Category Archives: ADFS 4.0

Renewing ADFS Token-signing and Token-decrypting certificates

07 Wednesday Jul 2021

Posted by in ADFS, ADFS 4.0

Leave a comment

Tags

While trying to access ADFS federation metadata or trying to access CRM Org (configured for Claims Based Authentication) will produce the following errors if ADFS Token-signing and Token-decryption certificates are expired.

As viewed from ADFS Management Console:

Errors recorded in the Event Viewer for the above expired certificates:

The thumbprint values in the Error Logs can also be viewed through PS Command as shown below:

To get access to federation metadata again perform the following steps:
  1. Update Token-Signing and Token-Decrypting certificate

Running the above will add a pair of under Token-Signing and Token-Decrypting certificates

Run the PS Command Set-AdfsProperties -AutoCertificateRollover $false and delete the secondary certificate from the ADFS Management console view.

Ensure that the certificate chain is installed correctly under Trusted Root Certification Authorities

After the renewing the Token-Signing and Token-Decrypting certificates the Federationmetadata endpoint should now be accessible.

A Comparison of Authentication and Authorization Frameworks

20 Thursday Feb 2020

Posted by in ADFS 4.0, ASP.NET Core, Dynamics 365, WebAPI

3 Comments

Tags

, ,

To provide Single Sign On (SSO) mechanism for users different authentication frameworks are in place viz., WS-Federation (WS-Fed), SAML, OAuth, Open ID and OpenID Connect.

WS-Fed and SAML (Security Assertion Mark-up Language) are still in use in corporate networks to allow users to connect to COTS (Commercial off the Shelf) products and bespoke applications. Federation (aka delegating authentication/authorization) is achieved using Active Directory Federation Services (ADFS) installed and configured on Windows Server OS.

The three essential components of federation are:

  • Sign-in protocol > What is the mechanism to access the application
  • Authentication protocol > How the user is verified
  • Token Type > Once the user validated what is returned back to the user after successful identification

In the article configuring Dynamics CRM platform for Claims Based Authentication was discussed. Let us look at capture of traffic in Fiddler to see what information gets passed on in Request and Response.

Request

Fiddler

As highlighted accessing https://crm.idynamics.dev/seis will route the request to https://adfs.idynamics.dev containing the following parameter(s)

wa=wsignin1.0 > Indicates ADFS service to invoke login

wtrealm=https%3a%2f%2fcrm.idynamics.dev%2f > Client application using ADFS service

wctx=rm%3d1%26id%3da33a2f6c-768e-48aa-9c3c-b594ef0f60b5%26ru%3d%252fseis%252fdefault.aspx%26crmorgid%3dfa61533b-ea52-ea11-83b5-0017fb000002 > Session data sent back

wct=2020-02-20T09%3a53%3a23Z > Time the application is accessed

wauth=urn%3afederation%3aauthentication%3awindows > Mode of Authentication

Response

Fiddler1

The response will confirm to SAML 1.1 as per specification and the following will be included as part of the “wresult” urn:oasis:names:tc:SAML:1.0:assertion

OAuth/Open ID/ OpenId Connect essentially use JWT (JSON Web Token).

JSON web token stores user information viz., id, permission set (aka claim rules) etc., in a compact format so information can be transmitted securely between client and server. The token will in the form of a string will be digitally signed using HMAC algorithm or RSA.
Available security algorithms are defined as constant string values in SecurityAlgorithms class of Microsoft.IdentityModel.Tokens namespace and in the sample project demonstrating Authentication using JWT we will be using HMAC algorithm.
JWT structure will consists of three parts [Header].[Payload].[Signature] represented as Base64-URL string
Header: A combination of token type + signing algorithm identified by claim set
typ (for token type) and alg (for signing algorithm) represented in JSON format this would look like the one below:

{
“alg”: “HS256”,
“typ:”JWT”
}
Payload: Consisting of claims about the user. A claim is represented as key/value pair combination. There are three types of claims Registered, Public and Private. The key part of the claim is limited to 3 characters
Registered: Predefined claims and can be viewed here

Public: Custom defined claims but need to be registered in public registry at

Private: Agreed custom claims between to applications.

Signature: Verifies that the message is not tampered during transmission.

Configuring Claims Based Authentication for Dynamics 9 on ADFS 4.0

04 Friday Oct 2019

Posted by in ADFS 4.0, Dynamics CE 9

1 Comment

Adding on-premise Dynamics 9 as a Relying-Party (RP) trust in ADFS 4.0 follows the same path as listed here but ADFS 4.0 has few changes to wizard options as detailed below:

CBA1

In the next step of the wizard make sure the metadata end point is accessible through IE, in the example below the URL is https://crm.idynamics.dev/FederationMetadata/2007-06/FederationMetadata.xml, give a display name and choose Next

CBA2

 

Access Control Policies defines the level of access that can be provided to RP

Untitled

Click Next after reviewing the following settings

Untitled1

The Relying Party (RP) will be added successfully the next step will the configuring Claims Issuance Policy (aka adding Claims Rules in ADFS 3.0 and below…)

Untitled2

Right click on RP and select Edit Claim Issuance Policy and add the claims rule set as indicated here

Untitled3

Once the RP has been successfully accessing the CRM organisation will display the following error because of certain defaults in ADFS 4.0

Untitled4

In the event viewer on ADFS server the above error will translate to a MSIS7102 error code of ADFS indicating an unsupported Authentication Method

Untitled5

In order to identify the Authentication Method  extract the redirection URL from CRM to ADFS and you will notice that Windows Integrated Authentication (WIA) is used as per wauth parameter, and this is not enabled in ADFS by default for Intranet scenarios

https://adfs.idynamics.dev/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fcrm.idynamics.dev%2f&wctx=rm%3d1%26id%3df589b041-3924-4d87-a8f1-96057169b19f%26ru%3d%252fAPIS%252fdefault.aspx%26crmorgid%3df3f230c0-ddc6-e911-837e-0017fb000002&wct=2019-09-04T11%3a03%3a41Z&wauth=urn%3afederation%3aauthentication%3awindows

Bring up the ADFS management console and edit Primary Authentication Methods to include Windows Authentication and restart ADFS

Untitled6

Untitled7

Issues and Limitations of Claim-based authentication when used with Dynamics CRM

20 Tuesday Oct 2015

Posted by in ADFS, ADFS 4.0, CRM2015, CRM2016, Dynamics 365, Dynamics CE 9

Leave a comment

The following are some of the limitations of accessing Dynamics CRM platform using Claims-based authentication

  • Dynamics CRM does not enforce strong password policy and this task is handled by AD.
  • ADFS federation server sessions are valid up to 8 hours for deactivated or deleted users. The ADFS server tokens allocated to a web single sign-on (SSO) have cookie expiration of 8 hours. Therefore even when a user is deactivated or deleted from authentication provider as long as the user session is still active the user can continue to be authenticated to access resources.
  • Certificates created using the CNG key template are incompatible with Microsoft Dynamics CRM.
  • CRMAppPool account used for Dynamics CRM website must have read permission to the private key or encryption certificate.

Work around option(s):

  1. Disable the user in Dynamics CRM and AD.
  2. Reduce the ADFS token life time. (Power Shell). In ADFS 4.0 on Server 2016 TokenLifetime is replaced with SsoLifeTime and default is set to 480

 New Picture