(2015-10-10) Certificate Chain Validation And Revocation Status Checking In ADFS
Posted by Jorge on 2015-10-10
Within ADFS, federation trusts can be configured with one or more Token Signing certificates and/or one Token Encryption certificate. More information about the certificates used in ADFS can be found in the following blog post: (2013-05-13) Certificates Used In Active Directory Federation Services (ADFS) v2.x (also applies to ADFS v3 and ADFS v4!).
For every certificate used, certificate chain validation is performed if the certificate was issued by a CA. It does not apply to self-signed certificates, as there is no chain. For CA-issued certificates, certificate chain validation is performed online through the URL(s) specified in the AIA extension of the certificate, or offline if the certificates in the chain are installed in the Local Machine stores for Root CAs and Intermediate CAs.
Figure 1: The Authority Information Access (AIA) Extension Of A CA Issued Certificate
In addition, the revocation status of the certificate is checked through the URL(s) specified in the CDP extension of the certificate (CRL) and/or in the AIA extension of the certificate when OCSP is used. This, of course, only applies to certificates issued by a certificate authority; it does not apply to self-signed certificates.
Figure 2: The CRL Distribution Points (CDP) Extension Of A CA Issued Certificate
Revocation status checking of a certificate used in a particular federation trust (Claims Provider Trust or Relying Party Trust) depends on the setting configured for the certificate type used by that trust (Token Signing and/or Token Encryption). The Token Signing certificate and the Token Encryption certificate each have their own revocation status checking setting, and both support the following values:
- CheckChain –> Check online revocation status for every certificate that is part of the certificate chain
- CheckChainCacheOnly –> Check offline revocation status for every certificate that is part of the certificate chain
- CheckChainExcludeRoot (DEFAULT) –> Check online revocation status for every certificate that is part of the certificate chain, except for the certificate of the root CA
- CheckChainExcludeRootCacheOnly –> Check offline revocation status for every certificate that is part of the certificate chain, except for the certificate of the root CA
- CheckEndCert –> Check online revocation status for only the end certificate being used
- CheckEndCertCacheOnly –> Check offline revocation status for only the end certificate being used
- None –> Do not perform any (online or offline) revocation status checking
Certificate chain validation can be done either offline or online, and the same applies to certificate revocation status checking. For certificate revocation status checking, whether performed online or offline, access to the CRL distribution points is still required.
Certificate chain validation checks the validity of the complete chain. Certificate revocation status checking checks the revocation status of the certificates used, depending on the configured setting. It is also possible to fully disable certificate revocation status checking. But think again! You are relying on (third-party) certificates to increase the assurance of the certificates used in your federation trusts, so checking their revocation status is a good idea! When you disable or weaken it, the purpose of using certificates is defeated. So, why would you still disable certificate revocation status checking? Let me guess: the ADFS server(s) do not have any external network (e.g. internet) connectivity and can therefore not reach the CRL distribution points. Remember that the federation ecosystem heavily depends on certificates, and that checking the validity of those certificates is of utmost importance. Here *I* would prefer to give the ADFS servers internet access so they can retrieve certificate revocation lists. Are there any risk mitigation actions available to protect the ADFS servers from malicious web sites? Yes, there are, and that is the topic of the next blog post!
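To see which trusts run with one of the weakened settings listed above, and to verify a trust's signing certificate chain through its AIA and CDP URLs the way ADFS does, here is an added PowerShell example (not part of the original post, and not Microsoft's code); it assumes the ADFS PowerShell module on the federation server, and the trust name passed to Test-AdfsTrustSigningCertificate is a placeholder.

```powershell
# Added example: audit the revocation-check setting of every ADFS federation
# trust and flag the ones weaker than the default (CheckChainExcludeRoot).
Import-Module ADFS

# Every setting that skips online revocation checking of the chain.
$Weak = @('None', 'CheckEndCert', 'CheckEndCertCacheOnly',
          'CheckChainCacheOnly', 'CheckChainExcludeRootCacheOnly')

function Get-AdfsTrustRevocationAudit {
    $trusts = @()
    $trusts += Get-AdfsClaimsProviderTrust | ForEach-Object {
        [pscustomobject]@{ Type = 'ClaimsProvider'; Name = $_.Name
            Signing    = $_.SigningCertificateRevocationCheck
            Encryption = $_.EncryptionCertificateRevocationCheck }
    }
    $trusts += Get-AdfsRelyingPartyTrust | ForEach-Object {
        [pscustomobject]@{ Type = 'RelyingParty'; Name = $_.Name
            Signing    = $_.SigningCertificateRevocationCheck
            Encryption = $_.EncryptionCertificateRevocationCheck }
    }
    foreach ($t in $trusts) {
        # Compare as strings so an unset (null) value is not flagged.
        $weakened = ($Weak -contains "$($t.Signing)") -or
                    ($Weak -contains "$($t.Encryption)")
        $t | Add-Member -NotePropertyName Weakened -NotePropertyValue $weakened
        $t
    }
}

# Manually walk the chain of a relying party's request signing certificate.
# certutil -urlfetch follows the AIA and CDP URLs instead of the local cache.
function Test-AdfsTrustSigningCertificate {
    param([Parameter(Mandatory)][string]$TargetName)
    $rp = Get-AdfsRelyingPartyTrust -Name $TargetName
    foreach ($cert in $rp.RequestSigningCertificate) {
        $path = Join-Path $env:TEMP "$($cert.Thumbprint).cer"
        [IO.File]::WriteAllBytes($path, $cert.Export('Cert'))
        certutil -verify -urlfetch $path
    }
}

# Weakened trusts first, then chain-check one trust (placeholder name).
Get-AdfsTrustRevocationAudit | Sort-Object Weakened -Descending | Format-Table -AutoSize
Test-AdfsTrustSigningCertificate -TargetName 'RP-TRUST-PLACEHOLDER'

# To put a trust back on the default setting:
# Set-AdfsRelyingPartyTrust -TargetName 'RP-TRUST-PLACEHOLDER' `
#     -SigningCertificateRevocationCheck CheckChainExcludeRoot `
#     -EncryptionCertificateRevocationCheck CheckChainExcludeRoot
```

The built-in Active Directory claims provider trust has no revocation setting to audit, which is why null values are deliberately not reported as weakened.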
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########