Jun 6, 2012 6:46:35 AM
ADFS with Non-Standard HTTPS Port

Recently, CSS was requested by a client to implement an AD FS 2.0 (ADFS) federation solution to meet a very unique security requirement associated with scenarios of external access to internally hosted services.

  • Security Requirement- The client’s firewall policy does NOT allow network traffic on TCP port 443 from the DMZ to the internal network. All HTTPS traffic must use alternative ports from the DMZ to the internal network. This means that the ADFS proxy server in the DMZ could not use the standard HTTPS TCP port 443 for communication with the ADFS federation server in the internal network.
  • Proposed Solutions- Generally, there are two solutions to meet this security requirement while also meeting ADFS requirements.

For additional information about related ADFS requirements, please refer to: Using a Third-Party Proxy as a Replacement to an AD FS 2.0 Federation Server Proxy http://technet.microsoft.com/en-us/library/hh852618(v=ws.10).aspx

The first solution is to have network devices handle port mapping exclusively without changing ports on ADFS proxy server and ADFS server. In other words, all ADFS participating components are still using standard HTTPS 443 port as usual.

The following diagram shows the logical view of the first solution:

We have successfully deployed this solution in the client production environment. However, this solution depends on how specific network devices handle port mapping, we won’t go into that here, but instead show an alternative solution.

The second solution is to leverage an out of the box (OOTB) ADFS proxy server configuration option which is to use an “HTTP proxy server” when sending requests to ADFS server.

The following diagram shows the logical view of the second solution:

The following diagram shows the configuration option of ADFS proxy server:

In this solution we configure the ADFS proxy server to “Use an HTTP proxy server when sending requests to this Federation Service." An alternative port (e.g. 8080) can then be specified to reach an HTTP Proxy server in the internal network.

For additional information, please refer to: Configure a Computer for the Federation Server Proxy Role: http://technet.microsoft.com/en-us/library/dd807067(v=ws.10).aspx

Suggested Configuration Procedures to validate this second solution in your environment include:

  • Install a network “sniffer”, for example WireShark (http://www.wireshark.org/), that can see the traffic from the ADFS proxy towards the internal network. Use this to gather the request and response messages during the configuration process.
  • Before configuring ADFS proxy server with the HTTP proxy server option, directly configure internet explorer (IE) on the ADFS proxy to use the HTTP proxy server:

On ADFS proxy server, configure IE to use a proxy:

IE > tools > internet options > [connections] > LAN Settings > Proxy server > [advanced]

Use IE to request federation metadata from ADFS server (https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml ) to validate proper operation and that no SSL certificate warnings are produced.

To see more details of the traffic out of the ADFS proxy you can use a local proxy that is capable of decrypting HTTPS, such as Fiddler (http://www.fiddler2.com/). Using this tool you can observe the HTTP flow from both IE and the ADFS proxy itself.

Be sure to enable the tool to connect to the HTTP proxy, in Fiddler this is accomplished using the “chain to upstream gateway” option.

Fiddler > tools > fiddler options > Connections > [x] chain to upstream gateway

You will normally also need to disable Channel Binding on ADFS Server for authentication to succeed.

The HTTP proxy component behaves like a “man in the middle” in AD FS 2.0 deployments. IIS on the AD FS 2.0 server automatically protects against man in the middle attacks using a Channel Binding Token (CBT).

For additional information on CBT and Extended Protection for Authentication, please refer to: Forefront UAG and AD FS 2.0 supported scenarios and prerequisites http://technet.microsoft.com/en-us/library/gg470578.aspx

Configuring Advanced Options for AD FS 2.0 http://technet.microsoft.com/en-us/library/hh237448%28WS.10%29.aspx

  • Additional Tech Notes

When decoding the SSL session with Fiddler one should be able to trace the federation flow by observing the clear text message via Fiddler.

Example 1:

The ADFS proxy server collects the user credentials by presenting the login page. Once the user submits the credentials, the ADFS proxy server requests a security token on behalf of a user by making a web service HTTP POST call to the ADFS server. Along with the request, the ADFS proxy server inserts the collected credentials in the Username Token element in the SOAP message below:

POST https://adserver.jacob.com/adfs/services/trust/proxytrust HTTP/1.1

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

<s:Header> ....

<s:Body>

<t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">

<ReplyTo xmlns="http://schemas.microsoft.com/ws/2008/06/identity" />

<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">

<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">

<wsa:Address>microsoft:identityserver:http://adfs.example.com/adfs/services/trust</wsa:Address>

</wsa:EndpointReference>

</wsp:AppliesTo>

<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>

<t:OnBehalfOf>

<UsernameToken u:Id="uuid-6cdb82dc-1b05-45e6-8b6b-d17c5bbf123c-26" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">

<Username>jakec</Username>

<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">mypassword</Password>

</UsernameToken>

</t:OnBehalfOf>

<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>

<t:TokenType>http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation</t:TokenType>

<ActivityId xmlns="http://schemas.microsoft.com/ws/2009/12/identityserver/">355bd888-cb90-4367-8428-1cc473c6b717</ActivityId>

<MSISSession xmlns="http://schemas.microsoft.com/ws/2009/12/identityserver/">

<WsFederationData />

</MSISSession>

</t:RequestSecurityToken>

</s:Body>

</s:Envelope>

Example 2:

With a SAML 2.0 access scenario, the ADFS proxy server receives SAML authentication request then makes a web service HTTP POST call to the ADFS server. Along with the request, the ADFS proxy server will insert the SAML authentication request in the SOAP message as below:

POST https://adserver.jacob.com/adfs/services/trust/samlprotocol/proxytrust HTTP/1.1

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

<s:Header> ....

<s:Body>

<msis:IssueRequest xmlns:msis="http://schemas.microsoft.com/ws/2009/12/identityserver/samlprotocol/">

<msis:ActivityId>355bd888-cb90-4367-8428-1cc473c6b717</msis:ActivityId>

<msis:Message>

<msis:BaseUri>https://adfs.example.com:443/adfs/ls/</msis:BaseUri>

<msis:SAMLRequest>fVcxTsMwFNz7FZb3xnaDG/…/H1R9wU=</msis:SAMLRequest>

<msis:RedirectBindingInformation>

<msis:RelayState>7fddabbeb1eda2be86416de69fbc8780c23809e3</msis:RelayState>

<msis:Signature>…./ocz7JZZnAloxjpFhFCKM6MbY3io=</msis:Signature>

<msis:SigAlg>http://www.w3.org/2000/09/xmldsig#rsa-sha1</msis:SigAlg>

<msis:QueryStringHash>c/8gJhcw98xYY+D/yQa5RU4KwXQ=</msis:QueryStringHash>

</msis:RedirectBindingInformation>

</msis:Message>

<msis:OnBehalfOf>

<SecurityContextToken u:Id="_4ba3e1a4-cd96-470a-aa64-2d7c8431c3e3-BE4548F70EA0675E553AD9904F63C39F" xmlns="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512">

<Identifier>urn:uuid:91d45e23-508c-409e-a04a-c40f8d696c60</Identifier>

<Instance>urn:uuid:54c1ae12-492e-48e9-8b59-db8d4031d6c5</Instance>

<Cookie xmlns="http://schemas.microsoft.com/ws/2006/05/security">sc7Wn1l1ylzr18EQM2WgK2uvztHbSB....3nIuRCbXowdPRaDU9stlXKNfA99vD</Cookie>

</SecurityContextToken>

</msis:OnBehalfOf>

<msis:SessionState />

</msis:IssueRequest>

</s:Body>

</s:Envelope>