Difference between revisions of "Windows Federated Services"
Michael.mast (talk | contribs) |
(16 intermediate revisions by the same user not shown) | |||
Line 7: | Line 7: | ||
*Have a dedicated service account created in AD. | *Have a dedicated service account created in AD. | ||
*Firewall issues will get you if you are not careful | *Firewall issues will get you if you are not careful | ||
+ | ===Some Basic Concepts=== | ||
+ | *to be filled in | ||
+ | |||
==Enable test page== | ==Enable test page== | ||
<ref>https://blogs.technet.microsoft.com/rmilne/2017/06/20/how-to-enable-idpinitiatedsignon-page-in-ad-fs-2016/</ref>This is used to test sign in.<br> | <ref>https://blogs.technet.microsoft.com/rmilne/2017/06/20/how-to-enable-idpinitiatedsignon-page-in-ad-fs-2016/</ref>This is used to test sign in.<br> | ||
Line 16: | Line 19: | ||
==AD FS Proxy== | ==AD FS Proxy== | ||
In my case I wanted to use Server 2016 Core and NOT enroll it in my domain. Domain joined computers on the internet scares me. | In my case I wanted to use Server 2016 Core and NOT enroll it in my domain. Domain joined computers on the internet scares me. | ||
+ | <ref>https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn383662(v=ws.11)?redirectedfrom=MSDN</ref> | ||
+ | *Please make sure that you either used an alternate name in the certificate, or you will need to add a host to the hosts file. i.e. | ||
+ | <pre> | ||
+ | $newhost='xxx.xxx.xxx sts.yourdomain.tld' | ||
+ | $newhost | Out-File -FilePath C:\Windows\System32\drivers\etc\hosts -Append -Encoding ascii | ||
+ | </pre> | ||
+ | *If you haven't, install the certificate. Copying from another server if needed. | ||
+ | <pre> | ||
+ | $mypwd = Get-Credential -UserName 'Enter password below' -Message 'Enter password belowe' | ||
+ | Import-PfxCertificate -FilePath C:\sts.yourdomain.tld.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $mypwd.password | ||
+ | </pre> | ||
+ | *Make sure you have the certificate thumbprint/hash as well. The following command should show this to you. | ||
+ | <pre> | ||
+ | netsh http show ssl | ||
+ | </pre> | ||
+ | <pre> | ||
+ | Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools | ||
+ | Install-WebApplicationProxy -FederationServiceName "sts.yourdomain.tld" -FederationServiceTrustCredential $FScredential -CertificateThumbprint "0a1b2c3d0a1b2c3d0a1b2c3d0a1b2c3d0a1b2c3d" | ||
+ | </pre> | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | ===Manage using headless server=== | ||
+ | This does not work | ||
*To manage the headless server using Server Manager | *To manage the headless server using Server Manager | ||
**Give the server a fqdn and manually add the DNS entry. | **Give the server a fqdn and manually add the DNS entry. | ||
− | **Add the server to the trusted hosts for management<ref>https://www.jorgebernhardt.com/how-to-managing-non-domain-joined-server-using-server-manager/</ | + | **Add the server to the trusted hosts for management<ref>https://www.jorgebernhardt.com/how-to-managing-non-domain-joined-server-using-server-manager/</ref> |
Note : If your trusted hosts entry is empty, then just use the set-item command without the currentlist variable. | Note : If your trusted hosts entry is empty, then just use the set-item command without the currentlist variable. | ||
<pre> | <pre> | ||
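Review bot: the added Install-WebApplicationProxy line passes -FederationServiceTrustCredential $FScredential, but nothing in this revision assigns $FScredential, so the block fails when pasted as written. Add a line such as `$FScredential = Get-Credential` before it and say which account it expects. In the Import-PfxCertificate block, Get-Credential is used only to collect the PFX password and its -Message text has the typo 'belowe'; Read-Host -AsSecureString would state the intent more directly. The new "This does not work" line under "Manage using headless server" should also say what fails, since the steps beneath it are kept.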
Line 24: | Line 53: | ||
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "Server03.Domain.local, $CurrentList" | Set-Item WSMan:\localhost\Client\TrustedHosts -Value "Server03.Domain.local, $CurrentList" | ||
</pre> | </pre> | ||
+ | *On the target computer, allow elevated remote sessions. | ||
+ | <pre> | ||
+ | New-ItemProperty -Name LocalAccountTokenFilterPolicy -path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -propertyType DWord -value 1 | ||
+ | </pre> | ||
+ | |||
+ | ==Hardening== | ||
+ | <ref>https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs</ref> The reference from Microsoft is rather vague. It looks like these settings can be applied to either the proxy or the internal server. Testing is needed as I am unable to find the ADFS powershell modules on a clean install of a WAP. I assume you would need to install the ADFS package, but this would defeat the purpose. For now the following is being performed on the internal server. | ||
+ | *Enforce ExtendedProtectionTokenCheck <ref>https://docs.microsoft.com/en-us/powershell/module/adfs/set-adfsproperties?view=win10-ps</ref> | ||
+ | <pre> | ||
+ | set-adfsproperties -ExtendedProtectionTokenCheck Require | ||
+ | </pre> | ||
+ | *Disable unneeded and vulnerable endpoints<ref>https://dirteam.com/sander/2019/08/06/howto-disable-unnecessary-ad-fs-endpoints/</ref>. The following are recommended based on what I have read. | ||
+ | <pre> | ||
+ | Set-AdfsEndpoint -TargetAddressPath /adfs/services/trust/2005/windowstransport -Proxy $false | ||
+ | Set-AdfsEndpoint -TargetAddressPath /adfs/services/trust/13/windowstransport -Proxy $false | ||
+ | </pre> | ||
+ | I disabled these because they are of "Authentication Type" Password. | ||
+ | <pre> | ||
+ | Set-AdfsEndpoint -TargetAddressPath /adfs/services/trust/13/usernamemixed -Proxy $false | ||
+ | Set-AdfsEndpoint -TargetAddressPath /adfs/services/trust/2005/usernamemixed -Proxy $false | ||
+ | </pre> | ||
+ | *Set time outs and softlock<ref>https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-soft-lockout-protection</ref> | ||
+ | <pre> | ||
+ | Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 2 -ExtranetObservationWindow (new-timespan -Minutes 30) | ||
+ | </pre> | ||
+ | ==Enable Relay States== | ||
+ | Ignore what most of Google tells you, just use powershell<ref>https://github.com/awsdocs/aws-management-portal-for-vcenter-user-guide/issues/1</ref> | ||
+ | <pre> | ||
+ | Set-AdfsProperties -EnableRelayStateForIdpInitiatedSignOn $true | ||
+ | </pre> | ||
+ | *To obtain the relay state, you can use an online tool<ref>https://jackstromberg.com/adfs-relay-state-generator/</ref> or simply url encode the variables in the following format. | ||
+ | <pre>https://your.domain.tld/adfs/ls/IdpInitiatedSignOn?RelayState=RPID%3Dhttps%253A%252F%252Frelyingendpoint.tld%26RelayState%3Dhttps%253A%252F%252Frelaystate.tld</pre> | ||
+ | Or broken into it's parts<br> | ||
+ | BaseURL : | ||
+ | <pre>https://your.domain.tld/adfs/ls/IdpInitiatedSignOn?RelayState=RPID%3D</pre> | ||
+ | Relying Endpoint : | ||
+ | <pre>https%253A%252F%252Frelyingendpoint.tld</pre> | ||
+ | Relay State URL : | ||
+ | <pre>%3Dhttps%253A%252F%252Frelaystate.tld</pre> |
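Review bot: the added New-ItemProperty line sets LocalAccountTokenFilterPolicy to 1 with only "allow elevated remote sessions" as explanation. That value turns off remote UAC token filtering for local administrator accounts, and here it is applied to the non-domain-joined, internet-facing proxy under a section already marked "This does not work", so the text should state the trade-off and when to remove the value again. In the Relay State breakdown, the "Relay State URL" part starts at %3D and omits the %26RelayState that the full example URL contains, so the three parts do not concatenate back to the full URL. "it's parts" should be "its parts".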
Latest revision as of 13:59, 4 March 2020
General Notes
This service is easy enough to get up and running using Server Manager. In my case I have Server 2016 Core running in AWS on a private subnet.
You do need to ensure you have the following:
- A certificate for the publicly accessible FQDN, e.g. sts.yourdomain.tld. This does NOT need to match your internal domain.
- A CSR can be created using Windows MMC[1] and is easy to do.
- Make sure to import the acquired cert back into the same system that created the CSR, then export the whole thing with key.
- Have a dedicated service account created in AD.
- Firewall issues will get you if you are not careful.
Some Basic Concepts
- to be filled in
Enable test page
[2] This is used to test sign-in.
I was able to log in from both the native domain as well as a trusted domain without further configuration.
Set-AdfsProperties -EnableIdpInitiatedSignonPage $True
Then go to https://sts.yourdomain.tld/adfs/ls/idpinitiatedsignon.htm
AD FS Proxy
In my case I wanted to use Server 2016 Core and NOT enroll it in my domain. Domain-joined computers on the internet scare me. [3]
- Make sure that you either used an alternate name in the certificate or add an entry to the hosts file, e.g.
$newhost='xxx.xxx.xxx sts.yourdomain.tld'
$newhost | Out-File -FilePath C:\Windows\System32\drivers\etc\hosts -Append -Encoding ascii
- If you haven't already, install the certificate, copying it from another server if needed.
$mypwd = Get-Credential -UserName 'Enter password below' -Message 'Enter password below'
Import-PfxCertificate -FilePath C:\sts.yourdomain.tld.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $mypwd.Password
- Make sure you have the certificate thumbprint/hash as well. The following command should show this to you.
netsh http show ssl
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
# $FScredential was not defined on the original page; prompting for it here is an assumption.
$FScredential = Get-Credential
Install-WebApplicationProxy -FederationServiceName "sts.yourdomain.tld" -FederationServiceTrustCredential $FScredential -CertificateThumbprint "0a1b2c3d0a1b2c3d0a1b2c3d0a1b2c3d0a1b2c3d"
Manage using headless server
This does not work
- To manage the headless server using Server Manager
- Give the server an FQDN and manually add the DNS entry.
- Add the server to the trusted hosts for management[4]
Note: If your trusted hosts entry is empty, just use the Set-Item command without the $CurrentList variable.
$CurrentList = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "Server03.Domain.local, $CurrentList"
- On the target computer, allow elevated remote sessions.
New-ItemProperty -Name LocalAccountTokenFilterPolicy -path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -propertyType DWord -value 1
Hardening
[5] The reference from Microsoft is rather vague. It looks like these settings can be applied to either the proxy or the internal server. Testing is needed as I am unable to find the ADFS PowerShell modules on a clean install of a WAP. I assume you would need to install the ADFS package, but this would defeat the purpose. For now the following is being performed on the internal server.
- Enforce ExtendedProtectionTokenCheck [6]
set-adfsproperties -ExtendedProtectionTokenCheck Require
- Disable unneeded and vulnerable endpoints[7]. The following are recommended based on what I have read.
Set-AdfsEndpoint -TargetAddressPath /adfs/services/trust/2005/windowstransport -Proxy $false
Set-AdfsEndpoint -TargetAddressPath /adfs/services/trust/13/windowstransport -Proxy $false
I disabled these because they are of "Authentication Type" Password.
Set-AdfsEndpoint -TargetAddressPath /adfs/services/trust/13/usernamemixed -Proxy $false
Set-AdfsEndpoint -TargetAddressPath /adfs/services/trust/2005/usernamemixed -Proxy $false
- Set timeouts and soft lockout[8]
Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 2 -ExtranetObservationWindow (new-timespan -Minutes 30)
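A read-only check that the settings from this section actually took effect, added here as an example and not part of the original page. It assumes an elevated PowerShell session on the internal AD FS server, and the variable names are illustrative.

```powershell
# Added example: read-only audit of the settings applied in the Hardening section.
# Assumption: run in an elevated PowerShell session on the internal AD FS server.
Import-Module ADFS

$props  = Get-AdfsProperties
$checks = @(
    @{ Name = 'ExtendedProtectionTokenCheck'; Expected = 'Require';  Actual = $props.ExtendedProtectionTokenCheck }
    @{ Name = 'ExtranetLockoutEnabled';       Expected = 'True';     Actual = $props.ExtranetLockoutEnabled }
    @{ Name = 'ExtranetLockoutThreshold';     Expected = '2';        Actual = $props.ExtranetLockoutThreshold }
    @{ Name = 'ExtranetObservationWindow';    Expected = '00:30:00'; Actual = $props.ExtranetObservationWindow }
)

# Endpoints this page removes from the proxy.
$paths = @(
    '/adfs/services/trust/2005/windowstransport'
    '/adfs/services/trust/13/windowstransport'
    '/adfs/services/trust/13/usernamemixed'
    '/adfs/services/trust/2005/usernamemixed'
)
foreach ($path in $paths) {
    $endpoint = Get-AdfsEndpoint -AddressPath $path
    $checks += @{ Name = "Proxy $path"; Expected = 'False'; Actual = $endpoint.Proxy }
}

# Compare as strings so booleans, integers and TimeSpans are handled uniformly.
$report = foreach ($c in $checks) {
    [pscustomobject]@{
        Setting  = $c.Name
        Expected = $c.Expected
        Actual   = [string]$c.Actual
        Pass     = ([string]$c.Actual -eq $c.Expected)
    }
}
$report | Format-Table -AutoSize

# Everything still published through the proxy, for manual review.
Get-AdfsEndpoint |
    Where-Object { $_.Enabled -and $_.Proxy } |
    Sort-Object AddressPath |
    Format-Table AddressPath, ClientCredentialType, SecurityMode -AutoSize

if ($report.Pass -contains $false) {
    Write-Warning 'One or more hardening settings differ from the values on this page.'
}
```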
Enable Relay States
Ignore what most of Google tells you, just use PowerShell[9]
Set-AdfsProperties -EnableRelayStateForIdpInitiatedSignOn $true
- To obtain the relay state, you can use an online tool[10] or simply URL-encode the variables in the following format.
https://your.domain.tld/adfs/ls/IdpInitiatedSignOn?RelayState=RPID%3Dhttps%253A%252F%252Frelyingendpoint.tld%26RelayState%3Dhttps%253A%252F%252Frelaystate.tld
Or broken into its parts:
BaseURL :
https://your.domain.tld/adfs/ls/IdpInitiatedSignOn?RelayState=RPID%3D
Relying Endpoint :
https%253A%252F%252Frelyingendpoint.tld
Relay State URL :
%26RelayState%3Dhttps%253A%252F%252Frelaystate.tld
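The double encoding in that format can be produced locally instead of pasting internal URLs into an online tool. The following is an added example, not from the original page; the function names New-AdfsRelayStateUrl and ConvertFrom-AdfsRelayStateUrl are hypothetical, and the second one decodes an existing link so you can confirm which relying party and relay state it targets.

```powershell
# Added example: build and decode the IdP-initiated RelayState URL format shown above.
function New-AdfsRelayStateUrl {
    param(
        [Parameter(Mandatory)][string]$FederationHost,
        [Parameter(Mandatory)][string]$RelyingPartyId,
        [string]$RelayState
    )
    # First pass: encode each value on its own (":" -> %3A, "/" -> %2F).
    $inner = 'RPID=' + [uri]::EscapeDataString($RelyingPartyId)
    if ($RelayState) {
        $inner += '&RelayState=' + [uri]::EscapeDataString($RelayState)
    }
    # Second pass: encode the whole inner string ("=" -> %3D, "&" -> %26, "%3A" -> %253A).
    'https://{0}/adfs/ls/IdpInitiatedSignOn?RelayState={1}' -f $FederationHost, [uri]::EscapeDataString($inner)
}

function ConvertFrom-AdfsRelayStateUrl {
    param([Parameter(Mandatory)][string]$Url)
    # Work on the raw string so no URI parser unescapes anything early.
    $query = ($Url -split '\?', 2)[1]
    $outer = $query -split '&' | Where-Object { $_ -like 'RelayState=*' } | Select-Object -First 1
    if (-not $outer) { throw 'No RelayState parameter found in URL.' }

    # Undo the second pass, then split the pairs and undo the first pass per value.
    $inner  = [uri]::UnescapeDataString($outer.Substring('RelayState='.Length))
    $result = [ordered]@{}
    foreach ($pair in $inner -split '&') {
        $name, $value = $pair -split '=', 2
        $result[$name] = [uri]::UnescapeDataString($value)
    }
    [pscustomobject]$result
}

# Reproduces the example URL from this section.
$url = New-AdfsRelayStateUrl -FederationHost 'your.domain.tld' `
    -RelyingPartyId 'https://relyingendpoint.tld' -RelayState 'https://relaystate.tld'
$url
ConvertFrom-AdfsRelayStateUrl -Url $url
```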
1. https://knowledge.digicert.com/solution/SO29005.html
2. https://blogs.technet.microsoft.com/rmilne/2017/06/20/how-to-enable-idpinitiatedsignon-page-in-ad-fs-2016/
3. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn383662(v=ws.11)?redirectedfrom=MSDN
4. https://www.jorgebernhardt.com/how-to-managing-non-domain-joined-server-using-server-manager/
5. https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs
6. https://docs.microsoft.com/en-us/powershell/module/adfs/set-adfsproperties?view=win10-ps
7. https://dirteam.com/sander/2019/08/06/howto-disable-unnecessary-ad-fs-endpoints/
8. https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-soft-lockout-protection
9. https://github.com/awsdocs/aws-management-portal-for-vcenter-user-guide/issues/1
10. https://jackstromberg.com/adfs-relay-state-generator/