Jorge's Quest For Knowledge!

All about Windows Server, ADDS, ADFS & FIM (It Is Just Like An Addiction, The More You Have, The More You Want To Have!)

(2013-07-19) Required Claims/Permissions To Join An ADFS Proxy To The ADFS Federation Service

Posted by Jorge on 2013-07-19


In an earlier blog post I explain how to install and configure the ADFS Proxy server in ADFS v2.0 (this may also apply to later ADFS versions). When joining the ADFS Proxy server to the federation service you need credentials to do that. With the default configuration you can use either the ADFS service account credentials or an AD user account that has local administrator (or equivalent) permissions on the ADFS STS servers. By “default configuration” I mean the “AddProxyAuthorizationRules” in the federation service (Figure 1) and the “Acceptance Transform Rules” in the Active Directory Claims Provider trust (Figure 2).


Figure 1: The Default ‘AddProxyAuthorizationRules’ In The Federation Service

-

The ‘AddProxyAuthorizationRules’ in the federation service determine which claims must be present in the caller’s security token for the caller to be authorized to join an ADFS Proxy server to the federation service. You could even consider the ‘AddProxyAuthorizationRules’ to be the Issuance Authorization Rules of a special internal relying party trust.


Figure 2: Default List Of Acceptance Transform Rules For The Default Claims Provider Trust (AD) In ADFS v2.0

-

The ‘Acceptance Transform Rules’ are the rules that determine which claims end up in the security token used inside the federation service itself, after processing the claims in the incoming security token received from the claims provider. For the Active Directory Claims Provider trust those incoming claims are the ones derived from the user’s Windows logon (primarysid, groupsid, windowsaccountname and so on).

-

In another blog post I explain the bare minimum claims rules required in the Active Directory Claims Provider trust to be able to use ADFS at all as a security token service (STS).

-

Now, based upon those minimum required claims rules in the Active Directory Claims Provider trust, let’s try to join an ADFS Proxy server to the federation service!

-

If you want to join the ADFS Proxy server to the federation service through the command line you can use the following steps:

  • Open a Command Prompt window
  • Navigate to “C:\Program Files\Active Directory Federation Services 2.0”
  • Type And Execute: START /WAIT FSPCONFIGWIZARD.EXE /HostName <Federation Service FQDN> /UserName <Federation Service Service Account> /Password <Federation Service Service Account Password>
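The same join, driven from PowerShell instead of a plain Command Prompt. This is an added example, not a script from the original post or from Microsoft: it uses the FspConfigWizard.exe switches listed above, prompts for the credentials with Get-Credential instead of typing the password into the console (where it would stay in the command history), and afterwards reads the AD FS 2.0/Admin log so the result of the join can be checked without opening Event Viewer. Assumed: the default ADFS 2.0 install path, an elevated session on the ADFS Proxy server, and a federation service name passed in as $FederationServiceFqdn (a parameter name chosen for this example).

```powershell
# Added example, not part of the original post.
# Runs the ADFS 2.0 federation service proxy configuration wizard with the
# /HostName, /UserName and /Password switches from the post, but collects the
# password with Get-Credential so it is not typed into the console history.
param(
    [Parameter(Mandatory = $true)]
    [string]$FederationServiceFqdn          # e.g. sts.example.com (assumed name)
)

# Assumption: default ADFS 2.0 install location on the proxy server.
$wizard = Join-Path ${env:ProgramFiles} 'Active Directory Federation Services 2.0\FspConfigWizard.exe'
if (-not (Test-Path $wizard)) {
    throw "FspConfigWizard.exe not found at $wizard"
}

# The account must satisfy the federation service's AddProxyAuthorizationRules:
# the ADFS service account, or an AD account that is a local administrator on
# the STS servers (and whose group SIDs actually reach the token, see below).
$cred  = Get-Credential -Message 'Account used to join the proxy to the federation service'
$plain = $cred.GetNetworkCredential().Password   # the wizard only accepts a clear-text /Password

# Caveat: while the wizard runs, the password is part of its command line and is
# visible to anyone who can list processes on this host. A password containing
# spaces would also need quoting the wizard understands, which is not assumed here.
$proc = Start-Process -FilePath $wizard -Wait -PassThru -ArgumentList @(
    "/HostName $FederationServiceFqdn",
    "/UserName $($cred.UserName)",
    "/Password $plain"
)
Remove-Variable plain

"FspConfigWizard.exe exited with code $($proc.ExitCode)"

# Read the most recent AD FS 2.0/Admin events: an 'access denied' on a failed join
# or the trust-established event on a successful one shows up here.
Get-WinEvent -LogName 'AD FS 2.0/Admin' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap
```

Save it as a .ps1 and run it from an elevated PowerShell prompt on the proxy; the wizard still shows its screens, pre-filled with the values passed in, exactly as in the figures that follow.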

-

After starting the federation service proxy wizard, you will see the following screen.


Figure 3: The “Welcome” Screen Of The Federation Service Proxy Wizard

-

After clicking “Next >” you will see the following screen.


Figure 4: The “Specify Federation Service Name” Screen Of The Federation Service Proxy Wizard

-

After specifying the FQDN of the federation service and clicking “Test Connection” you will most likely see a message stating that the connection was successful. Click “OK”. After clicking “Next >” you will see the following screen.


Figure 5: The “Enter  Credentials” Screen Of The Federation Service Proxy Wizard

-

After specifying credentials that have local administrator equivalent permissions on the STS servers and clicking “OK” you may see the following screen.


Figure 6: The Error That Mentions You Do Not Have The Correct Credentials To Perform The Join Operation

-

Hey, wazzup!?

-

Let’s try to analyze this!

-

If you start the Event Viewer MMC on the ADFS Proxy server and navigate to the AD FS 2.0 Admin event log (Event Viewer –> Applications And Services Logs –> AD FS 2.0 –> Admin) you will see something similar to…


Figure 7: An “Access Denied” Error On The ADFS Proxy server

-

If you start the Event Viewer MMC on the ADFS STS server and navigate to the Security event log (Event Viewer –> Windows Logs –> Security) you will see something similar, provided you have ADFS auditing configured (described in another blog post). It may look different if you have more claims rules being processed in the Acceptance Transform Rules of the Active Directory Claims Provider trust!


Figure 8: An “Access Denied” Error On The ADFS STS server

-


Figure 9: The Resulting Claims In The Security Token After Processing The Acceptance Transform Rules Of The Active Directory Claims Provider Trust

-

More Details:

More information for the event entry with instance id a2e78f87-a14a-4d28-8086-fd4e12aceeae. There may be more events with the same instance id with more information.

Instance id:
a2e78f87-a14a-4d28-8086-fd4e12aceeae
 
Caller identity:
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid
S-1-5-21-1302963225-1802291915-4189581584-500
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant
2013-07-18T23:00:39.506Z
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password

-

So, the conclusion here is that we are missing claims to be authorized to join the ADFS Proxy Server to the federation service.

If you look at figure 1 you will see three claims rules exist for the “AddProxyAuthorizationRules”, being:

  1. Permit join if the security token contains a groupsid claim with value “S-1-5-32-544” (which equals to the local administrators group)
  2. Permit join if the security token contains the primarysid of the ADFS service account (assuming it equals to “isProxyTrustManagerSid”)
  3. Permit join if…(unfortunately I cannot make out this one in the screenshot)

-

Hey that’s strange! The AD user account I’m using is a local administrator on the ADFS STS server and still I cannot join the ADFS Proxy server. I did not change the default “AddProxyAuthorizationRules”, but I did change the default Acceptance Transform Rules Of The Active Directory Claims Provider Trust to have the bare minimal claims rules.

So based upon this analysis it looks like the required groupsid claim (S-1-5-32-544) is not included in the security token, as shown in figure 9: the bare minimum rules only pass the primarysid through, so none of the group SIDs of the caller ever reach the ‘AddProxyAuthorizationRules’.

Therefore, to be able to use an AD user account with local administrator equivalent permissions on the ADFS STS servers you MUST have the following claims rule in place in addition to the bare minimum claims rules.


Figure 10: The Claims Rule In The Active Directory Claims Provider Trust Acceptance Transform Rules That Passes-Through The Group SIDs

-

More Details:

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through all Group SID claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
 => issue(claim = c);
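The check and the fix from the analysis above (the three ‘AddProxyAuthorizationRules’ and the missing groupsid pass-through rule), done from PowerShell on an ADFS 2.0 STS server. This is an added example, not a script from the original post or from Microsoft. It prints the full text of the ‘AddProxyAuthorizationRules’ (so a rule the GUI truncates, like the third one in figure 1, can be read in full), prints the current Acceptance Transform Rules of the Active Directory Claims Provider trust, and only if no rule references the groupsid claim type appends the pass-through rule shown above while keeping the existing rules intact. Assumed: the ADFS 2.0 PowerShell snap-in, the claims provider trust still carrying its default name “Active Directory”, and an ADFS administrator session; the -OnlyBuiltinAdministrators switch is an option added here that issues a narrower custom rule passing only the S-1-5-32-544 group SID instead of all of them.

```powershell
# Added example, not part of the original post. Run on an ADFS 2.0 STS server.
param(
    # Pass through only BUILTIN\Administrators (S-1-5-32-544) instead of every group SID.
    [switch]$OnlyBuiltinAdministrators
)

# ADFS 2.0 ships its cmdlets as a snap-in (later versions use the 'Adfs' module).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$cptName      = 'Active Directory'   # assumption: default claims provider trust name
$groupSidType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'

# 1. What the federation service requires before it authorizes a proxy join.
#    AddProxyAuthorizationRules is a property of the federation service in ADFS 2.0.
"--- AddProxyAuthorizationRules ---"
(Get-ADFSProperties).AddProxyAuthorizationRules

# 2. What the AD claims provider trust currently lets through.
$cpt = Get-ADFSClaimsProviderTrust -Name $cptName
if (-not $cpt) { throw "Claims provider trust '$cptName' not found" }
"--- Current acceptance transform rules for '$cptName' ---"
$cpt.AcceptanceTransformRules

# 3. Is the groupsid claim type already referenced by any acceptance rule?
#    A text match is enough for this check; -match on a single string returns a Boolean.
if ($cpt.AcceptanceTransformRules -match [regex]::Escape($groupSidType)) {
    "A rule referencing $groupSidType is already present; nothing changed."
    return
}

# 4. Build the rule to append. The first variant is the pass-through rule from the
#    post; the second is a narrower custom rule (added here) that only issues the
#    one group SID the first AddProxyAuthorizationRules rule looks for.
if ($OnlyBuiltinAdministrators) {
    $newRule = @"
@RuleName = "Pass through BUILTIN\Administrators group SID only"
c:[Type == "$groupSidType", Value == "S-1-5-32-544", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)`$"]
 => issue(claim = c);
"@
} else {
    $newRule = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through all Group SID claims"
c:[Type == "$groupSidType", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)`$"]
 => issue(claim = c);
"@
}

# 5. The rule set is one string; append rather than replace so the existing
#    bare-minimum rules (primarysid etc.) survive.
$combined = $cpt.AcceptanceTransformRules.TrimEnd() + "`r`n`r`n" + $newRule
Set-ADFSClaimsProviderTrust -TargetName $cptName -AcceptanceTransformRules $combined

"--- Acceptance transform rules after the change ---"
(Get-ADFSClaimsProviderTrust -Name $cptName).AcceptanceTransformRules
```

The narrower variant is worth considering when the whole point of the bare-minimum rule set was to keep group SIDs out of the federation service token: it satisfies the first ‘AddProxyAuthorizationRules’ rule without passing every group membership of every user through the trust. Either way, re-run the proxy join afterwards and confirm in the STS Security log that the caller identity now carries S-1-5-32-544.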

-

So after adding this claims rule to the Active Directory Claims Provider Trust Acceptance Transform Rules I retried the join of the ADFS Proxy server to the federation service and now it succeeded! The caller identity in the security event (figures 15 to 20) now contains the groupsid claim with value S-1-5-32-544 (BUILTIN\Administrators), which is exactly what the first of the ‘AddProxyAuthorizationRules’ requires.


Figure 11: The “Ready To Apply Settings” Screen Confirming The Credentials Were Validated And Correct

-


Figure 12: The Event In The ADFS 2.0/Admin Event Log Acknowledging The Establishment Of The Federation Trust

-


Figure 13: An Event In The Security Event Log Of The ADFS STS Server Stating A Security Token Was Successfully Issued

-


Figure 14: The Issued Identity In The Security Token (The proxytrustid Claim Issued To The ADFS Proxy), As Shown In The Same Security Event

-

More Details:

More information for the event entry with instance id 0ddf5d2e-8b4b-46ae-aa4d-89276795e1e4. There may be more events with the same instance id with more information.

Instance id: 
0ddf5d2e-8b4b-46ae-aa4d-89276795e1e4
 

Issued identity:
http://schemas.microsoft.com/ws/2008/06/identity/claims/proxytrustid
3949416d-2770-46e6-8109-c70d929c2abf
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant
2013-07-18T23:45:12.790Z
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
-

Figures 15 To 20: The Resulting Claims In The Security Token After Processing The Acceptance Transform Rules Of The Active Directory Claims Provider Trust (The “Caller Identity” Of The Same Event, Which Spans Several Screenshots)

-

More Details:

More information for the event entry with instance id 0ddf5d2e-8b4b-46ae-aa4d-89276795e1e4. There may be more events with the same instance id with more information.

Instance id:
0ddf5d2e-8b4b-46ae-aa4d-89276795e1e4

Caller identity:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
ADCORP\ADM.ROOT
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid
S-1-5-21-1302963225-1802291915-4189581584-500
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid
S-1-5-21-1302963225-1802291915-4189581584-513
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-513
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-1-0
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-32-544
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-32-545
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-32-554
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-32-574
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-2
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-11
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-15
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1908
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1911
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1913
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-520
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1916
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1915
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1706
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1909
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1910
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-512
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1912
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1914
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1231
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1243
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1233
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1340
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1346
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1240
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1241
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1677
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1343
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1338
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1345
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1242
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1232
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1230
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1344
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1235
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1341
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1348
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1347
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1350
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1342
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1237
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-518
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1938
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1239
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1339
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1234
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-519
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1236
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1349
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1238
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-572
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1886
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1889
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path
/adfs/services/trust/proxytrustprovisionusername
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
ADCORP\ADM.ROOT

-

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
http://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————
