at Cisco Meraki have recently enabled SAML SSO support to their Meraki Dashboard service. For those of you who don’t know Meraki is Cisco’s cloud managed networking solution. Basically you manage all your networking equipment from a web portal. For more information about Meraki, go here.

Whenever I start using a new web application, which is what the Meraki Dashboard is, I always look for options to integrate it with my existing identity platform, which in my case is Azure AD. The benefits of doing this should be apparent and are not in the scope of this post, but basically I want to control access to all applications with one identity and thus limit the numbers of logons I have to maintain.

Note: Let me just mention that at the time of writing; the SAML SSO feature of the Meraki Dashboard is in Beta.

So let’s look at how we can now integrate Azure AD and Meraki.

Setup

Meraki have provided their own documentation on how to set up SAML SSO with either ADFS or OneLogin, this documentation is available here. But we want to use Azure AD.

Configure SSO

In this section we complete the basic SSO setup.

  1. First enable SAML SSO for your organization. Just enable it for now and press Save.
    merakisamlsso1
  2. Go to the Azure portal and add a new application to your Azure AD tenant. Select to add an application from the gallery and then select Custom. Name your application something like Meraki Dashboard:
    merakisamlsso2
  3. On the page of your newly created application select Configure single sign-on.
  4. Select Microsoft Azure AD Single Sign-On as the sign on method.
  5. For your application identifier and reply URL enter https://dashboard.meraki.com.
    merakisamlsso3
    NOTE: We will change the value of the Reply URL in the following steps.
  6. Download the certificate in Base 64 format and open it.
    merakisamlsso4
  7. On the Details tab, find the certificate thumbprint and copy it.
  8. Go back to the Meraki Dashboard and paste the thumbprint value into the X.509 cert SHA1 fingerprint field. You must replace all spaces with colons. Hit Save. You should now have a Consume URL displayed, it will look something like this:
    https://n150.meraki.com/saml/login/<unique ID>. Copy this value, we need it later. Enter the URL of the Azure AD MyApps portal in the SLO logout URL field. Your complete configuration should now look something like this:
    merakisamlsso5
    The logout URL is where the Meraki Dashboard will redirect users when they sign out, this location should be where they can sign in again, which in this case is the MyApps portal.
  9. Go back to the Azure AD portal and go back one step in the Configure Single Sign-On wizard to enter this value into the Reply URL box. Reply URL is also known as Assertion Consumer Service (ACS) and is where the application expects the authentication response from the IdP. Your final settings should look like this:
    merakisamlsso6
  10. Advance to the page of the wizard where you downloaded the certificate and check the box labelled Confirm that you have configured single sign-on as described above. Checking this will enable the current certificate to start working for this application.
  11. Finish the Configure Single Sign-On wizard.

Configure SAML Roles in your Meraki organization

Now we need to configure roles in Meraki Dashboard to control the level of access that SSO users get. You can configure many roles and granular network access here, but we will create only one role.

  1. Go to the Meraki Dashboard and navigate tot Organization\Administrators.
  2. Find the SAML administrator roles section and select Add SAML role
  3. Name the new role Organization and set organization access to full, do not select any target networks:
    merakisamlsso7

Configure Claims

In this section we configure the claims that the Meraki Dashboard needs to work. Currently Meraki Dashboard requires a username and a role claim, issued using their naming standard.

  1. In the Azure AD portal, go to the Attributes tab of the Meraki Dashboard application.
  2. Add the following attributes:

Attribute name: https://dashboard.meraki.com/saml/attributes/username

Attribute value: user.userprincipalname

Type: User attribute

Attribute name: https://dashboard.meraki.com/saml/attributes/role

Attribute value: Organization

Type: Constant

Feel free to delete any claims you don’t want to send to the Meraki Dashboard.

Configure Access to the Meraki Dashboard application

In this scenario we use Azure AD as the control plane for who gets the Organization role we specified earlier. We do this by assigning the Meraki Dashboard application to the specific users we want to be organization admins.

  1. In the Azure AD portal select the Users and Access tab of the Meraki Dashboard application
  2. Select Show: All Users in the drop down box.
  3. Select the users you want to be organization admins and hit Assign at the bottom of the page.

About Roles in this setup

As you can see from the above configuration, all users that are assigned the Meraki Dashboard application will get full Organization access, based on the role we created This is almost certainly not what you want, but this is just an example. In the Meraki guide for ADFS we see that they use Active Directory groups to select which role is passed in the claim. Unfortunately, the logic to do this is not available in Azure AD at the moment. You cannot select a claim value based on a group. What you can do instead is use a free attribute in either your local Active Directory or Azure AD to specify the name of the Meraki role to give the user. To accomplish this you must first map out all the Meraki roles you need and then provide the names of these roles in the role claim, based on the value of the attribute.

Testing access

Now let’s see if it worked.

  1. Log in to the Azure AD MyApps portal as one of the users that you assigned to the Meraki Dashboard application; https://myapps.microsoft.com.
  2. Meraki Dashboard show now show up as an available application:
    merakisamlsso8
  3. Hit the icon and you should now be forwarded to the Meraki Dashboard.
  4. Notice that your username at the top is now your User Principal Name from Azure AD.
  5. Navigate to Organization\Administrators and hit SAML login history. This will display all SAML logins to the dashboard. Your login should show up here. You can also press the value in the timestamp and you will see more details, and you can even view the entire XML assertion.

Further customization

Hopefully everything is working for you. If you want to further customize this setup you could for example add a logo to your app and remove the claims not needed by the Dashboard. You now also have access to all the advanced access policies of Azure AD and can add MFA and location based access rules and provide delegated self-service access.

Notes about the setup

There are a few things to note about the Meraki SSO support in general and this setup in particular.

  • Meraki Dashboard currently only supports Identity Provider (IdP) initiated sign-on. This means you have to start in the Azure MyApps portal, log in, and then proceed to the Meraki Dashboard by pressing the icon. Going to the dashboard first and trying to log in with an ID from Azure AD (or any IdP) will not work. This last scenario is what is known as Service Provider Initiated sign-on (SPinit). (I’m thinking you should be able to create a smart URL here, but have not have time to test that yet.)
  • If the username of the admin that signs in with SSO is already registered as a regular dashboard admin the sign in will fail.
  • There is already a pre canned Cisco Meraki Dashboard app in the Azure AD application gallery, but this only supports password SSO, which means that you will have to enter your regular Dashboard account login details into the Azure AD credentials vault and then have Azure AD forward those credentials when users sign in. This is not true SSO. However, I recommend you harvest the icons from this app and use in the one you create. (The URL of the logo is: https://az495088.vo.msecnd.net/app-logo/merakidashboard_215.png)

More information

For more information on Meraki Dashboard permissions and administrator types, refer to the article on managing administrative users

Connecting to an Azure AD joined machine with an Azure AD user account over Remote Desktop

Introduction

Windows 10 introduces the ability to join a computer to the cloud directory service Azure AD. This is very similar to the traditional domain join, where you join a computer to an Active Directory domain, run on-premises by one or more Domain Controllers. Both operations lets the computer operate within a common security context and benefit from Single Sign-On (SSO) to all resources that share the same security context. However, joining Azure AD instead of a traditional domain can break things or make them more difficult. There are many examples of this, but the one I want to discuss here is connecting with Remote Desktop (RDP) to an Azure AD joined computer with a user account from Azure AD. Just to be clear; the connection we want to establish is to an Azure AD joined computer, logging on with an account from Azure AD. This account can either be synced from on-premises or be mastered in the cloud, and both federated and password logons are supported. We do not depend on any local accounts on the computer, using tricks such as adding an Azure AD work account to a local account or a Microsoft Account (MSA), this is pure Azure AD.

Connecting Successfully

There are some obvious prerequisites for this to work:

  • The computer must be joined to Azure AD
  • Remote Desktop connections must be enabled and allowed through the host firewall
  • Any other firewall between you and the computer must allow the Remote Desktop protocol

The key to connecting is having Windows 10 present an desktop login screen:

win10rdp2

That means that we must disable any form of single sign-on or integrated authentication. This requires the following steps:

  • On the Windows 10 computer; disable Network Level Authentication (NLA) for Remote Desktop Connections
    Open System Properties and navigate to the Remote tab. Under Remote Desktop; make sure Allow remote connections to this computer is enabled, and that Allow connections only from computers running Remote Desktop with Network Level Authentication is unchecked.
    win10rdp3
    This will disable the ability on the host to require that authentication happens before a user session is created.
  • On the computer you are connecting from create an RDP file and add the following settings to it:
    enablecredsspsupport:i:0
    authentication level:i:2
    Again, these settings disables sending any credentials automatically to the host computer. Leaving Windows with no choice but to display a desktop logon screen. The easiest way to create an RDP file is to open the remote desktop client, enter the name or IP of the computer you want to connect to and then his Save As. This will produce an RDP file that you can add/edit the necessary settings in. For those interested, most of the settings you can specify in an RDP file are listed here. In theory you could also add these settings on the command line, but I have not worked that out.

The last trick to make this work involves the username you specify on the logon screen. It must be in the following format:

AzureAD\<full UPN in Azure AD>

e.g. AzureAD\morgan.simonsen@langskip.no

This is a non-intuitive format for those of us who have connected to Windows over RDP in the past, but it is what works. I have not been able to connect with any other combination of domain, username, DNS domain or UPN, but this may very well change soon.

UPDATE 2015-11-7: On Windows 10 build 10586 the AzureAD prefix is no longer needed. You can just use your UPN.

Closing remarks

When you are joined to Azure AD we are naturally also authenticating against Azure AD, but it might be that you have federated Azure AD against an ADFS server, in which case authentications are redirected back to on-premises. Depending on your setup for authentication you will see the following differences:

Azure AD authenticated users will display the logged on user as: AzureAD\<concatenated display name>. Federated tenants will display the logged on user as <on-premises NetBIOS domain name>\<on-premises sAMAccountName>. This difference is visible if you use the whoami utility or look at the environment variables. Just to be clear, these differences do not have anything to do with remote desktop connections, they are just a consequence of joining Azure AD.

Connecting with a local account to a Windows 10 computer joined to Azure AD would as it does for any other Windows computer.

This is probably not how Microsoft would like us to connect to Azure AD joined machines so we can expect NLA authenticated connections to work some time in the future.

Happy connecting!

Morgan

Some thoughts on Group Policy design

Group Policy has been with us for well over 12 years now and has turned out to be a good tool for deploying configurations to your users, servers and clients. A summary of Group Policy in general is beyond what I want to say here so for anyone looking for that before reading on have a look here.

A major tenet of Group Policy and Active Directory site, domain and OU design is to group users by common denominators and configure Group Policy for them. For instance you might want to use a geographical approach and group your users according to geograpihal location. All users from Europe in one OU and all from Asia in another. Each would get a GPO setting the common configuration that all users in any give location should have. Another approach would be to group by function. Lets say we place all users beloning to our R&D deparment in one OU, regardles of physical location.

Customized claims in ADFS

Introduction

The claims pipeline in ADFS is an interesting piece of software. I recently had a chance to re-familiarize myself with it. A third party SaaS application used an organizations internal employee numbers together with their own customer number for that organization to uniquely identify users. This called for issuing a claim to the SaaS app relying party (a.k.a. service provider) that picked up an attribute from Active Directory containing the internal employee numbers, prepending the SaaS app’s customer number and issuing it as a Name ID claim. Furthermore it was a requirement that the Name ID claim was the only custom claim issued. Of course I wanted the most elegant and efficient solution I could come up with, so that meant the the number of claims rules had to be as low as possible.

To do this kind of thing you have to use custom claim rules. The template rules are not flexible enough, but it is a good idea to use them to create the base claims query language syntax for you. Here is what I ended up with:

Get the employeeID LDAP attribute from Active Directory

c:[Type == “http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname”, Issuer == “AD AUTHORITY”]
=> add(store = “Active Directory”, types = (“http://langskip.no/employeeID”), query = “;employeeID;{0}”, param = c.Value);

This claim rule queries the Active Directory store for the employeeID attribute. If it is present a claim is added to the incoming claims pipeline by using the operator ADD. I store the value of employeeID in a custom type (https://langskip.no/employeeID) which only exists as a temporary placeholder for the value of employeeID. You can use both URLs and URIs to create custom claim types, if you don’t want to go with one of the standard ones. No claim is issued by this rule. That happens in the next rule…

Transform employeeID

c:[Type == “http://langskip.no/employeeID”]
=> issue(Type = “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier”, Value = “350-00” + c.Value);

Next we check for the existence of an incoming claim of type http://langskip.no/employeeID. If it is present we now issue a claim of type nameidentifier. If the statement evaluates to False; no claim is issued. Hopefully the relying party knows what to do in that case. We set the value of the Name ID claim to the SaaS app’s customer ID number plus the employeeID from Active Directory.

The result looks like this in a test app I used for testing:

Claim Type Claim Value
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier 350-00123456

Thoughts on improvements…

I really would have wanted to accomplish this with just one claim rule. If anyone of you reading this knows how to accomplish that; sound off in the comments.

Happy authenticating!

Get-ADUser quirkiness

So I was trying to find all the users in an Active Directory domain that had a manager. Naturally I turned to PowerShell and the Get-ADUser cmdlet.

First I tried this:

Get-ADUser -Properties Manager -Filter { manager -like “*” }

That threw this error:

Get-ADUser : Operator(s): The following: ”Eq’, ‘Ne” are the only operator(s) supported for searching on extended
attribute: ‘Manager’.

OK, so we can only use the operators eq (equals) and ne (not equals) when working with what the Active Directory PowerShell module defines as extended properties. But these only work if you are interested in specific values. I wanted to find any user that had a manager defined, regardless of who it was. So I could not use eq or ne.

So then I did this:

Get-ADUser -Properties Manager -Filter * | where { $_.manager -ne $null }

Which works, but returns every user from Active Directory and then PowerShell does the filtering. Not optimal code. I could have left if there, but you know…

This is what I ended up with:

Get-ADUser -Properties Manager -LDAPFilter “(manager=*)”

This uses the power of filtering within the directory service.

Delegating computer object management tasks

Introduction

The subject of delegating permissions in Active Directory for management of computer objects has been covered many times in many forums. I wanted to try to collect all that information as well as add some refinements of my own.

Rights vs. permissions

In the olden days, back when I was just a wee lad and Windows NT was new, the ability to join a computer to a domain was controller by a user right called Add workstations to domain. This user right is only valid on domain controllers. Any use who had this right could join computers to a Windows NT domain. The user right still exists and is in use even on Windows Server 2012 R2 Domain Controllers running Active Directory domains. When users join their computers to the domain using their own credentials they do it using this user right. It is, in fact, the only option available to them, since no regular users are granted any permissions over computer objects in Active Directory by default.

Back in the NT era this right was granted to the Users group and there was no limit to how many computers any give user could add to the domain. When Windows 2000 came along and with it Active Directory the user right was changed to apply to the Authenticated Users security principal and any one user could only add 10 computers to a domain by default. But the preferred way for Active Directory was to use permissions in the directory service to control object creation, modification and deletion…

Active Directory has a very fine grained permissions set allowing you to set permissions for objects as well as their properties. These permissions work the same way as the rest of the authorization model in Windows does by using Access Control Lists (ACL) with security principals and their permissions listed in individual Access Control Entries (ACE). Permissions can be granted anywhere in the hierarchy and inherited down to objects and containers. Granting permissions in Active Directory to someone or something is often called delegation. Computer objects are of course also included in these permissions and we can create much better delegation of control than we could with just a global user right.

We’ll cover three delegation of control scenarios regarding computer object management in this post:

  1. Allowing a security principal to join (add) a computer to a domain
  2. Allowing a security principal to join and re-join a computer to a domain
  3. Allowing a security principal to rename a computer in a domain
  4. Allowing a security principal to move computer objects in a domain

You can of course combine any of these.

Creating a computer object and changing its properties is what is required to join a computer to the domain. The container could be the Computers container or any other OU or container, including the domain itself but I do not recommend that.

When a computer joins an Active Directory domain without specifying a path, it is placed in the Computers container. The Computers container is not an OU and so it cannot have Group Policy Objects linked to it or have sub containers or OUs. If you are fine with all computer objects being created in this container you can delegate the permissions below to the Computers container

1. Allowing a security principal to join (add) a computer to a domain

First out is the most common scenario; join a computer to an Active Directory domain. As stated earlier it is not necessary to delegate this to regular users since the very few cases where they join their own computers to a domain should be covered by the Add workstation to domain user right. One exception to this is if you want to tighten down security and remove all security principals from this user right. In that case, if you still want to allow regular users to be able to join computers to a domain you have to delegate permissions to them. The more common case is that whatever deployment solution you use adds the computers to the domain. This is by far the best solution since very few users have any idea what a domain is.

A best practice is to create a service account used only for adding computers to the domain. This account should be clearly labeled, have a strong password and not have any other rights or permissions in you directory except the ability to join the domain. That being said the procedure below works for any security principal you want to delegate permissions to join the domain for.

  1. Identify the security principal that you want to delegate permissions for
    This can be any security principal; user, group etc.
  2. Identify the container or OU where you want to allow users to manipulate computer objects
  3. Right click the container or OU you selected and select Delegate Control…
    image
  4. The Delegation of Control Wizard opens, hit Next
    image
  5. The Users or Groups window opens:
    Select the security principal you want to grant permissions to, then hit Next again.
    image
  6. The Tasks to Delegate window opens:
    Select Create a custom task to delegate and hit Next
    image
  7. The Active Directory Object Type window opens:
    Select Only the following objects in the folder and select Computer objects, select Create selected objects in this folder and finally hit Next
    image
  8. The Permissions window opens
    Select Property-specific and select Read All Properties. This is actually redundant since this permissions are already granted to the Authenticated Users principal, but the delegation of control wizard will not let you continue without selecting something on this screen.image
  9. Finally the Completing the Delegation of Control Wizard window opens showing you a summary of your actions. Hit Finish.
    image

    Delegation of Control Wizard Summary

You chose to delegate control of objects
in the following Active Directory folder:

    saferoad.com/Computers

The groups, users, or computers to which you
have given control are:

    Domain Join Account (SvcJoinComputerToDom@saferoad.com)

They have the following permissions:

    Read All Properties

For the following object types:

    Computer

    The selected principals can now join computers to the domain.

2. Allowing a security principal to join and re-join a computer to a domain

    The second scenario; allowing a principal to also re-join a computer to a domain requires some additional permissions. This is useful if you want to have a service account that can manage all computer accounts, also existing ones. System Center Configuration Manager for example requires these permissions.
  1. Identify the security principal that you want to delegate permissions for
  2. Identify the container or OU where you want to allow users to create and configure computer objects
  3. Right click the container or OU you selected and select Delegate Control…
    image
  4. The Delegation of Control Wizard opens, hit Next
    image
  5. The Users or Groups window opens:
    Select the security principal you want to grant permissions to, then hit Next again.
    image
  6. The Tasks to Delegate window opens:
    Select Create a custom task to delegate and hit Next
    image
  7. The Active Directory Object Type window opens:
    Select Only the following objects in the folder and select Computer objects, select Create selected objects in this folder and Delete selected objects in this folder, and finally hit Next
    image
  8. The Permissions window opens
    Select Property-specific and select these individual permissions:
    – Reset Password
    – Read and write Account Restrictions
    – Validated write to DNS host name
    – Validated write to service principal name
     
    image
  9. Finally the Completing the Delegation of Control Wizard window opens showing you a summary of your actions. Hit Finish.
    image

      Delegation of Control Wizard Summary

    You chose to delegate control of objects
    in the following Active Directory folder:

    <domain>/Computers

The groups, users, or computers to which you
have given control are:

    Domain Join Account (SvcJoinComputerToDom@<domain>)

They have the following permissions:

    Reset password
    Read and write account restrictions
    Validated write to DNS host name
    Validated write to service principal name

For the following object types:

    Computer

    The selected principals can now join computers to the domain as well as re-join computers when the computer account already exists.

3. Allowing a security principal to rename a computer in a domain

Here goes no. 3…

 
  1. Identify the security principal that you want to delegate permissions for
  2. Identify the container or OU where you want to allow users to create and configure computer objects
  3. Right click the container or OU you selected and select Delegate Control…
    image
  4. The Delegation of Control Wizard opens, hit Next
    image
  5. The Users or Groups window opens:
    Select the security principal you want to grant permissions to, then hit Next again.
    image
  6. The Tasks to Delegate window opens:
    Select Create a custom task to delegate and hit Next
    image
  7. The Active Directory Object Type window opens:
    Select Only the following objects in the folder and select Computer objects and hit Next 
    image
  8. The Permissions window opens
    Select Property-specific and select Write All Properties.
    Scroll down an add these individual permissions as well:
    – Validated write to DNS host name
    – Validated write to service principal name
     
    image
  9. Finally the Completing the Delegation of Control Wizard window opens showing you a summary of your actions. Hit Finish.
    image

      Delegation of Control Wizard Summary

    You chose to delegate control of objects
    in the following Active Directory folder:

        saferoad.com/Computers

    The groups, users, or computers to which you
    have given control are:

        Domain Join Account (SvcJoinComputerToDom@saferoad.com)

    They have the following permissions:

        Write All Properties
        Validated write to DNS host name
        Validated write to service principal name

    For the following object types:

        Computer

    The selected principals can now rename a computer in a domain.

4. Allowing a security principal to move computer objects in a domain

    The last one is a little more involved as it requires changing permissions on both the source container/OU and the destination. The destination container/OU requires the same permissions as in scenario 1 so set those. Follow these steps to configure the source container/OU:

    1. Identify the security principal that you want to delegate permissions for
    2. Identify the container or OU where you want to allow users to create and configure computer objects
    3. Right click the container or OU you selected and select Delegate Control…
      image
    4. The Delegation of Control Wizard opens, hit Next
      image
    5. The Users or Groups window opens:
      Select the security principal you want to grant permissions to, then hit Next again.
      image
    6. The Tasks to Delegate window opens:
      Select Create a custom task to delegate and hit Next
      image
    7. The Active Directory Object Type window opens:
      Select Only the following objects in the folder, select Computer objects and , select Delete selected objects in this folders, hit Next 
      image
    8. The Permissions window opens
      Select Property-specific and select Write All Properties
      image
    9. Finally the Completing the Delegation of Control Wizard window opens showing you a summary of your actions. Hit Finish.
      image

        Delegation of Control Wizard Summary

      You chose to delegate control of objects
      in the following Active Directory folder:

          saferoad.com/Computers

      The groups, users, or computers to which you
      have given control are:

          Domain Join Account (SvcJoinComputerToDom@saferoad.com)

      They have the following permissions:

          Write All Properties

      For the following object types:

          Computer

    More information

    There is an interesting distinction between joining a domain by exercising the user right Add workstation to the domain and using delegated permissions. If you join by the user right the owner of the resulting computer object is the Domain Administrators group, but if you join by delegated permissions the owner is the user who actually performed the join. Also if a principal has both the user right and delegated permissions, delegated permissions take precedent and are used to join the computer to the domain. A recommended best practice her would be to remove all principals from the user right and just rely on permissions. You do that by applying a policy to your domain controllers where no principal has the user right:

    image

    The location of the user right is:

    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment

    You could also increase the default quota of 10 computer accounts added to the domain per user, but I do not recommend that. I essence you are copying the settings from Windows NT to your Active Directory domain and do not take advanced of the advanced delegation model in Active Directory. For completion here is how to change the quota:

    From any editor capable of displaying and changing individual attributes of Active Directory objects; display the properties of the domain NC. Locate the ms-DS-MachineAccountQuota property and change it to your desired value:

    image

    Links

    Here are a few links for further info:

    Recommendations for LDAP lookup accounts and connections in Active Directory

    Introduction

    From time to time someone may want to access your Active Directory Directory Service with LDAP. Usually from a system or location that you view as unsecure or untrustworthy. Examples are printers that do directory lookups to send scanned documents by e-mail and external systems where a provider needs information about your users to provide them service. The querying party is often an open source implementation of an LDAP client. Here is some advice about how to configure such a setup.

    Connecting

    All Active Directory Domain Controllers provide LDAP over TCP and UDP ports 389, and Secure LDAP (LDAP-S) over TCP port 636, by default. If there is a firewall between your Domain Controller and the connecting system you will have to allow and/or forward the required ports. For any connection you should always use LDAP-S, especially for connections that traverse untrusted networks, e.g. the Internet. For recent versions of Windows Server the host firewall is enabled by default and the inbound rules for LDAP and LDAP-S are automatically enabled when the server is promoted to a domain controller. Depending on your network firewalls you may have to enable Allow edge traversal. You do this from the properties of the rule in the Windows Firewall with Advanced Security console:

    image

    Selecting a DC

    Choosing which DC the LDAP client connects to is either configured by you or located automatically. A Windows machine that is a member of a domain knows how to find LDAP servers in its domain, which it does by querying DNS. A lot of Active Directory discovery is done by DNS in Windows. A Windows client will typically query DNS for A (host) records for its own domain to find which servers are writable LDAP servers. All RW DCs register an A record for the domain name to indicate they are LDAP servers. Alternatively a Windows client can also query for SRV (service) records for _ldap._tcp.dc._msdcs.<DNS domain name>. The DC Locator component, implemented by the NETLOGON service on a Windows machine performs these queries. When a Windows client wants to log on to a domain it uses SRV records. But the fact that a Windows machine that is joined to a domain can find LDAP servers by using DNS does not mean that an application running on it can do the same, or take advantage of the information found by the DC Locator component. Very often an application that uses LDAP implements its own LDAP configuration and service discovery. Typically LDAP servers are either found by querying DNS for either A, CNAME, TXT or SRV records as specified by you, or LDAP servers a statically configured. If the connecting system is on your internal network then the best option would be for it to use DNS to discover LDAP servers based on the DNS name of the domain. That way the system will continue to function even if you introduce new or retire old domain controllers. If that is not possible try using an A record as an alias; like ldap.<DNS domain name>. The you can statically configure your LDAP client to connect to that name. If any change occurs in your directory service, all you have to do is update the alias. You can even have more than one record for the same alias and DNS will serve them up randomly. If the connecting system is outside your network and does not have access to your internal DNS zones, you are left with statically configuring it using either an IP address or an FQDN which is resolvable outside of your network.

    Some more info:

    Certificates

    The domain controller needs a certificate to be able to supply LDAP-S. You can in theory use a certificate signed by any authority, including a self signed one, as long as the connecting party either trust the signer or ignores certificate errors. The following KB article goes into details about the specific LDAP certificate requirements for domain controllers:

    It is not possible to configure a specific certificate for LDAP if there are several to choose from. The aforementioned KB article explains the certificate selection process that the DC uses.

    It is also a good idea to provide the connecting party with a base DN from which to start a search, although you cannot stop them from changing it.

    Account

    After the connection is established the connecting party needs to authenticate to access the directory. The most common form of authentication in this scenario is a username and password combination. Since Active Directory is its own authentication provider you will need to create an account in AD and provide the connecting party with the domain, username and password information. This account will be an implicit member of the Authenticated Users group when it is logged on and thus have the same access rights in the directory as the Authenticated Users principal has. Unless you have changed your directory considerably Authenticated Users will have read access to most of your Active Directory. Changing this is not a trivial task and would require you to change the very basic authorization settings of your directory, and since these settings are enforced on a schedule by the DS you will have to create your own way of making them stay changed.

    Any user account you opt to use will also be a member of the Domain Users group. This grants it certain rights in your domain that you might not want such an account to have. For example a member of Domain Users can log on to computers in your domain by power of the fact that Domain Users is a member of the Users group on every member computer in the domain. I recommend creating a new global security group, called NO_PRIVILEGE for example, and add the account to that group, and at the same time removing the account from Domain Users. By doing this you will revoke any permissions Domain Users has from the account. You cannot just remove it from Domain Users, since every user account in Active Directory must have a primary group associated with it. The NO_PRIVILEGE group will  become that new primary group once Domain Users membership is revoked.

    Testing

    To test if your setup work I recommend an LDAP browser or explorer. Windows includes one called LDP.EXE and it is quite good, but since it cannot ignore certificate errors, it might not work in all scenarios. Here are a couple of alternatives:

    I find that LDAP Admin servers all my needs. It even alerts you to certificate errors and lets you view the certificate and continue if you so choose.

    To test if the required ports are open and forwarded you can also use the PortQry utility from Microsoft. Here is an example command to check for LDAP-S:

    .PortQry.exe –n <my DC FQDN> -p TCP -e 636

    Tip

    To ignore certificate errors in LDAP on open source systems I recommend doing a search for TLS_REQCERT and LDAPTLS_REQCERT.

    Active Directory Domain Controllers and certificate auto-enrollment

    Introduction to auto-enrollment

    Auto-enrollment is a useful feature of Active Directory Certificate Services (AD CS). It allows the administrator to configure subjects to automatically enroll for certificates, retrieve issued certificates, and renew expiring certificates without requiring subject interaction. The subject does not need to be aware of any certificate operations, unless you configure the certificate template to interact with the subject. A subject in this case can be either a user account or a machine account. (And just a reminder; certificate auto-enrollment is only possible with version 2 certificate templates and these are only available with a Windows Server 2003 Enterprise based Certificate Authority or newer, and a domain with the Windows Server 2003 schema or newer.)

    Auto-enrollment is configured through Group Policy and can be set for both types of subjects; users and computers. The location in a GPO is:

    • Computer: Computer ConfigurationWindows SettingsSecurity SettingsPublic Key PoliciesCertificate Service Client – Auto-enrollment
    • User: User ConfigurationWindows SettingsSecurity SettingsPublic Key PoliciesCertificate Service Client – Auto-enrollment

    The dialog box is identical and looks like this when enabled:

    image

    Just for reference, here is how this dialog looked in Windows XP/Windows Server 2003:


    Back then it was located under User/Computer ConfigurationWindows SettingsSecurity SettingsPublic Key PoliciesAutoenrollment Settings.

    While in the computer part of the GPO you will also notice another setting which deals with auto-enrollment:

    Computer ConfigurationWindows SettingsSecurity SettingsPublic Key PoliciesAutomatic Certificate Request Settings

    This settings configures which types of certificates a computer should automatically enroll for; Computer, Domain Controller, Enrollment Agent (Computer) or IPSec. This setting has no value by default, instead you have to complete a short wizard to add a value to it by right-clicking and selecting New: Automatic Certificate Request. This will bring up the wizard:

    image image image

    The steps above will lead to the following setting:

    image

    The first setting mentioned, Certificate Service Client – Auto-enrollment, controls whether and how auto-enrollment should be performed. This setting, on the other hand, specifies which certificate template to request certificates for. In some cases the client know which templates it wants certificates from, and only needs to be told to auto-enroll. Other times you have to specify this setting as well to tell the client about the certificates templates you want it to auto-enroll based on. The Automatic Certificate Request Settings key is only available in a domain based GPO, not in local policy. For detailed information about this setting look here:

    Auto-enrollment of certificates is triggered by one of these events:

    • Computer reboot and subsequent Group Policy application/refresh
    • Interactive logon and subsequent Group Policy application/refresh (Winlogon.exe calls userinit.exe that performs the auto-enrollment based on Group Policy.)
    • Group Policy refresh, either periodic or forced
    • certutil.exe –pulse command

    By default there are no auto-enrollment settings configured in a Windows domain. Neither the Default Domain Policy nor the Default Domain Controllers Policy contain auto-enrollment settings so none of your computer or user accounts will automatically enroll for any certificates. There are, however, a few exceptions to this rule. One, of which, are  Domain Controllers.

    Enhanced event logging for auto-enrollment

    To understand certificate auto-enrollment it helps to enable enhanced logging. By default, auto-enrollment logs errors/failures and successful enrollments in the Application Event log on the client machine.

    To enable enhanced logging of auto-enrollment processes, the following registry values must be created:

    User Auto-enrollment

    HKCUSoftwareMicrosoftCryptographyAutoenrollment

    Create a new DWORD value named AEEventLogLevel; set value to 0.

    Machine Auto-enrollment

    HKLMSoftwareMicrosoftCryptographyAutoenrollment

    Create a new DWORD value named AEEventLogLevel, set value to 0.

    Note All failures and errors are automatically logged. It is not necessary to enable the registry key to turn on failure logging.

    Certificate templates

    According to TechNet: Enterprise certification authorities (CAs) use certificate templates to define the format and content of certificates, to specify which users and computers can enroll for which types of certificates, and to define the enrollment process, such as auto-enrollment, enrollment only with authorized signatures, and manual enrollment. Associated with each certificate template is a discretionary access control list (DACL) that defines which security principals have permissions to read and configure the template, as well as to enroll or auto-enroll for certificates based on the template. The certificate templates and their permissions are defined in Active Directory® Domain Services (AD DS) and are valid within the forest. If more than one enterprise CA is running in the Active Directory forest, permission changes will affect all enterprise CAs.

    Read the whole text here.

    Domain Controller related certificate templates

    Domain controllers are interested in the following certificate templates, but depending on the DCs operating system version and the CA’s OS version it depends on what they prefer:

    Name Description Key Usage Subject Type Applications used for enhanced key usage Application policies or enhanced key usage
    Domain Controller Used by domain controllers as all-purpose certificates and is superseded by two separate templates: Domain Controller Authentication and Directory E-mail Replication Signature and encryption DirEmailRep Client authentication
    Server authentication
    4.1
    Domain Controller Authentication Used to authenticate Active Directory computers and users Signature and encryption Computer Client authentication
    Server authentication
    Smart card logon
    110.0
    Directory E-mail Replication Used to replicate e-mail within AD DS Signature and encryption DirEmailRep Directory service e-mail replication 115.0
    Kerberos Authentication New in Windows Server 2008, this template is similar to the Domain Controller Authentication template and offers enhanced security capabilities for Windows Server 2008 domain controllers authenticating Active Directory users and computers Signature and encryption Computer Client authentication
    Server authentication
    Smart card logon
    KDC authentication
    110.0

    The Kerberos Authentication template deserves special mention. Again, from TechNet:

    Kerberos Authentication Template

    The purpose of the Kerberos Authentication template is to issue certificates to domain controllers, which present the certificates to client computers during user and computer network authentication. Certificates issued via this new template contain two specific attributes. Rather than relying on the DNS name of the computer, applications can verify the following:

    • The enhanced key usage extension of the certificate contains Key Distribution Center (KDC) authentication.
    • The domain name is in the subject alternative name extension of the certificate.

    By the authority of the issuing CA, these attributes prove that the computer presenting the certificate is a domain controller for the domain contained in the subject alternative name. This new template is recommended for domain controllers running Windows Server 2008. For domain controllers running Windows Server 2003, the Domain Controller Authentication template or the Kerberos Authentication template can be used.

    Client computers running Windows Vista, Windows Server 2008 or later can be configured to check for the new enhanced key usage entry by enabling strong KDC validation on the following registry entry:

    HKLMSYSTEMCurrentControlSetControlLsaKerberosParameterskdcvalidation

    The default value of 0 disables strong KDC validation. To enable strong KDC validation, set this DWORD value to 2.

    The following table shows which certificate template can be used for CAs running different versions of Windows, based on which version of Windows the domain controller is running.

    Domain Controller Windows2000 Server-based CA (version 1 only) Windows Server 2003-based CA Windows Server 2008-based CA
    Windows 2000 Server (enroll for version 1 templates only) Domain Controller Domain Controller Domain Controller
    Windows Server 2003 Domain Controller Domain Controller
    or
    Domain Controller Authentication
    Directory E-mail Replication
    Kerberos Authentication or Domain Controller Authentication
    Directory E-mail Replication
    Windows Server 2008 Domain Controller Domain Controller
    or
    Domain Controller Authentication
    Directory E-mail Replication
    Kerberos Authentication
    Directory E-mail Replication
    Windows Server 2012 Domain Controller Domain Controller
    or
    Domain Controller Authentication
    Directory E-mail Replication
    Kerberos Authentication
    Directory E-mail Replication

    Note

    If the CA administrator has not manually assigned the Domain Controller Authentication and Directory E-mail Replication certificate templates to a Windows Server 2003–based CA or a Windows Server 2008–based CA, domain controllers running Windows Server 2003 still use the default Domain Controller certificate template. If a Windows Server 2008–based CA is available and configured to issue the Kerberos Authentication template, a domain controller running Windows Server 2003 or Windows Server 2008 will enroll for a Kerberos Authentication certificate, even if it already has a Domain Controller Authentication certificate.

    The Kerberos Authentication certificate template is fully backward-compatible with the previous domain controller templates; for example, when the domain controller has a Kerberos Authentication certificate, smart card logon can be performed even with a client computer running Windows 2000 Professional.

    The following table shows the default templates in Windows Server 2008 and Windows Server 2003.

    Template name Windows 2000 Server Windows Server 2003 Windows Server 2008/2012
    Directory E-mail Replication X
    Domain Controller X X X
    Domain Controller Authentication X
    Kerberos Authentication X

    Domain Controller auto-enrollment behavior

    It depends when Domain Controllers auto-enroll for the different certificates listed in this post. All domain controllers are hard coded to automatically enroll for a certificate based on the Domain Controller template if it is available for enrollment at a certificate authority in the forest. Hard coded in this case means it is in the code, it is not configured in any local or domain based policy. This is one of the few cases where Windows will auto-enroll for a certificate without auto-enrollment being configured in Group Policy. If the Domain Controller certificate template is not available and enhanced logging for auto-enrollment is enabled you will see the following event in the Application log of a domain controller:

    Event ID: 47

    Message: Certificate enrollment for Local system could not enroll for a DomainController certificate.  A valid certification authority cannot be found to issue this template.

    Unless you configure auto-enrollment; that is that. The DC will not auto-enroll for any other certificate on its own. However, if you do enable auto-enrollment, preferably at the domain level so the settings applies to all computers/users in your domain, the behavior changes.

    To enable auto-enrollment you need to configure a domain GPO like this:

    image

    This will enable auto-enrollment, renew, update and remove certificates and do all these for certificates based on templates.

    Now since auto-enrollment is enabled, the Domain Controllers change their behavior. After a new auto-enrollment is triggered we will the the following events (in reverse order) in the Application log of enhanced logging is enabled:

    Event ID: 47
    Message: Certificate enrollment for Local system could not enroll for a KerberosAuthentication certificate.  A valid certification authority cannot be found to issue this template.

    Event ID: 47
    Message: Certificate enrollment for Local system could not enroll for a DomainControllerAuthentication certificate.  A valid certification authority cannot be found to issue this template.

    Event ID: 47
    Message: Certificate enrollment for Local system could not enroll for a DirectoryEmailReplication certificate. A valid certification authority cannot be found to issue this template.

    Event ID: 57
    Message: The “Microsoft Platform Crypto Provider” provider was not loaded because initialization failed.

    Event ID: 56
    Message: Certificate enrollment for Local system for the template DomainController was not performed because this template has been superseded.

    Let’s look  at these from bottom to top:

    ID 56 indicates that the DC has now switched from the hard coded behavior of requesting a certificate based on the Domain Controller template. Since auto-enrollment is now enabled it knows that that certificate template has been superseded. The next events with ID 47 informs us that although the DC would now like to use the new templates, they are not available on any CA in the forest.

    As we can see from a previous table in this post, all CAs have the Domain Controller template in their default template list, meaning they can all support the “legacy” hard-coded behavior of any DC to request a certificate based on that template. However, as we have seen, when auto-enrollment is enabled the DC’s preference changes to prefer templates that supersede this template. The Domain Controller E-mail Replication (v2) and Domain Controller Authentication (v2) templates both supersede the Domain Controller (v1) template, and if they are available a DC prefers those. The Kerberos Authentication certificate is even more preferred by DC and they will enroll for a certificate based on this template even if they already have a certificate based on either the Domain Controller (v1) template or the Domain Controller Authentication (v2) template. The Kerberos Authentication certificate is fully backwards compatible with the other templates and can be used for smart card logon. So lets enable the templates and see how the DC’s behavior changes.

    First lets enable the legacy Domain Controller template:

    On the CA: certutil.exe -SetCAtemplates +DomainController
    On the DC: certutil-exe –pulse

    This will change nothing since the DC is now configured for auto-enrollment as knows that the Domain Controller Template is superseded. The DC will log a warning that the Domain Controller template has been superseded and the the Domain Controller Authentication, Directory E-mail Replication and Kerberos Authentication templates are all unavailable. So let’s enable the next template; Domain Controller Authentication:

    On the CA: certutil.exe -SetCAtemplates +DomainControllerAuthentication
    On the DC: certutil-exe –pulse

    The DC will now successfully auto-enroll for and receive a certificate based on this template. A new event will be generated in the Application log:

    Event ID: 19
    Message: Certificate enrollment for Local system successfully received a DomainControllerAuthentication certificate with request ID <#> from certification authority <CA Name>.

    Warnings are still generated for the Directory E-mail Replication and Kerberos Authentication template based certs. They are still unavailable.

    OK, let’s enable the next template; Directory E-mail Replication:

    On the CA: certutil.exe -SetCAtemplates +DirectoryEmailReplication
    On the DC: certutil-exe –pulse

    The DC will now successfully auto-enroll for and receive a certificate based on this template. A new event will be generated in the Application log.

    Event ID: 19
    Certificate enrollment for Local system successfully received a DirectoryEmailReplication certificate with request ID <#> from certification authority <CA name>.

    Again, there will be warnings for the Kerberos Authentication template certificate.

    Last template: Kerberos Authentication:

    On the CA: certutil.exe -SetCAtemplates +KerberosAuthentication
    On the DC: certutil-exe –pulse

    The DC will now successfully auto-enroll for and receive a certificate based on this template, even though it already has certificates based on the Domain Controller Authentication and Directory E-mail Replication templates. A new event will be generated in the Application log:

    Event ID: 19
    Certificate enrollment for Local system successfully received a KerberosAuthentication certificate with request ID <#> from certification authority <CA name>.

    Still, there will be a warning about the Domain Controller template being superseded. This will happen as long as enhanced logging is enabled.

    Now the DC will have three certificates based on the Domain Controller Authentication, Directory E-mail Replication and Kerberos Authentication templates. And just to make this perfectly clear; the DC will request always request a certificate based on each of these three templates if they are available.

    Tips and tricks

    • If your want to check the status of the certificates on your DC; run certutil.exe –DCInfo. It will enumerate all your DCs and check their certificates.
    • To reinstall the default certificate templates that come with your version of Windows Server into the Configuration NC; run certutil.exe –InstallDefaultTemplates. Note: this will not set up any CAs to issue any templates, just reinstall the template definitions into your Active Directory forest. To list your current templates from Active Directory; run certutil.exe –Templates.

    More information

    Oh, and in case you are wondering, the other exception to the default “no auto-enrollment” behavior is EFS, which will always attempts to enroll for the Basic EFS template. The EFS driver generates an auto-enrollment request that Auto-enrollment tries to fulfill.

    How not to improve the security of your ADFS deployment

    Introduction

    I was involved in an ADFS deployment recently where the customer wanted to restrict access from the Internet to their ADFS proxy servers, located on their DMZ. They used ADFS to federate with Windows Azure Active Directory so they only wanted to allow traffic from the Microsoft Online Security Token Service (STS) servers into their ADFS. The rational behind this was that only a trusted party (Microsoft) should be able to communicate with an externally available service in their network. A good theory, but one doomed to failure. Let me explain why…

    The WS-Federation Passive Requestor Profile

    ADFS is Microsoft’s implementation of the OASIS group’s WS-* suite of protocols and mechanisms. A complete description of WS-*  is way beyond this post, but I will list some resources at the end of this post for the inquisitive among you. One of the purposes of the WS-* standard is to allow:

    “different security realms to federate, such that authorized access to resources managed in one realm can be provided to security principals whose identities and attributes are managed in other realms”

    In other words, to outsource authentication to somebody else that you trust.

    The letters WS stand for Web Service, meaning that WS-* is created to work on the Internet, something e.g. Kerberos is not designed to do. Let’s look at a few pieces of WS-* terminology:

    • Requestor
      The client that wants access to some resource/content/service. Often a browser. Requestors are broadly split into two groups; those that can emit Web Service messages using SOAP and those that cannot. (Remember this last bit because it is important.)
    • Relying party (RP)
      The content provider that has something that a user wants access to. The RP has delegated the task of authentication to somebody else; the Identity Provider (IdP)/Security token Service (STS). The RP trusts the IdP/STS. In the Windows world an RP is often an IIS server with the Windows Identity Foundation (WIF) framework installed.
    • Identity Provider (IdP)
      A secure storage of identity information that also provides authentication mechanisms, allowing a Security Token Service (STS) to use it to authenticate. Active Directory is ADFS’ IdP.
    • Security Token Service (STS)
      A service that receives authentication requests from clients, authenticates them via its configured IdP, and issues tokens to clients, to be used at the RP.
    • Trust
      A relationship between the RP and the IdP/STS established with digital certificates whereby the RP trusts the IdP/STS.

    A browser cannot emit web service requests, i.e. it cannot talk SOAP, so it uses something called the WS-Federation Passive Requestor Profile (PRP). WS-Federation is an extension to the WS-Trust specification that allows requestors that cannot talk SOAP to still exchange security information (tokens). They do this by being passive, meaning they rely on the RP and IdP to tell them what to do.

    An implementation of this can look like this:

    image

    This is what happens when the passive requestor profile is used to obtain access to a resource:

    1. The requestor contacts the resource asking for access. The resource is the RP.
    2. The RP know the requestor’s security realm so it sends an HTTP redirect instructing the requestor to authenticate at its own realm.
    3. The requestor follows the redirect to its own realm where it is authenticated by its IdP/STS.
    4. In the request for authentication the requestor has included the URI of the resource it wants to access to. After the IdP/STS has authenticated the requestor, it sends another HTTP redirect back to the original resource. Included with the redirect is also a token, possession of which assures that the user has been authenticated.
    5. The requestor follows the redirect back to the original resource supplying the token and gains access to the resource.

    The most important thing to note here is that when using the Passive Requestor Profile the RP and IdP/STS never need to communicate directly. It is only the requestor that needs to talk to all the involved parties.

    Usually the RP is also an IdP/STS. In the case of Windows Azure Active Directory and federation with an on-premise Windows Server Active Directory the WAAD IdP/STS trusts your on-premise IdP/STS. This allows a single trust to be established. If not each RP would have to maintain its own trust with the IdP/STS.

    So now that we know how the Passive Requestor Profile works how would this impact my customer’s request to only allow Microsoft’s STS to talk to its ADFS servers?

    Security

    Answer is that it would break it and no one would be able to access any resource in the Microsoft cloud. As we have seen it is not the WAAD STS that communicates with on-premise ADFS, or the other way around, it is the requestors, i.e. the clients. So restricting access would deny every client access to on-premise ADFS, and thus any resource they want to access. Don’t do that.

    Other stuff and more info

    The customer had actually started working on this “security improvement” before I got involved and had already discovered IPs they needed to allow. For the curious, the name of the Microsoft STS is login.microsoftonline.com, which is a CNAME that resolves to the A record login.microsoftonline.com.nsatc.net. The A record has several records (I do not know if this is a complete list):

    • 157.56.53.213
    • 157.56.58.13

    To restrict access and always use least privilege is a very good idea, in this case it just backfired because how the system works was not known.

    If you want to know more about WS-*, ADFS etc., you can have a look at these resources:

    Be secure!