Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2011-09-13) Bare Minimum Acceptance Transform Rules For The Default Claims Provider Trusts In ADFS v2.0

Posted by Jorge on 2011-09-13


Right after installing ADFS v2.0, it will by default have ONE Claims Provider Trust, configured for AD as the one and only supported authentication store (ADFS v2.0 does not support any authentication store other than AD). That Claims Provider Trust will also be configured with a default set of Acceptance Transform Rules, as shown in the picture below.


Figure 1: Default List Of Acceptance Transform Rules For The Default Claims Provider Trust (AD) In ADFS v2.0

It is of course possible to adjust the default set of Acceptance Transform Rules by removing existing default rules and/or adding your own required rules. Assuming you would do such a thing, you could for example replace the default set of Acceptance Transform Rules with the Acceptance Transform Rules shown below. If you look carefully, you will see that I removed the default Acceptance Transform Rules and put in my own.


Figure 2: Custom List Of Acceptance Transform Rules For The Default Claims Provider Trust (AD) In ADFS v2.0

If I now try to access a Claims Based SharePoint site that I created and configured on SharePoint 2010, you would see something similar to what is shown below.

The default Home Realm Discovery window with the drop down list. The logo you see is something that I configured. I get to this screen because I have multiple Claims Provider Trusts configured: one for the default authentication store, being AD, and one for an IdP-STS at some other organization.


Figure 3: The Default Home Realm Discovery Web Page In ADFS v2.0 Using A Drop Down List With The Configured Claims Provider Trusts (a.k.a. Identity Providers)

After selecting the one you see, which in this case represents the Claims Provider Trust for AD, and clicking “Continue To Sign In”, you will see something similar to the sign-in page below, for which I already filled in some credentials:


Figure 4: The Default Sign-In Web Page In ADFS v2.0 To Collect Credentials For Authentication

After clicking “Sign In”, you will see something similar to:


Figure 5: Some Error Stating Something Went Wrong

After errors like this, the next step is to check the ADFS Event Logs. Let’s try the Admin log first!

You should see something similar to:

Event ID 323


Figure 6: Event ID 323 In the ADFS v2.0 Admin Event Log Stating It Could Not Authorize The Issuance Of A Security Token To The Requestor

The Federation Service could not authorize token issuance for the caller '' on behalf of the subject 'ADM.ROOT' to the relying party 'urn:app:sharepointclaimsapp'. Please see event 501 with the same instance id for caller identity. Please see event 502 with the same instance id for OnBehalfOf identity, if any.

Additional Data
Instance id: ed68adf5-0e12-419e-8092-7cf071a80531
Exception details:
Microsoft.IdentityServer.Service.IssuancePipeline.OnBehalfOfAuthorizationException: MSIS5009: The impersonation authorization failed for caller identity  and delegate  for relying party trust urn:app:sharepointclaimsapp.
   at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult.End(IAsyncResult ar)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.EndProcessCore(IAsyncResult ar, String requestAction, String responseAction, String trustNamespace)
User Action
Use Windows PowerShell comments for AD FS 2.0 to ensure that the caller is authorized on behalf of the subject to the relying party.

And…

Event ID 501


Figure 7: Event ID 501 In the ADFS v2.0 Admin Event Log Stating The Caller Identity Requesting A Security Token With Claims From ADFS

More information for the event entry with instance id ed68adf5-0e12-419e-8092-7cf071a80531. There may be more events with the same instance id with more information.

Instance id:
ed68adf5-0e12-419e-8092-7cf071a80531
 
Caller identity:
http://temp.org/company
ADCORP.LAB
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows

http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant
2011-09-12T21:05:54.416Z

And…

Event ID 502


Figure 8: Event ID 502 In the ADFS v2.0 Admin Event Log Stating Part Of The Claims That Were Extracted From AD

More information for the event entry with instance id ed68adf5-0e12-419e-8092-7cf071a80531. There may be more events with the same instance id with more information.

Instance id:
ed68adf5-0e12-419e-8092-7cf071a80531
 
OnBehalfOf identity:
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant
2011-09-12T21:05:54.058Z
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
ROLE_adcorp.app.ADFSAppTokenViewer
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
ROLE_adcorp.app.ADFSAppTokenContributor
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
ROLE_adcorp.app.ADFSAppTokenOwner
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
ROLE_adcorp.app.ADFSAppClaimsViewer
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
ROLE_adcorp.app.ADFSAppClaimsContributor
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
ROLE_adcorp.app.ADFSAppClaimsOwner
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
ADM.ROOT@ADCORP.LAB
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
ADM.ROOT@ADCORP.LAB

And…

Event ID 502


Figure 9: Event ID 502 In the ADFS v2.0 Admin Event Log Stating Part Of The Claims That Were Extracted From AD

More information for the event entry with instance id ed68adf5-0e12-419e-8092-7cf071a80531. There may be more events with the same instance id with more information.

Instance id:
ed68adf5-0e12-419e-8092-7cf071a80531
 
OnBehalfOf identity:
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant
2011-09-12T21:05:54.058Z
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
ROLE_adcorp.app.ADFSAppTokenViewer
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
ROLE_adcorp.app.ADFSAppTokenContributor
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
ROLE_adcorp.app.ADFSAppTokenOwner

And…

Event ID 364


Figure 10: Event ID 364 In the ADFS v2.0 Admin Event Log Stating An “Access Denied” For The Issuance Of The Security Token

Encountered error during federation passive request.

Additional Data

Exception details:
Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: MSIS3126: Access denied.
   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)
   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, Uri& replyTo)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, MSISSession& session)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken, WSFederationMessage incomingMessage)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSecurityToken(SecurityToken securityToken, WSFederationMessage incomingMessage)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)

System.ServiceModel.FaultException: MSIS3126: Access denied.
   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)
   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)

Although figures 6, 7, 8 and 9 show that claims were extracted from AD by the STS, an “Access Denied” was given for the issuance of the security token. This simply means that the caller/requestor, in this case “ADM.ROOT”, does not have permission to request a security token. So the “Access Denied” in this case comes from ADFS itself (the issuance authorization step) and not from the application you are trying to access.
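The troubleshooting path above is to take the instance id from event 323 and pull the matching 501/502/364 events from the ADFS Admin log. The script below, an added example that is not part of the original post, automates that: it collects every event that carries the instance id, reconstructs the OnBehalfOf claim list from the (possibly multiple) 502 events, and reports whether a Primary SID claim was among the claims extracted from AD. It assumes the ADFS 2.0 Admin channel is named "AD FS 2.0/Admin" and that event 502 lists claims as alternating type/value lines, as in the output shown above; the Primary SID claim type URI is the standard one and is used here as the check the post's conclusion implies.

```powershell
# Added example (not from the original post): correlate ADFS 2.0 Admin events by
# instance id and check the OnBehalfOf claim set for a Primary SID claim.
# Assumptions: log channel name "AD FS 2.0/Admin"; event 502 message layout as
# shown in the post (a line "OnBehalfOf identity:" followed by type/value pairs).
param(
    [Parameter(Mandatory = $true)]
    [string]$InstanceId            # the "Instance id" printed in event 323
)

$PrimarySidType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid'

# Events 323, 501, 502 and 364 for one request all carry the same instance id
# in their message body, so a text match on the id ties them together.
$events = Get-WinEvent -LogName 'AD FS 2.0/Admin' -ErrorAction Stop |
    Where-Object { $_.Message -match [regex]::Escape($InstanceId) } |
    Sort-Object TimeCreated

if (-not $events) {
    Write-Warning "No events found for instance id $InstanceId"
    return
}

foreach ($e in $events) {
    '{0}  Event {1}' -f $e.TimeCreated, $e.Id
}

# Event 502 can be split over several events ("part of the claims"), so the
# claim pairs from all of them are merged into one list.
$claims = @()
foreach ($e in ($events | Where-Object { $_.Id -eq 502 })) {
    $lines = @($e.Message -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $start = [array]::IndexOf($lines, 'OnBehalfOf identity:')
    if ($start -lt 0 -or ($start + 1) -ge $lines.Count) { continue }
    $body = @($lines[($start + 1)..($lines.Count - 1)])
    for ($i = 0; ($i + 1) -lt $body.Count; $i += 2) {
        $claims += New-Object PSObject -Property @{ Type = $body[$i]; Value = $body[$i + 1] }
    }
}

$claims | Format-Table Type, Value -AutoSize

$types = @($claims | ForEach-Object { $_.Type })
if ($types -contains $PrimarySidType) {
    'Primary SID claim present in the OnBehalfOf identity; the MSIS3126 denial has another cause.'
} else {
    'No Primary SID claim in the OnBehalfOf identity: check the Acceptance Transform Rules of the AD Claims Provider Trust (see the bare minimum rule in this post).'
}
```

Run it on the federation server with the instance id from event 323, for example `.\Find-AdfsDenial.ps1 -InstanceId ed68adf5-0e12-419e-8092-7cf071a80531`. The claim-type check is only a quick indicator: it tells you that the AD Claims Provider Trust did not produce a Primary SID for the subject, which is exactly the situation the rest of this post diagnoses.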

The following TechNet Wiki page, “AD FS 2.0: How to Restore the Default Acceptance Transform Rules for the Active Directory Claims Provider Trust”, explains how to restore the default list of Acceptance Transform Rules for the default Claims Provider Trust (AD) if it is broken and you cannot get it to work anymore. It is really easy to “restore” the default list of Acceptance Transform Rules.

However, after some testing I found out that ADFS requires AT LEAST one identifier claim for the authenticated user before it will allow that user to request a security token.


Figure 11: The Bare Minimum Acceptance Transform Rules List Required For ADFS To Issue A Security Token

The bare minimum Acceptance Transform Rules list is shown in figure 11 and the detailed configuration is shown in figure 12.


Figure 12: The Configuration Of The Claim Rule To Extract The Primary SID (objectSID in AD)

Now, by combining the Acceptance Transform Rules lists in figures 2 and 11, you will get something like:


Figure 13: Combination Of Acceptance Transform Rules From Figure 2 And Figure 11
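The rule sets in figures 11, 12 and 13 are shown as screenshots, so here is the same configuration expressed in the ADFS 2.0 claim rule language and applied with the ADFS 2.0 PowerShell snap-in. This is an added example, not the author's own script: the Primary SID rule is the LDAP-attribute rule that figure 12 describes (objectSID queried from AD and issued as the Primary SID claim), and the second rule is an assumed stand-in for the custom rules of figure 2 (it issues the e-mail and UPN claims that event 502 shows; the author's exact custom rules are not on the page). The trust name "Active Directory" is the default name of the AD Claims Provider Trust.

```powershell
# Added example (not the post's own script): set the AD Claims Provider Trust's
# Acceptance Transform Rules to the bare minimum Primary SID rule plus custom
# LDAP rules, keeping a backup of the current rules.
# Assumptions: trust name "Active Directory" (the default); the custom rule is
# an illustration, not the author's exact rules from figure 2.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$TrustName = 'Active Directory'

# Rule 1: the bare minimum. Take the Windows account name produced by AD
# authentication, look up the account's objectSID in AD and issue it as the
# Primary SID claim. Without an identifier claim like this one, ADFS 2.0 denies
# token issuance (MSIS3126) as shown earlier in the post.
$primarySidRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Extract Primary SID (objectSID) from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value);
'@

# Rule 2 (assumed custom rule): e-mail address and UPN from AD, the claim types
# that event 502 shows for the subject.
$customLdapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Extract mail and UPN from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,userPrincipalName;{0}", param = c.Value);
'@

# Keep a copy of the current rules so the change can be rolled back with
# Set-ADFSClaimsProviderTrust -AcceptanceTransformRulesFile <backup file>.
$trust  = Get-ADFSClaimsProviderTrust -Name $TrustName
$backup = Join-Path $env:TEMP ('AcceptanceRules-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
Set-Content -Path $backup -Value ([string]$trust.AcceptanceTransformRules)
"Previous acceptance transform rules saved to $backup"

# Apply the combined rule set (figure 13): rule order is evaluation order.
$newRules = $primarySidRule + "`r`n" + $customLdapRule
Set-ADFSClaimsProviderTrust -TargetName $TrustName -AcceptanceTransformRules $newRules

# Verify that the Primary SID rule really made it into the trust.
$applied = (Get-ADFSClaimsProviderTrust -Name $TrustName).AcceptanceTransformRules
if ($applied -match 'claims/primarysid') {
    'Primary SID rule present in the acceptance transform rules.'
} else {
    throw 'Primary SID rule missing; token issuance will keep failing with MSIS3126.'
}
```

Run it in an elevated PowerShell session on the federation server. Because the Acceptance Transform Rules of the AD trust decide what every user authenticated against AD gets in their token, the backup file is the important part of the script: with it, a rule set that turns out to be wrong can be put back with one cmdlet instead of the manual restore described in the TechNet Wiki page.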

Now, trying to access my claims based SharePoint web site again will result in the following:


Figure 14: Successful Access To A Claims Based SharePoint Web Site Hosted On SharePoint 2010 That Includes A Custom Web Part To Show The Claims Processed By SharePoint 2010

REMARK: Blog posts exist on the internet explaining how to implement the custom web part that shows the claims processed by SharePoint 2010. I will also write a blog post providing more detail than any other, so that non-developers (like myself) can also try this! So stay tuned!

So, to summarize:

For ADFS to be able to issue a security token at all, the Acceptance Transform Rules list MUST AT LEAST contain the claim rule shown in figure 11!

Cheers,
Jorge
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/

7 Responses to “(2011-09-13) Bare Minimum Acceptance Transform Rules For The Default Claims Provider Trusts In ADFS v2.0”

  1. Henrik said

    Great post!!!

  2. Monkey Tennis said

    The critical image, figure 13, is not showing up.

  3. […] (2011-09-13) Bare Minimum Acceptance Transform Rules For The Default Claims Provider Trusts In ADFS … […]

  4. […] this blog post I explain the bare minimum required claims rules in the Active Directory Claims Provider trust to […]

  5. […] This post is about the bare minimum acceptance transform rules for the default claims provider trust (Active Directory) in ADFS v3.0. To read about the same topic in ADFS v2.0 see the following blogpost: (2011-09-13) Bare Minimum Acceptance Transform Rules For The Default Claims Provider Trusts In ADFS … […]

  6. […] query (using the LDAP Claim Rule Template) and in ADFS v3.0 you can pass it through (see: "(2011-09-13) Bare Minimum Acceptance Transform Rules For The Default Claims Provider Trusts In ADFS …" and "(2014-02-10) Bare Minimum Acceptance Transform Rules For The Default Claims […]
