Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Author Archive

(2013-07-12) KB Article: AD DB Becomes Corrupted When W2K12 Hyper-V Host Server Crashes

Posted by Jorge on 2013-07-12


Active Directory database becomes corrupted when a Windows Server 2012-based Hyper-V host server crashes (KB2853952)

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), KB Articles, Virtualization | 1 Comment »

(2013-07-08) Enabling Auditing Of Issued Claims In ADFS v2.x and ADFS v3.x

Posted by Jorge on 2013-07-08


As an Identity Provider (IdP) and/or as a Service Provider (SP) you might need to be able to audit the issued claims in security tokens. This might be especially true if you are the SP that both owns the application and the data within the application and you have federation trusts setup with business partners.

If you are using ADFS v2.x or ADFS v3.x and you need to enable the auditing of issued claims you can do that by performing the following steps:

  • In the ADFS Federation Service Properties enable the following event levels: Success Audits, Failure Audits. This can be achieved through:
    (By default ADFS v2.x or ADFS v3.x only records error, warning and informational events)
    • Using the ADFS MMC on the (primary) ADFS v2.x/v3.x STS server to configure the logged events
      Figure 1: The Default Federation Service Event Recording
      Figure 2: A Custom Federation Service Event Recording (Through GUI)

      OR
    • Issuing the following PowerShell commands on the (primary) ADFS v2.x/v3.x STS server (this PowerShell takes the current auditing configuration into account!):
      • For ADFS v2.0: Add-PSSnapin Microsoft.ADFS.PowerShell
      • For ADFS v2.1: Import-Module ADFS
      • For ADFS v3.x: Import-Module ADFS
      • Set-ADFSProperties -LogLevel $((Get-ADFSProperties).LogLevel + "SuccessAudits" + "FailureAudits")
        Figure 3: A Custom Federation Service Event Recording (Through PowerShell)
  • The account that is used in the ADFS application pool must have the “Generate Security Audits” user right on every ADFS v2.x/v3.x STS server. This can be achieved through:
    • Configuring the user right mentioned within the local security policy of each ADFS v2.x/v3.x STS server
      OR
    • Configuring the user right mentioned within a GPO, link that GPO to the OU that contains the computer account of each ADFS v2.x/v3.x STS server and make sure that it only applies to the ADFS v2.x/v3.x STS servers through either group filtering or WMI filtering
  • At a minimum you must enable successes and failures for the subcategory “Application Generated” within the category “Object Access”. This can be achieved by:
    • Issuing the following command on each ADFS v2.x/v3.x STS server:
      (This applies only to W2K8 and higher)
      • TO ENABLE: AUDITPOL /SET /SUBCATEGORY:"Application Generated" /FAILURE:ENABLE /SUCCESS:ENABLE
      • TO DISABLE: AUDITPOL /SET /SUBCATEGORY:"Application Generated" /FAILURE:DISABLE /SUCCESS:DISABLE
      • TO CHECK STATUS: AUDITPOL /GET /SUBCATEGORY:"Application Generated"
        OR
    • Configuring the main category “Object Access” to be enabled for successes and failures within a GPO, link that GPO to the OU that contains the computer account of each ADFS v2.0 STS server and make sure that it only applies to the ADFS v2.0 STS servers through either group filtering or WMI filtering. (Within GPO: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit Object Access)
      (This applies only to W2K8)
      OR
    • Configuring the subcategory “Application Generated” within the main category “Object Access” to be enabled for successes and failures within a GPO, link that GPO to the OU that contains the computer account of each ADFS v2.x/v3.x STS server and make sure that it only applies to the ADFS v2.x/v3.x STS servers through either group filtering or WMI filtering. (Within GPO: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Application Generated)
      (This applies only to W2K8 R2 and higher)

All the auditing events with regards to the claims issued can be found in the Security Event Log. If you expect a high churn of all kinds of auditing events in the security event log, you might need to centrally consolidate/store those events using a tool that is able to collect such information.

To get the events through PowerShell I used the following script:

  # Only look at Security events written after this timestamp (formatted the way the XPath SystemTime comparison expects)
  $adfsSecurityEventDate = Get-Date "05-Jul-2013 20:17:02" -format "yyyy-MM-ddTHH:mm:ss.000000000Z"
  $adfsServer = "RFSRWDC1.ADCORP.LAB"
  $eventLogName = "Security"
  $eventFilter = "*[System/TimeCreated[@SystemTime > '" + $adfsSecurityEventDate + "']]"
  $adfsRelatedEvents = Get-WinEvent -ComputerName $adfsServer -LogName $eventLogName -FilterXPath $eventFilter
  # Keep only the ADFS audit events (IDs 299, 500 and 501) and list their details
  $adfsRelatedEvents | ?{$_.Id -eq "299" -Or $_.Id -eq "500" -Or $_.Id -eq "501"} | FL Id, MachineName, LogName, TimeCreated, Message
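As an added example (not part of Jorge's post), the following PowerShell checks the three prerequisites above on an ADFS v2.1/v3.x STS server (where Import-Module ADFS applies; ADFS v2.0 loads the snap-in instead) and summarises the audit events already in the Security log. It assumes that "auditpol /r" emits CSV with an "Inclusion Setting" column; the cmdlet and event IDs are the ones used in the post.

```powershell
# Added example, not from the original post: verify the ADFS claim-auditing prerequisites
# on an ADFS v2.1/v3.x STS server. Run in an elevated PowerShell on the (primary) STS server.
# Assumption: "auditpol /r" returns CSV with an "Inclusion Setting" column.
Import-Module ADFS

function Test-AdfsAuditLogLevel {
    # 1. Federation Service event levels must include both Success Audits and Failure Audits.
    $props    = Get-ADFSProperties
    $required = @("SuccessAudits", "FailureAudits")
    $missing  = @($required | Where-Object { $props.LogLevel -notcontains $_ })
    if ($missing.Count -gt 0) {
        # Keep the levels already configured and add only the missing ones.
        Set-ADFSProperties -LogLevel ($props.LogLevel + $missing)
        return "LogLevel extended with: " + ($missing -join ", ")
    }
    return "LogLevel already contains SuccessAudits and FailureAudits"
}

function Test-ApplicationGeneratedPolicy {
    # 2. Local audit policy: Object Access\Application Generated for success AND failure.
    $row = auditpol /get /subcategory:"Application Generated" /r |
           Where-Object { $_ -ne "" } | ConvertFrom-Csv
    $setting = $row."Inclusion Setting"
    if ($setting -ne "Success and Failure") {
        Write-Warning "Application Generated auditing is '$setting'; apply the AUDITPOL /SET command from the post"
        return $false
    }
    return $true
}

function Get-AdfsAuditEventSummary {
    param([int]$Hours = 24)
    # 3. Count the event IDs the post's script filters on (299, 500, 501) for the last $Hours.
    #    No events at all usually means the ADFS service account is missing the
    #    "Generate Security Audits" user right on this server.
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 299, 500, 501; StartTime = $since } -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning "No ADFS audit events since $since; check the 'Generate Security Audits' user right"
        return @()
    }
    return $events | Group-Object Id | Select-Object @{ n = "EventId"; e = { $_.Name } }, Count
}

Test-AdfsAuditLogLevel
Test-ApplicationGeneratedPolicy
Get-AdfsAuditEventSummary -Hours 24 | Format-Table -AutoSize
```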

When auditing is enabled, an EXAMPLE of what can be audited is shown below in the pictures.

ALL of the following events show all the claims AFTER processing the “Acceptance Transform Rules” configured on the Claims Provider Trust from where the identity, and therefore the claims, originated. The claims in the security token depend on the configured claims rules on the Claims Provider Trust.

Figure 4: The Federation Service Notifying A Security Token Was Issued For The ADFS STS Itself After Processing The Acceptance Transform Rules On The Claims Provider Trust

Figures 5 to 35: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust (31 screenshots)

ALL of the following events show all the claims AFTER processing the “Issuance Transform Rules” configured on the Relying Party. The claims in the security token depend on the configured claims rules on the Relying Party Trust.

Figure 36: The Federation Service Notifying A Security Token Was Issued For The Relying Party After Processing The Issuance Transform Rules On The Relying Party Trust

Figures 37 to 41: The List Of Claims In The Security Token After Processing The Issuance Transform Rules On The Relying Party Trust (5 screenshots)

Cheers,

Jorge


Posted in Active Directory Federation Services (ADFS), Auditing | 8 Comments »

(2013-07-08) Enabling Auditing Of Issued Claims In ADFS v1.0 and ADFS v1.1

Posted by Jorge on 2013-07-08


As an Identity Provider (IdP) and/or as a Service Provider (SP) you might need to be able to audit the issued claims in security tokens. This might be especially true if you are the SP that both owns the application and the data within the application and you have federation trusts setup with business partners.

If you are still using ADFS v1.x and you need to enable the auditing of issued claims you can do that by performing the following steps:

  • In the ADFS Trust Policy enable the following event levels: Success Audit, Failure Audit, Detailed Success, Detailed Failure
  • The account that is used in the ADFS application pool must have the “Generate Security Audits” user right on every ADFS v1.x STS server. This can be achieved through:
    • Configuring the user right mentioned within the local security policy of each ADFS v1.x STS server
      OR
    • Configuring the user right mentioned within a GPO, link that GPO to the OU that contains the computer account of each ADFS v1.x STS server and make sure that it only applies to the ADFS v1.x STS servers through either group filtering or WMI filtering
  • At a minimum you must enable successes and failures for the subcategory “Application Generated” within the category “Object Access”. This can be achieved by:
    • Issuing the following command on each ADFS v1.x STS server: AUDITPOL /SET /SUBCATEGORY:"Application Generated" /FAILURE:ENABLE /SUCCESS:ENABLE
      (This applies only to W2K8 and higher)
      OR
    • Configuring the main category “Object Access” to be enabled for successes and failures within a GPO, link that GPO to the OU that contains the computer account of each ADFS v1.x STS server and make sure that it only applies to the ADFS v1.x STS servers through either group filtering or WMI filtering. (Within GPO: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit Object Access)
      (This applies only to W2K3 and W2K8)
      OR
    • Configuring the subcategory “Application Generated” within the main category “Object Access” to be enabled for successes and failures within a GPO, link that GPO to the OU that contains the computer account of each ADFS v1.x STS server and make sure that it only applies to the ADFS v1.x STS servers through either group filtering or WMI filtering. (Within GPO: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Application Generated)
      (This applies only to W2K8 R2)

All the auditing events with regards to the claims issued can be found in the Security Event Log. If you expect a high churn of all kinds of auditing events in the security event log, you might need to centrally consolidate/store those events using a tool that is able to collect such information.

Cheers,
Jorge

Posted in Active Directory Federation Services (ADFS), Auditing | 1 Comment »

(2013-07-06) Uninstalling An ADFS v2.0 PRX Server

Posted by Jorge on 2013-07-06


In the past I described how to install an ADFS Proxy (PRX) Server in this post. This post will focus on UNINSTALLING an ADFS PRX Server.

First you need to uninstall ADFS v2.0

  • Open a Command Prompt Window
  • Open APPWIZ.CPL
  • Click View Installed Updates and type ACTIVE into the Search Programs and Features search bar.
  • Select Active Directory Federation Services 2.0 and click Uninstall.

Secondly, uninstall IIS as described in the section “Restore IIS on a federation server or federation server proxy computer” from How to restore IIS and clean up Active Directory when you uninstall Active Directory Federation Services 2.0

And last but not least, delete the CA issued certificate from the computer’s personal store if you do not intend to re-use it

  • Open a Command Prompt Window
  • Open MMC
  • Add the Snap-in called “Certificates” and focus on the local computer
  • Navigate to the personal store of the computer, select the certificate that contains the name/FQDN of the federation service in the subject or SAN and delete it

Cheers,
Jorge

Posted in Active Directory Federation Services (ADFS), Proxy Service | Leave a Comment »

(2013-07-06) Uninstalling An ADFS v2.0 STS Server

Posted by Jorge on 2013-07-06


In the past I described how to install an ADFS STS Server in this post and this post and this post. The idea of this post was to focus on UNINSTALLING an ADFS STS Server or the complete federation service.

Then I found out, Paul Williams already had done a great job describing that in the post Uninstalling AD FS 2.0 (and deleting the databases)

If you are using SQL instead of WID, you need to delete the databases from SQL. Because of that you can also skip the step describing the uninstall of WID.

If you are using CA issued certificates for the Token Signing Certificate and the Token Encryption Certificate, you can skip the step of removing the certificate sharing container in ADDS.

And last but not least, delete any CA issued certificate from the computer’s personal store that was being used by ADFS if you do not intend to re-use it

  • Open a Command Prompt Window
  • Open MMC
  • Add the Snap-in called “Certificates” and focus on the local computer
  • Navigate to the personal store of the computer, select the certificate that contains the name/FQDN of the federation service in the subject or SAN and delete it. If you are using CA issued certificates, you should have three certificates in the computer’s personal store that were being used by ADFS.

Cheers,
Jorge

Posted in Active Directory Federation Services (ADFS), Security Token Service (STS) | 4 Comments »

(2013-07-05) PowerShell Resources For Survival

Posted by Jorge on 2013-07-05


Since Microsoft introduced PowerShell, it has been incorporated into many Microsoft products. PowerShell is becoming more and more important in remote, automatic and/or scripted management of (Microsoft) systems and applications. Because of this, it is important that *YOU* as an administrator, engineer or consultant start using PowerShell if you have not done it already. How to start learning and using it? Well, just do it! There are a lot of examples on the internet on how to achieve stuff. The next time you need to do something remotely or you need to automate some repetitive task, try to use PowerShell. In time your experience and knowledge increases!

Through the following link you can find LOTS of PowerShell resources: Windows PowerShell Survival Guide

Cheers,
Jorge

Posted in PowerShell | 1 Comment »

(2013-06-21) Lots Of Free eBooks Available By Microsoft

Posted by Jorge on 2013-06-21


Microsoft has released a huge number of free eBooks available to anyone interested in reading them.

Get those eBooks through the following links:

Cheers,
Jorge

Posted in Literature | Leave a Comment »

(2013-06-20) Active Directory Naming Considerations

Posted by Jorge on 2013-06-20


Microsoft just recently published a wiki page with naming considerations for AD domains.

You can find the info through this link.

Cheers,
Jorge

Posted in Active Directory Domain Services (ADDS), Naming/Limits | Leave a Comment »

(2013-06-15) The FIM User Group Presented By The FIM Team

Posted by Jorge on 2013-06-15


The people from the FIM Team, supported by different MVPs around the world, have created a FIM User Group. This user group has a monthly occurrence with presentations, experiences, best practices and lots of other stuff you might be interested in when working with FIM 2010 (R2). The very first meeting was last week on the 20th of June and focused on introductions, getting-to-know-you interactions, and discussion about how the User Group will work. You can see the meeting through this link.

The monthly meeting will occur every month through Lync Online and it will be recorded. You will find all the recordings on YouTube using this link.

You got interested? If yes, then go to this page to find more info and subscribe.

Cheers,
Jorge

Posted in Day-To-Day Stuff | Leave a Comment »

(2013-06-15) AD FS 2.0 Claims Rule Language Primer From The ASKDS Team (Part 2)

Posted by Jorge on 2013-06-15


The guys from the ASKDS Team Blog have written a great follow-up article about the Claims Rule Language in ADFS v2.x. Kudos and credits of course go to the writer of the post on the AskDS Team Blog. The first part can be found through the following link: (2011-10-24) AD FS 2.0 Claims Rule Language Primer From The ASKDS Team

SOURCE: AD FS 2.0 Claims Rule Language Primer (Part 2)

<QUOTE SOURCE=”AD FS 2.0 Claims Rule Language Primer (Part 2)”>

Hello, Joji Oshima here to dive deeper into the Claims Rule Language for AD FS. A while back I wrote a getting started post on the claims rule language in AD FS 2.0. If you haven’t seen it, I would start with that article first as I’m going to build on the claims rule language syntax discussed in that earlier post. In this post, I’m going to cover more complex claim rules using Regular Expressions (RegEx) and how to use them to solve real world issues.

An Introduction to Regex

The use of RegEx allows us to search or manipulate data in many ways in order to get a desired result. Without RegEx, when we do comparisons or replacements we must look for an exact match. Most of the time this is sufficient but what if you need to search or replace based on a pattern? Say you want to search for strings that simply start with a particular word. RegEx uses pattern matching to look at a string with more precision. We can use this to control which claims are passed through, and even manipulate the data inside the claims.

Using RegEx in searches

Using RegEx to pattern match is accomplished by changing the standard double equals "==" to "=~" and by using special metacharacters in the condition statement. I’ll outline the more commonly used ones, but there are good resources available online that go into more detail. For those of you unfamiliar with RegEx, let’s first look at some common RegEx metacharacters used to build pattern templates and what the result would be when using them.

Symbol: ^
Operation: Match the beginning of a string
Example Rule:
  c:[type == "http://contoso.com/role", Value =~ "^director"]
  => issue (claim = c);
Pass through any role claims that start with "director"

Symbol: $
Operation: Match the end of a string
Example Rule:
  c:[type == "http://contoso.com/email", Value =~ "contoso.com$"]
  => issue (claim = c);
Pass through any email claims that end with "contoso.com"

Symbol: |
Operation: OR
Example Rule:
  c:[type == "http://contoso.com/role", Value =~ "^director|^manager"]
  => issue (claim = c);
Pass through any role claims that start with "director" or "manager"

Symbol: (?i)
Operation: Not case sensitive
Example Rule:
  c:[type == "http://contoso.com/role", Value =~ "(?i)^director"]
  => issue (claim = c);
Pass through any role claims that start with "director" regardless of case

Symbol: x.*y
Operation: "x" followed by "y"
Example Rule:
  c:[type == "http://contoso.com/role", Value =~ "(?i)Seattle.*Manager"]
  => issue (claim = c);
Pass through any role claims that contain "Seattle" followed by "Manager" regardless of case.

Symbol: +
Operation: Match preceding character
Example Rule:
  c:[type == "http://contoso.com/employeeId", Value =~ "^0+"]
  => issue (claim = c);
Pass through any employeeId claims that start with at least one "0"

Symbol: *
Operation: Match preceding character zero or more times
Example Rule: Similar to above, more useful in RegExReplace() scenarios.

Table 1: RegEx Metacharacters

Using RegEx in string manipulation

RegEx pattern matching can also be used in replacement scenarios. It is similar to a "find and replace", but using pattern matching instead of exact values. To use this in a claim rule, we use the RegExReplace() function in the value section of the issuance statement.

The RegExReplace() function accepts three parameters:

  1. The first is the string in which we are searching.
    1. We will typically want to search the value of the incoming claim (c.Value), but this could be a combination of values (c1.Value + c2.Value).
  2. The second is the RegEx pattern we are searching for in the first parameter
  3. The third is the string value that will replace any matches found.

Example:

c:[type == "http://contoso.com/role"]
=> issue (Type = "http://contoso.com/role", Value = RegExReplace(c.Value, "(?i)director", "Manager"));

Pass through any role claims. If any of the claims contain the word "Director", RegExReplace() will change it to "Manager". For example, "Director of Finance" would pass through as "Manager of Finance".

Real World Examples

Let’s look at some real world examples of regular expressions in claims rules.

# Problem 1:

We want to add claims for all group memberships, including distribution groups.

# Solution:

Typically, group membership is added using the wizard and selecting Token-Groups Unqualified Names and map it to the Group or Role claim. This will only pull security groups, not distribution groups, and will not contain Domain Local groups.

Figure 1: Retrieving Groups From AD And Sending Claims Out For Each

<COMMENT BY JORGE>

Using “memberOf”, you:

  • Cannot get nested group memberships
  • Can only get direct group memberships (security groups, distribution groups, universal groups, global groups, domain local groups)
  • Get the groups in DN format

Using “Token-Groups – Unqualified Names” or “Token-Groups – Qualified By Domain Name” or “Token-Groups – Qualified By Long Domain Name”, you:

  • Can get direct and nested group memberships
  • Can get security groups
  • Cannot get distribution groups
  • Can get universal groups, global groups
  • Cannot get domain local groups
  • Get the groups in naming format, with or without the (long) domain name (depends on which token groups attribute was used)

</COMMENT BY JORGE>

We can pull from memberOf, but that will give us the entire distinguished name, which is not what we want. One way to solve this problem is to use three separate claim rules and use RegExReplace() to remove unwanted data.

Phase 1: Pull memberOf, add to working set "phase 1"

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://test.com/phase1"), query = ";memberOf;{0}", param = c.Value);

Example: "CN=Group1,OU=Users,DC=contoso,DC=com" is put into a phase 1 claim.

Phase 2: Drop everything after the first comma, add to working set "phase 2"

c:[Type == "http://test.com/phase1"]
=> add(Type = "http://test.com/phase2", Value = RegExReplace(c.Value, ",[^\n]*", ""));

Example: We process the value in the phase 1 claim and put "CN=Group1" into a phase 2 claim.

Digging Deeper: RegExReplace(c.Value, ",[^\n]*", "")

  • c.Value is the value of the phase 1 claim. This is what we are searching in.
  • ",[^\n]*" is the RegEx syntax used to find the first comma, plus everything after it
  • "" is the replacement value. Since there is no string, it effectively removes any matches.

Phase 3: Drop CN= at the beginning, add to outgoing claim set as the standard role claim

c:[Type == "http://test.com/phase2"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = RegExReplace(c.Value, "^CN=", ""));

Example: We process the value in phase 2 claim and put "Group1" into the role claim

Digging Deeper: RegExReplace(c.Value, "^CN=", "")

  • c.Value is the value of the phase 1 claim. This is what we are searching in.
  • "^CN=" is the RegEx syntax used to find "CN=" at the beginning of the string.
  • "" is the replacement value. Since there is no string, it effectively removes any matches.

# Problem 2:

We need to compare the values in two different claims and only allow access to the relying party if they match.

# Solution:

In this case we can use RegExReplace(). This is not the typical use of this function, but it works in this scenario. The function will attempt to match the pattern in the first data set with the second data set. If they match, it will issue a new claim with the value of "Yes". This new claim can then be used to grant access to the relying party. That way, if these values do not match, the user will not have this claim with the value of "Yes".

c1:[Type == "http://adatum.com/data1"] &&
c2:[Type == "http://adatum.com/data2"]
=> issue(Type = "http://adatum.com/UserAuthorized", Value = RegExReplace(c1.Value, c2.Value, "Yes"));

Example: If there is a data1 claim with the value of "contoso" and a data2 claim with a value of "contoso", it will issue a UserAuthorized claim with the value of "Yes". However, if data1 is "adatum" and data2 is "fabrikam", it will issue a UserAuthorized claim with the value of "adatum".

Digging Deeper: RegExReplace(c1.Value, c2.Value, "Yes")

  • c1.Value is the value of the data1 claim. This is what we are searching in.
  • c2.Value is the value of the data2 claim. This is what we are searching for.
  • "Yes" is the replacement value. Only if c1.Value & c2.Value match will there be a pattern match and the string will be replaced with "Yes". Otherwise the claim will be issued with the value of the data1 claim.

# Problem 3:

Let’s take a second look at a potential issue with our solution to problem 2. Since we are using the value of one of the claims as the RegEx syntax, we must be careful to check for certain RegEx metacharacters that would make the comparison mean something different. The backslash is used in some RegEx metacharacters so any backslashes in the values will throw off the comparison and it will always fail, even if the values match.

# Solution:

In order to ensure that our matching claim rule works, we must sanitize the input values by removing any backslashes before doing the comparison. We can do this by taking the data that would go into the initial claims, put it in a holding attribute, and then use RegEx to strip out the backslash. The example below only shows the sanitization of data1, but it would be similar for data2.

Phase 1: Pull attribute1, add to holding attribute "http://adatum.com/data1holder"

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> add(store = "Active Directory", types = ("http://adatum.com/data1holder"), query = ";attribute1;{0}", param = c.Value);

Example: The value in attribute 1 is "Contoso\John" which is placed in the data1holder claim.

Phase 2: Strip the backslash from the holding claim and issue the new data1 claim

c:[Type == "http://adatum.com/data1holder", Issuer == "AD AUTHORITY"]

=> issue(Type = "http://adatum.com/data1", Value = RegExReplace(c.Value, "\\", ""));

Example: We process the value in the data1holder claim and put "ContosoJohn" in a data1 claim

Digging Deeper: RegExReplace(c.Value,"\\","")

  • c.Value is the value of the data1 claim. This is what we are searching in.
  • "\\" is considered a single backslash. In RegEx, using a backslash in front of a character makes it a literal backslash.
  • "" is the replacement value. Since there is no string, it effectively removes any matches.

An alternate solution would be to pad each backslash in the data2 value with a second backslash. That way each backslash would be represented as a literal backslash. We could accomplish this by using RegExReplace(c.Value,"\\","\\\\") against a data2 input value.
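Added example covering Problem 2 and Problem 3 together; it is not code from the primer or from this blog. It replays the RegExReplace comparison, the backslash-stripping rule and the backslash-doubling alternative in Python (re.sub, assumed to behave like the .NET engine for these patterns), and then adds a hardened form that the claims rule language itself does not offer: escaping every metacharacter in the data2 value and anchoring the pattern, so only whole-string equality yields "Yes". The sample claim values are constructed. The point of the naive cases is that RegExReplace is a pattern match, not an equality test: a data1 value that merely contains data2 yields "Yes" plus a suffix, and a data2 value containing metacharacters can match a data1 value it is not equal to.

```python
import re


def regex_replace(value: str, pattern: str, replacement: str) -> str:
    """Claim-rule RegExReplace(input, pattern, replacement) argument order.
    Assumption: re.sub agrees with .NET Regex.Replace for these patterns."""
    return re.sub(pattern, replacement, value)


def user_authorized_claim(data1: str, data2: str) -> str:
    """Problem 2 rule as written: RegExReplace(c1.Value, c2.Value, "Yes").
    data2 is used as the regex pattern, so this is a pattern match, not equality."""
    return regex_replace(data1, data2, "Yes")


def strip_backslashes(value: str) -> str:
    """Problem 3 phase 2: RegExReplace(c.Value, "\\\\", "") removes every backslash."""
    return regex_replace(value, r"\\", "")


def double_backslashes(value: str) -> str:
    """Alternate solution: turn each backslash into an escaped (literal) backslash
    so the value can be used as a pattern. Replacement r"\\\\\\\\" yields two backslashes."""
    return regex_replace(value, r"\\", r"\\\\")


def exact_match_claim(data1: str, data2: str) -> str:
    """Hardened form (added here, not a claims-rule construct): re.escape neutralises
    every metacharacter and ^...$ forces a whole-string comparison, so "Yes" is
    issued only when data1 == data2 and the value is otherwise returned unchanged."""
    return regex_replace(data1, "^" + re.escape(data2) + "$", "Yes")


if __name__ == "__main__":
    # Constructed sample claim values
    cases = [("contoso", "contoso"), ("adatum", "fabrikam"),
             ("contoso-corp", "contoso"), ("contoso", "c.nt.s.")]
    for d1, d2 in cases:
        print(f"{d1!r} vs {d2!r}: naive={user_authorized_claim(d1, d2)!r} "
              f"exact={exact_match_claim(d1, d2)!r}")
    win = "Contoso\\John"
    print("stripped:", user_authorized_claim(strip_backslashes(win), strip_backslashes(win)))
    print("doubled: ", user_authorized_claim(win, double_backslashes(win)))
```

Note that the raw Problem 2 rule with an unescaped backslash in data2 is rejected by the regex engine (Python raises re.error for the sequence `\J`), which is the "always fail" behaviour the text describes; both the stripping and the doubling variants make the comparison succeed, and the exact-match form needs neither.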

# Problem 4:

Employee numbers vary in length, but we need to have exactly 9 characters in the claim value. Employee numbers that are shorter than 9 characters should be padded in the front with leading zeros.

# Solution:

In this case we can create a buffer claim, join that with the employee number claim, and then use RegEx to use the right most 9 characters of the combined string.

Phase 1: Create a buffer claim to create the zero-padding

=> add(Type = "Buffer", Value = "000000000");

Phase 2: Pull the employeeNumber attribute from Active Directory, place it in a holding claim

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> add(store = "Active Directory", types = ("ENHolder"), query = ";employeeNumber;{0}", param = c.Value);

Phase 3: Combine the two values, then use RegEx to remove all but the 9 right most characters.

c1:[Type == "Buffer"]

&& c2:[Type == "ENHolder"]

=> issue(Type = "http://adatum.com/employeeNumber", Value = RegExReplace(c1.Value + c2.Value, ".*(?=.{9}$)", ""));

Digging Deeper: RegExReplace(c1.Value + c2.Value, ".*(?=.{9}$)", "")

  • c1.Value + c2.Value is the employee number padded with nine zeros. This is what we are searching in.
  • ".*(?=.{9}$)" represents the last nine characters of a string. This is what we are searching for. We could replace the 9 with any number and have it represent the last "X" number of characters.
  • "" is the replacement value. Since there is no string, it effectively removes any matches.

# Problem 5:

Employee numbers contain leading zeros but we need to remove those before sending them to the relying party.

# Solution:

In this case we can pull the employee number from Active Directory and place it in a holding claim, then use RegEx to strip out any leading zeros.

Phase 1: Pull the employeeNumber attribute from Active Directory, place it in a holding claim

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> add(store = "Active Directory", types = ("ENHolder"), query = ";employeeNumber;{0}", param = c.Value);

Phase 2: Take the value in ENHolder and remove any leading zeros.

c:[Type == "ENHolder"]

=> issue(Type = "http://adatum.com/employeeNumber", Value = RegExReplace(c.Value, "^0*", ""));

Digging Deeper: RegExReplace(c.Value, "^0*", "")

  • c.Value is the employee number. This is what we are searching in.
  • "^0*" finds any leading zeros. This is what we are searching for. If we only had ^0 it would only match a single leading zero. If we had 0* it would find any zeros in the string.
  • "" is the replacement value. Since there is no string, it effectively removes any matches.
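Added example for Problem 4 and Problem 5, not code from the primer or from this blog: the padding rule (Buffer + employeeNumber trimmed to the rightmost nine characters with ".*(?=.{9}$)") and the stripping rule ("^0*") in Python, with re.sub standing in for RegExReplace (assumed equivalent for these patterns). The employee numbers are constructed samples. It also adds a check the page does not have: the padding rule silently truncates any employee number longer than nine characters, and the stripping rule turns an all-zero value into an empty claim, both of which you want to detect before a relying party sees them.

```python
import re

BUFFER = "000000000"  # Problem 4 phase 1: the Buffer claim, nine zeros
TARGET_LENGTH = 9


def regex_replace(value: str, pattern: str, replacement: str) -> str:
    """Claim-rule RegExReplace(input, pattern, replacement) argument order.
    Assumption: re.sub agrees with .NET Regex.Replace for these patterns."""
    return re.sub(pattern, replacement, value)


def pad_to_nine(employee_number: str) -> str:
    """Problem 4 phase 3: c1.Value + c2.Value, then drop everything except the
    last nine characters. ".*" greedily eats the prefix as long as nine
    characters remain before end of string (the lookahead)."""
    return regex_replace(BUFFER + employee_number, r".*(?=.{9}$)", "")


def strip_leading_zeros(employee_number: str) -> str:
    """Problem 5 phase 2: "^0*" matches zero or more zeros anchored at the start."""
    return regex_replace(employee_number, r"^0*", "")


def check_employee_number(employee_number: str) -> dict:
    """Added sanity check (not a claims-rule construct): report what each rule
    would emit and flag the two inputs the rules mangle without error."""
    stripped = strip_leading_zeros(employee_number)
    return {
        "padded": pad_to_nine(employee_number),
        "stripped": stripped,
        "truncated": len(employee_number) > TARGET_LENGTH,
        "empty_after_strip": stripped == "",
    }


if __name__ == "__main__":
    # Constructed sample employee numbers
    for number in ("12345", "123456789", "1234567890", "000012345", "000000000"):
        print(number, check_employee_number(number))
```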

Conclusion

As you can see, RegEx adds powerful functionality to the claims rule language. It has a high initial learning curve, but once you master it you will find that there are few scenarios that RegEx can’t solve. I would highly recommend searching for an online RegEx syntax tester as it will make learning and testing much easier. I’ll continue to expand the TechNet wiki article so I would check there for more details on the claims rule language.

Understanding Claim Rule Language in AD FS 2.0

AD FS 2.0: Using RegEx in the Claims Rule Language

Regular Expression Syntax

AD FS 2.0 Claims Rule Language Primer

Until next time,

Joji "Claim Jumper" Oshima

</QUOTE SOURCE=”AD FS 2.0 Claims Rule Language Primer (Part 2)”>

Cheers,
Jorge

Posted in Active Directory Federation Services (ADFS), Claims Rule Language | 2 Comments »