Jorge's Quest For Knowledge!


(2015-05-15) Configuring Windows Integrated AuthN For Firefox Against ADFS v3.0 And Higher

Posted by Jorge on 2015-05-15


ADFS by default supports multiple authentication mechanisms, namely certificate authentication, forms based authentication (FBA) and Windows Integrated Authentication (WIA). For non-domain-joined clients or clients on the extranet, FBA is the best option. For domain-joined clients on the intranet, WIA is the best option to use; in that scenario WIA delivers the best SSO experience for the user. To support WIA, the backend, the client and the ADFS server(s) must all be configured to support it.

[1] To support WIA on the backend the following must be true:

  • The ADFS service account must be configured with a service principal name "HOST/<Federation Service FQDN>" (e.g. HOST/FS.COMPANY.COM)

[2] To support WIA on the client/browser the following must be true:

  • The browser must support JavaScript and have it enabled –> For Firefox this is enabled by default. However, if you have installed the privacy extension "NoScript", then you need to either:
    • Enable it globally within the privacy extension "NoScript"
      • Start Firefox
      • Click the "NoScript" button
      • Select "Allow Scripts Globally"
      • Click "OK"
    • Enable it specifically for the Federation Service FQDN and any other FQDN requiring it
      • Start Firefox
      • Click the "NoScript" button
      • Select "Options"
      • Click the "Whitelist" tab
      • Specify the Federation Service FQDN and click "Allow"
      • Click "OK"
  • The browser must support and enable the use of cookies –> For Firefox this is enabled by default. However, if you have disabled the use of cookies, you can follow the next steps to re-enable it:
    • Enable it globally
      • Start Firefox
      • Click the "Firefox Menu" button (icon with 3 stacked horizontal lines)
      • Click the "Options" button
      • Click the "Privacy" panel
      • Check "Accept cookies from sites"
      • Click "OK"
    • Enable it specifically for the Federation Service FQDN and any other FQDN requiring it
      • Start Firefox
      • Click the "Firefox Menu" button (icon with 3 stacked horizontal lines)
      • Click the "Options" button
      • Click the "Privacy" panel
      • Click the "Exceptions" button
      • Specify the Federation Service FQDN and click "Allow"
      • Click "Close"
      • Click "OK"
  • WIA is enabled in the browser for the federation service FQDN –> For Firefox this is disabled by default for every FQDN. Follow the next steps to enable it for specific FQDNs (in this case the federation service FQDN must be trusted):
    • Start Firefox
    • As a URL type "about:config"
    • Click the "I’ll be careful, I promise!" button
    • As a Search type "network.negotiate-auth.trusted-uris"
    • Double-click on the line "network.negotiate-auth.trusted-uris"
    • Specify the Federation Service FQDN, or a comma separated list and click "OK"
    • Double-click on the line "network.automatic-ntlm-auth.trusted-uris"
    • Specify the Federation Service FQDN, or a comma separated list and click "OK"

[3] To support WIA against the ADFS STS server(s) the following must be true:

  • WIA must be enabled as an authentication method on the intranet
  • The user agent of the browser must be known to ADFS. By default, in ADFS v3.0 and higher the following user agent strings are supported (retrieved through "(Get-AdfsProperties).WIASupportedUserAgents")
    • MSAuthHost/1.0/In-Domain <– ADFS v4.0 and higher
    • MSIE 6.0 <– ADFS v3.0 and higher
    • MSIE 7.0 <– ADFS v3.0 and higher
    • MSIE 8.0 <– ADFS v3.0 and higher
    • MSIE 9.0 <– ADFS v3.0 and higher
    • MSIE 10.0 <– ADFS v3.0 and higher
    • Trident/7.0 <– ADFS v3.0 and higher
    • MSIPC <– ADFS v3.0 and higher
    • Windows Rights Management Client <– ADFS v3.0 and higher
    • MS_WorkFoldersClient <– ADFS v4.0 and higher
  • You may need to disable extended protection in ADFS if you still keep being prompted for credentials after configuring all of the above. I was able to use Firefox v37.0 and v42.0 with WIA without disabling extended protection
    REMARK: "ExtendedProtectionTokenCheck" –> Specifies the level of extended protection for authentication supported by the federation server. Extended Protection for Authentication helps protect against man-in-the-middle (MITM) attacks, in which an attacker intercepts a client’s credentials and forwards them to a server. Protection against such attacks is made possible through a Channel Binding Token (CBT) which can be either required, allowed or not required by the server when establishing communications with clients.

    Possible values for this setting are as follows: "Require" (server is fully hardened, extended protection is enforced), "Allow" (server is partially hardened, extended protection is enforced where the systems involved have been patched to support it) and "None" (server is vulnerable, extended protection is not enforced). The default setting is "Allow". If lowering this protection is not acceptable, then use Forms-Based Authentication!

    • To disable ExtendedProtectionTokenCheck on the ADFS server, execute on the (primary) ADFS server: Set-AdfsProperties -ExtendedProtectionTokenCheck None
    • On every ADFS farm member, restart the ADFS service: Restart-Service ADFSSRV

So how do you know the state of your browser? Check it out yourself and just navigate to the website What’s My User Agent?

In my case the browser I was using, Firefox v37.0, provided the user agent string shown below, and the yellow-marked part did not match anything that was already configured in ADFS


Figure 1: The User Agent String And Status Of Firefox 37.0

The following is an analysis of the provided user agent string


Figure 2: Analysis Of The Provided User Agent String

So, for Firefox you need to meet the prerequisites as mentioned in [1], [2] and [3].

To configure a new supported user agent string in ADFS, while taking the existing user agent strings into account, use the following PowerShell commands on (primary) ADFS server:

Import-Module ADFS

Set-ADFSProperties -WIASupportedUserAgents $((Get-ADFSProperties).WIASupportedUserAgents + "<Required User Agent String>")

In this case the command is:

Import-Module ADFS

Set-ADFSProperties -WIASupportedUserAgents $((Get-ADFSProperties).WIASupportedUserAgents + "Mozilla/5.0")
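As an added example (not part of the original post): a PowerShell pre-flight script that checks the server-side prerequisites from [1] and [3] and then applies the user agent change above only when the string is not already present, so it is safe to re-run. It assumes it is run elevated on the primary ADFS server with the ADFS module and setspn.exe available; the user agent value and message texts are the author's, everything else is this example's own.

```powershell
# Added example, not from the original post: verify [1] and [3], then add
# the user agent string idempotently. Run elevated on the primary ADFS server.
Import-Module ADFS

$props  = Get-AdfsProperties
$fsFqdn = $props.HostName            # Federation Service FQDN, e.g. fs.company.com

# [1] The ADFS service account must hold the SPN HOST/<Federation Service FQDN>.
$svcAccount = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName
$spns = & setspn.exe -L $svcAccount
if ($spns -match "^\s*HOST/$([regex]::Escape($fsFqdn))\s*$") {
    Write-Host "[1] OK      : HOST/$fsFqdn is registered on $svcAccount"
} else {
    Write-Warning "[1] MISSING : HOST/$fsFqdn not registered on $svcAccount"
}

# [3] WIA must be enabled as an intranet (primary) authentication method.
$policy = Get-AdfsGlobalAuthenticationPolicy
if ($policy.PrimaryIntranetAuthenticationProvider -contains 'WindowsAuthentication') {
    Write-Host "[3] OK      : WindowsAuthentication is an intranet primary provider"
} else {
    Write-Warning "[3] MISSING : WindowsAuthentication is not an intranet primary provider"
}

# [3] Report the extended protection level instead of lowering it silently;
# the post recommends FBA over setting it to None if "Allow" cannot be kept.
Write-Host "[3] INFO    : ExtendedProtectionTokenCheck = $($props.ExtendedProtectionTokenCheck)"

# [3] Add the user agent string only if it is not already configured.
$ua = 'Mozilla/5.0'
if ($props.WIASupportedUserAgents -contains $ua) {
    Write-Host "[3] OK      : '$ua' already in WIASupportedUserAgents"
} else {
    Set-AdfsProperties -WIASupportedUserAgents ($props.WIASupportedUserAgents + $ua)
    Write-Host "[3] CHANGED : added '$ua'; restart ADFSSRV on every farm member"
}
```

Note that ADFS matches these entries as substrings of the browser's user agent, and "Mozilla/5.0" is the opening token of the user agent of most current browsers, so after this change ADFS will offer WIA to all of them on the intranet, not only to Firefox; test with a non-domain-joined intranet client as well to see the resulting prompt behaviour.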

That’s it! You should now be able to use Firefox and experience seamless SSO!

For other user agent strings also see:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
