Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Updates’ Category

(2015-05-06) Make Sure To Patch Your ADFS Infrastructure, Again!

Posted by Jorge on 2015-05-06


A few days ago Microsoft disclosed a serious vulnerability (MS15-040) in ADFS v3.0 (ADFS in Windows Server 2012 R2). The vulnerability could allow information disclosure if a user leaves the browser open after logging off from an application and an attacker reopens the application in that browser immediately afterwards. The security update is rated Important for AD FS 3.0 when installed on x64-based editions of Windows Server 2012 R2, and it addresses the vulnerability by ensuring that the logoff process properly logs off the user.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), Updates

(2015-05-05) Make Sure To Patch Your ADFS Infrastructure, If You Have Not Done It Already

Posted by Jorge on 2015-05-05


Last month Microsoft disclosed a serious vulnerability (MS15-034) in the HTTP protocol stack (HTTP.sys) that allows remote code execution. It is triggered when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who successfully exploited this vulnerability could execute arbitrary code in the context of the System account. Microsoft also released a security update to patch Windows systems.

Now you may think that you only need to patch Windows systems with IIS installed. That is not accurate. You also need to patch any system that is built on top of HTTP.SYS, even if IIS is not installed. An example is ADFS v3.0 and higher.

This means that any system protected through ADFS is vulnerable if the ADFS infrastructure is compromised! If ADFS is compromised, whoever controls it is able to generate a security token with any claims in it and gain access to the claims-aware applications that trust it.

Therefore make sure to patch any Windows system with IIS, and any system that is built on top of just HTTP.SYS!
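As an added example (not from the original post), the following PowerShell inventories which processes on a host have URLs registered with HTTP.sys, so that consumers other than IIS, such as ADFS, show up when you plan the rollout. The KB number for the MS15-034 update is a placeholder because the post does not give it; the output format of netsh is assumed to be the standard one.

```powershell
# Added example, not part of the original post: list every process on this host
# that has registered URLs with HTTP.sys (IIS or not) and check for a hotfix.
# Run from an elevated PowerShell prompt on the server being checked.

function Get-HttpSysConsumer {
    # 'netsh http show servicestate view=requestq' prints one block per request
    # queue, with the attached PIDs and the URLs registered in its URL groups.
    $blocks = @()
    $mode   = $null
    foreach ($line in (netsh http show servicestate view=requestq)) {
        if ($line -match '^Request queue name:') {        # top-level line starts a new queue block
            $blocks += [pscustomobject]@{ Pids = @(); Urls = @() }
            $mode = $null
            continue
        }
        if ($blocks.Count -eq 0) { continue }               # header text before the first queue
        if ($line -match '^\s*Process IDs:\s*$')     { $mode = 'pid'; continue }
        if ($line -match '^\s*Registered URLs:\s*$') { $mode = 'url'; continue }
        if ($line -match '^\s*\S.*:\s*$')            { $mode = $null; continue }  # any other key ends the list
        if ($mode -eq 'pid' -and $line -match '^\s*(\d+)\s*$')      { $blocks[-1].Pids += [int]$Matches[1] }
        if ($mode -eq 'url' -and $line -match '^\s*(https?://\S+)') { $blocks[-1].Urls += $Matches[1] }
    }
    foreach ($b in $blocks) {
        # Resolve PIDs to image names: IIS shows up as w3wp, ADFS typically as
        # Microsoft.IdentityServer.ServiceHost, even when IIS is not installed.
        $names = foreach ($id in $b.Pids) {
            $p = Get-Process -Id $id -ErrorAction SilentlyContinue
            if ($p) { $p.ProcessName } else { "pid $id (exited)" }
        }
        [pscustomobject]@{ Processes = ($names -join ', '); Urls = ($b.Urls -join ', ') }
    }
}

function Test-HotfixInstalled {
    # Returns $true when the given KB article is present in the installed updates.
    param([Parameter(Mandatory)][string]$KbId)
    [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

Get-HttpSysConsumer | Format-Table -AutoSize
# Placeholder: use the KB article number of the MS15-034 update for this OS build.
Test-HotfixInstalled -KbId 'KB<MS15-034 update for this OS>'
```

Any host that lists URLs here depends on HTTP.sys and needs the update, regardless of whether IIS is present.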

Cheers,
Jorge

Posted in Active Directory Federation Services (ADFS), Updates

(2014-11-18) Vulnerability in ADFS Could Allow Information Disclosure (Important)

Posted by Jorge on 2014-11-18


This affects ALL ADFS versions! Make sure to patch all your ADFS servers.

More info: https://technet.microsoft.com/library/security/ms14-077

Cheers,
Jorge

Posted in Active Directory Federation Services (ADFS), Updates

(2013-10-17) A Hotfix Rollup Package (Build 4.1.3479.0) Is Available for Forefront Identity Manager 2010 R2

Posted by Jorge on 2013-10-17


Microsoft released a new hotfix for FIM 2010 R2 with build 4.1.3479.0. What it fixes is summarized in this blog post; for additional or detailed info see MS-KBQ2889529.

Issues that are fixed or features that are added in this update
FIM Service
Issue 1

When you have very long XPath queries in the FIM Service, CPU usage may increase. This causes a decrease in performance.

FIM Synchronization Service
Issue 1

The Synchronization Service may leak memory when you use an ECMA2 connector.

Issue 2

When an existing ECMA2 connector is updated after a server configuration has been moved between servers, the update is unsuccessful. This problem occurs when the connector requires access to encrypted parameters, such as a password, to complete the operation.

Issue 3

When an import is confirmed, a staging error may occur in rare cases. When this problem occurs, you receive the following error message:

Cannot insert duplicate key row in object ‘dbo.mms_cs_link’

Issue 4

If during a full import on the Active Directory management agent there is a reference on an organizational unit (OU) to an OU two levels down, the sync engine will crash.

Issue 5

When you select the option to abandon the key set in the Synchronization Service Key Management Utility, the operation may be unsuccessful. Additionally, you receive the following error message:

Value is not in the expected range

BHOLD Suite
Issue 1

The processing of BHOLD Queue entries takes a longer time than expected to finish after an earlier hotfix is applied.

Issue 2

You cannot add a permission for a user by using the BHOLD connector if the permission was ever denied for the user.

Issue 3

The removal of permissions from a personal role (prefixed with PR-) does not trigger the removal of those permissions from the user.

Cheers,
Jorge

Posted in Forefront Identity Manager (FIM) bHold, Forefront Identity Manager (FIM) Certificate Management, Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync, Updates

(2013-02-15) Update Rollup 3 For ADFS v2.0 Has Been Released

Posted by Jorge on 2013-02-15


Microsoft has released update rollup 3 for ADFS v2.0. This rollup contains both bug fixes and additional capabilities. Read all the details by clicking on the following link: Description of Update Rollup 3 for Active Directory Federation Services (AD FS) 2.0.

The Update Rollup 3 update is a cumulative update package that contains all the fixes and new features that were contained in Update Rollup 1 and 2.

Issue 1

AD FS 2.0 does not issue an ActAs token for a relying party who is using a Security Assertion Markup Language (SAML) 2.0 bootstrap token. When this issue occurs, the following error is generated:

System.IdentityModel.Tokens.SecurityTokenException: ID4154: A Saml2SecurityToken cannot be created from the Saml2Assertion because it contains a SubjectConfirmationData which specifies an InResponseTo value. Enforcement of this value is not supported by default. To customize SubjectConfirmationData processing, extend Saml2SecurityTokenHandler and override ValidateConfirmationData.

After you apply AD FS 2.0 update rollup 3, AD FS 2.0 successfully issues the token in this situation.

Issue 2

AD FS 2.0 update rollup 2 introduced strict Uniform Resource Identifier (URI) checking. When AD FS 2.0 acts as a federation provider and trusts an identity provider whose identifier is not a URI, the response that is returned from the identity provider is rejected by AD FS 2.0. The validation fails because AD FS 2.0 tries to validate the value of the identity provider’s identifier. This behavior breaks previously functioning AD FS 2.0 deployments in which identity providers use non-URI identifiers. AD FS 2.0 update rollup 3 removes this URI checking.

Issue 3

AD FS 2.0 acts as a federation provider and receives an invalid SAML 2.0 signed request (for example, the signature is not valid or the requestor is unknown). In this situation, AD FS 2.0 rejects the request only after it forwards the request to the downstream identity provider and receives a valid SAML response.
To ensure the validity of the requests that are sent to the downstream identity provider, the expected behavior is that AD FS 2.0 validates SAML requests first and rejects any request that has an invalid signature.

Issue 4

Relying parties require that signature certificates are applied to the relying party for SAML requests, because signature certificates provide an important security validation function and are defined in the SAML 2.0 specification. AD FS 2.0 allows unique signature certificates to be applied to a relying party trust. However, it only allows the same certificate to be applied to one relying party trust per AD FS 2.0 farm, which is a problem when multiple relying parties need to use the same signing certificate for SAML requests. AD FS 2.0 update rollup 3 removes this restriction.

UPDATE 2013-05-17: Post-update configuration for issue 4

Note however that simply applying the update rollup doesn’t allow you to implement multiple relying party trusts with the same certificate. After applying the update you have to update the configuration database. The steps differ depending on whether you use WID or SQL Server.

+++ Are you using WID? Then use the following steps! +++

The script “PostReleaseSchemaChanges.ps1” is located under the AD FS binaries directory “C:\Program Files\Active Directory Federation Services 2.0\SQL”.

Manually execute the script first on the secondary federation servers in the farm, and then on the primary federation server!

+++ Are you using SQL? Then use the following steps! +++

Download the SQL script “RelaxedRequestSigningCertsv2.sql” and execute it against the configuration database.

To execute this script, run the following command by using the Sqlcmd utility: Sqlcmd -S <ConnectionString for SQL> -i RelaxedRequestSigningCertsv2.sql

OR,

Use SQL Server Management Studio to execute the SQL Query. Connect to the SQL Server database that has the AD FS 2.0 configuration database. Create a new SQL query. Paste the contents of the RelaxedRequestSigningCertsv2.sql file into the query, and then execute the query.

After running the script, you can create RP trusts with the same signing certificate.

Issue 5

Consider the following scenario:

  • You use a third-party hardware security module (HSM) to speed up the signing processes.
  • You use the third-party HSM to generate and store the private keys.
  • The private keys are for the AD FS 2.0 signing and AD FS 2.0 encryption certificates.

In this situation, the performance of AD FS 2.0 is not as good as when you use the Microsoft CSP. AD FS 2.0 update rollup 3 significantly improves the performance of AD FS 2.0 when an HSM is used.

Issue 6

AD FS 2.0 update rollup 1 introduced the Congestion Avoidance Algorithm. If you accidentally disable the Congestion Avoidance Algorithm by changing the configuration, a handle leak occurs on an AD FS 2.0 federation server proxy every time that the federation server proxy processes a request. AD FS 2.0 update rollup 3 removes the setting that enables you to disable the Congestion Avoidance Algorithm through the configuration. You can fine-tune the Congestion Avoidance Algorithm by adjusting the latencyThresholdInMsec and minCongestionWindowSize settings.

Cheers,
Jorge

Posted in Active Directory Federation Services (ADFS), Updates

(2012-05-25) Update Rollup 2 For ADFS v2.0 Has Been Released

Posted by Jorge on 2012-05-25


Microsoft has released update rollup 2 for ADFS v2.0. This rollup contains both bug fixes and additional capabilities. Read all the details by clicking on the following link: Description of Update Rollup 2 for Active Directory Federation Services (AD FS) 2.0.

The Update Rollup 2 update is a cumulative update package that contains all the fixes and new features that were contained in Update Rollup 1.

In summary:

Cheers,
Jorge

Posted in Active Directory Federation Services (ADFS), Updates

(2011-10-24) Configuring The New Five Claim Types In ADFS After Installing Rollup Package 1 For ADFS v2.0

Posted by Jorge on 2011-10-24


As I mentioned in this blog post, Microsoft has released a rollup package 1 for ADFS v2.0 which introduces 5 new claim types. However, right after installing the rollup package, rebooting the servers (ADFS STS(s) and ADFS PRX(s), if applicable) and opening the ADFS v2.0 MMC you do not see the new claim types as you might expect. Below you see the result on my ADFS v2.0 STS box after installing the rollup package 1. And as you can see the 5 new claim types are not available.

REMARK: All the other claim types you do not recognize were created by me as custom claim types.


Figure 1: Claim Types (a.k.a. Claim Descriptions) In ADFS v2.0 (Default And Custom)

It turns out the new Claim Types are not created automatically. Therefore YOU must create them within ADFS v2.0.

For every new Claim Type you must specify the following information:

  • Display Name (mandatory)
  • Claim Identifier (mandatory)
  • Description (optional)
  • Selection of “Publish this claim description in federation metadata as a claim type that this Federation Service can accept” (optional)
  • Selection of “Publish this claim description in federation metadata as a claim type that this Federation Service can send” (optional)


Figure 2: Creating A New Claim Type/Description Within ADFS v2.0

In the end, the new Claim Types/Descriptions look as shown below:


Figure 3: Claim Types (a.k.a. Claim Descriptions) In ADFS v2.0 (Default And Custom) Now Including The New Claim Types/Descriptions

In a SharePoint 2010 web part that lists all the issued claims, you can see that the user passed through the ADFS Proxy and is therefore external to the company network. The value shows the NetBIOS name of the ADFS Proxy Server, and just by the presence of the claim you can make additional decisions, for example in the Issuance Authorization Rules.


Figure 4: Issued Claim Types Listed By A SharePoint 2010 WebPart – Showing The ID Passed Through An ADFS Proxy Server

Remember that the presence of this claim does not by itself mean the user is external, although it could be! An internal user connecting from outside the internal network also passes through the ADFS Proxy Server and therefore also gets this claim!
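As an added example (not from the original post), the following PowerShell creates the claim descriptions that the rollup does not create for you and then uses the proxy claim in an issuance authorization rule, as discussed above. The claim type URIs come from Microsoft's documentation for Update Rollup 1, not from this post, and the relying party trust name is made up.

```powershell
# Added example, not part of the original post. Requires the ADFS v2.0 PowerShell
# snap-in on a federation server; claim type URIs are from Microsoft's Update
# Rollup 1 documentation, the RP trust name is a made-up placeholder.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$ctx = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/'
$newClaimTypes = @(
    @{ Name = 'Forwarded Client IP';      ClaimType = "${ctx}x-ms-forwarded-client-ip" }
    @{ Name = 'Client Application';       ClaimType = "${ctx}x-ms-client-application" }
    @{ Name = 'Client User Agent';        ClaimType = "${ctx}x-ms-client-user-agent" }
    @{ Name = 'Proxy';                    ClaimType = "${ctx}x-ms-proxy" }
    @{ Name = 'Inside Corporate Network'; ClaimType = 'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork' }
)

foreach ($ct in $newClaimTypes) {
    # Skip descriptions that already exist so the script can be re-run safely.
    if (-not (Get-ADFSClaimDescription -ClaimType $ct.ClaimType)) {
        # -IsAccepted / -IsOffered correspond to the two "publish in federation
        # metadata" check boxes shown in the claim description dialog.
        Add-ADFSClaimDescription -Name $ct.Name -ClaimType $ct.ClaimType -IsAccepted $true -IsOffered $true
    }
}

# Issuance authorization rules for an intranet-only relying party: deny any
# request that passed through an ADFS Proxy (the x-ms-proxy claim is present and
# carries the proxy's NetBIOS name), permit everyone else. As the post notes,
# an internal user coming in through the proxy is treated as external as well.
$rules = @"
@RuleName = "Deny requests that passed through the ADFS Proxy"
exists([Type == "${ctx}x-ms-proxy"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

@RuleName = "Permit everyone else"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Placeholder trust name; a deny claim always wins over a permit claim in AD FS.
Set-ADFSRelyingPartyTrust -TargetName 'Intranet SharePoint 2010' -IssuanceAuthorizationRules $rules
```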

REMARK: also check out the following post “Limiting Access to Office 365 Services Based on the Location of the Client”.

Cheers,
Jorge

Posted in Active Directory Federation Services (ADFS), Claim Types, Updates

(2011-10-15) Update Rollup 1 For ADFS v2.0 Has Been Released

Posted by Jorge on 2011-10-15


Microsoft has released update rollup 1 for ADFS v2.0. This rollup contains both bug fixes and additional capabilities. Read all the details by clicking on the following link: Description of Update Rollup 1 for Active Directory Federation Services (AD FS) 2.0.

In summary:

Cheers,
Jorge

Posted in Active Directory Federation Services (ADFS), Updates
