Federating the Enterprise:
Web Single Sign-On for On-Premise
Applications
Explorations in AD FS,
Shibboleth, SharePoint,
Exchange, and more.
J. Greg Mackinnon,
Whole-Systems Administrator
Enterprise Technology
Services
The University of Vermont
Overview:
• AD FS Deployment and Shibboleth Integration:
• Lessons from a year in production
• SharePoint 2013 Web SSO configuration
…with recommended dosages of beer and Tylenol.
• Exchange 2013 Web SSO configuration
…and plenty of second-guessing.
• Roadmap for other on-premises Web SSO projects
• Moral quandaries, ambiguity, and existential gridlock.
• Absolutely no stupid Star Trek references.*
*Actual presentation may contain Star Trek references
Which are you?
Terminology:
• Web SSO technologies
•
•
•
•
•
AD FS, Shibboleth, Web Application Proxy (WAP)
Identity Provider (IdP) / Claims Provider / Security Token Service (STS)
WS-Federation and SAML
Relying Party / Service Provider (RP/SP)
Claims / Assertions
• “Traditional” authentication technologies
• Kerberos, NTLM, NTLM2
• SharePoint:
• Web Application, Custom Claims Provider
• Exchange:
• OWA, ECP
• Virtual Directories
The Environment:
Color Key:
• Does not work as documented.
Hull Breach Imminent.
• Potential problems, take note.
Shields at 50%.
• Documentation is good.
We’re all good here, how are you?
AD FS – Microsoft’s Gift
• Credential Hygiene (SAML tokens instead of passwords)
• Achievable Multi-Factor Authentication
(Smart Card, Certificates, Third-Parties such as Duo)
• Interoperates with Shibboleth/InCommon
(and other SAML 2.0 IdPs)
• Enables Office 365 authentication against on-premise AD*
• WAP “Protocol Transitioning”
• Converts Windows web applications into to Web SSO applications
• Documented Support for SharePoint and Exchange **
• Support for many Server 2016 and Office 2016 products on
the roadmap.
• Easy Installation and Configuration***
AD FS – Microsoft’s Gift Horse
• Documentation? We Don’t Need No Stinking
Documentation!
• Claims transformation language for Shibboleth
Integration:
• Claims Transformation (ePPN to UPN) [LINK]
• Claims Augmentation (when you need AD-only user or
groups data)
• “Won’t you step into my parlor?” said the
spider to the fly…
• New challenges in tracing login problems though a
spider’s web of redirects. [Link]
AD FS Configuration Woes (updated):
• AD FS Installation
• Group Managed Service Accounts – DC container requirements
• Load Balancer monitoring – Loosely documented health monitoring options
• The truth about Web Application Proxies
• If you want to proxy anything, you must proxy everything. [LINK]
• Two-Farm Configuration may be required!
• Certificate Pains
• Friends don’t let friends use Signing and Encryption Certificate automatic
rollover.
• Service Communications Certificate – undocumented replacement quirks.
[Forward to SAML]
The Trouble with
SharePoint:
• Windows Integrated
Authentication Problems
• Poor Credential Hygiene
• DOMAIN\username or
username@domain.com
authentication requirements are
confusing to users.
• NTLMv2 not supported on
Mac/Linux clients
• NTLM is deprecated on or
removed from all platforms
• The only other alternative,
Kerberos, is not available for
Internet clients (YMMV)
First Challenge:
Convert SharePoint 2013 to Shibboleth Auth (part 1)
1. Configure a Relying Party trust in AD FS
a)
Note that the RP uses a WS-Federation endpoint
2. Export the AD FS Token Signing Certificate
a)
Take note of the expiration date. SharePoint will not auto-update from Federation
Metadata!
3. Import the Certificate into SharePoint using PowerShell
a)
If using self-signed certs, only one import is required.
4. Convert Windows apps to Claims Apps
5. Map incoming claims to SharePoint display names
6. Create a SharePoint “Identity Provider”
a) Specify ‘UPN’ as the Identifier Claim
b) Note… while your SAML token can contain SID data, SharePoint will not persist this data
internally (loss of SID as an identity anchor)
First Challenge:
Convert SharePoint 2013 to Shibboleth Auth (part 2)
6. Configure the Web Application to use the Identity
Provider
a) Set up a second “zone” for Claims Authentication with AD FS.
Configure an Alternate Access Mapping to your public
SharePoint URL.
b) Configure the “default” zone to use Claims with Integrated
Windows Authentication, and NTLM
7. Add a Custom Claims Provider to enable user and group
lookup in the People Picker (LDAPCP)
8. Migrate Windows users to external Identity Provider
users (PoSH) – Migrate-SPUsers.PS1, saved with this
presentation.
The New Badness:
[Back to
NTLM]
So what’s wrong with that?
• Complexity!
• Must maintain alternate access mapping for Windows Auth, with its own certificates.
(This is not as easy as it sounds. )
• Must maintain “Custom Claims Provider” (C#)
(Or your People Picker will break)
• Loss of SID data makes user renames difficult, account collisions possible.
• MS support for non-ADFS SAML Authentication is “Fringe”.
• May needed to set X-UA-Compatibility header SSO Portal [LINK]
• Challenging to diagnose and repair.
…but your users won’t care about any of that!
SharePoint Federation - Alternatives
• AD FS authentication only, without Shibboleth [LINK]
• Only decreases logon process complexity, Web App is just a messy.
• Loses ability to authenticate InCommon members.
• Does not adhere to “single logon portal” ideal.
• “Traditional” web application with Windows Authentication, placed
behind a WAP with Kerberos protocol transitioning. [LINK]
• Loses ability to authenticate non-domain users.
• Deprecated configuration
• What about Claims with Windows Auth behind a WAP? [LINK]
• Still loses ability to authenticate non-domain users, but supported!
• Easy to Implement? Just “follow the directions”.
The Trouble with Exchange
• MAPI/HTTP, OWA, ECP, ActiveSync, EWS, Outlook Anywhere
• Traditionally all support only “Windows Integrated Authentication”, Forms, or
Basic Authentication over SSL.
• ISO Assertion:
• “All web applications should use the institution’s Web Single Sign-On Service.”
• Registrar’s Assertion:
• Sign-On to the student portal (Luminis) needs to provide SSO access to
Exchange OWA.
Second Challenge: Exchange 2013 with Shibboleth
1.
2.
3.
4.
Upgrade Exchange to 2013 SP1
Create a Relying Party trust for OWA and ECP
• Note: It’s still WS-Federation
In a multiple-namespace environment, update the federation
endpoint and identifier values
Configure Claims Transformation Rules
a)
b)
5.
Configure ALL OWA and ECP Virtual Directories to use AD FS Auth
a)
b)
6.
Adjust UPN claim transformation rules to use UPN from any source. [LINK]
Remove groupSID claim from tokens issued to Exchange.
(No longer required in 2013 CU9+)
Disable Forms and Basic Auth. Yes, really.
IISReset ALL mailbox and CAS servers.
Disable EcpCafeLogon Health Checks
(To be removed “in a future release”*)
PS> Add-GlobalMonitoringOverride -Identity ecp\EacCtpProbe –ItemType
Probe -PropertyName Enabled -PropertyValue 0 –ApplyVersion "15.0.1200.0"
PS> Add-GlobalMonitoringOverride -Identity ecp\EacCtpMonitor -ItemType
Monitor -PropertyName Enabled -PropertyValue 0 –ApplyVersion "15.0.1200.0"
The New Badness:
So what’s the problem?
• Annoyances:
• Logon delays
• Logoff errors
• No support for Outlook
Anywhere, MAPI/HTTP*,
ActiveSync**
• Solutions:
• Go with the flow.
• Get friendly with your
Shibboleth Admin.
Future Challenges:
• New Integration Points:
• Microsoft Passport sign-on
• RDWeb and RDGateway Integration:
• Publishing of RDGateway now possible when using AD FS with a WAP
• VMware Horizon View:
• Provides “Identity Manager” as a SAML authenticator for View clients
• Allegedly integrates with AD FS or other SAML 2.0 IdP.
• Proxy authentication for “legacy” web applications
•
•
•
•
Element IT – HTTP Commander
Captaris – RightFax
EMC – ApplicationXtender
Kronos – Workforce Central
• Multifactor Authentication everywhere!
• Duo Security, Azure MFA, and the promise of U2F
So which was it?
AND THE
ADVENTURE
CONTINUES…
Follow up questions to:
mailto: jgm@uvm.edu
Twitter: @jgregmac
LinkedIn: j-greg-mackinnon
Facebook: j.greg.mackinnon
Ello: @jgreg
And more fun at: http://blog.uvm.edu/jgm
References:
• Surviving the Triangle – Shibboleth, AD FS, and Office 365 Pro Plus at UVM:
http://www.windows-hied.org/Pages/Conference2014/conf2014-Surviving-the-Triangle.aspx
• Microsoft Passport:
https://technet.microsoft.com/en-us/library/mt219734(v=vs.85).aspx
• Publishing Microsoft applications to the Web Application Proxy:
• Next-gen Web Application Proxy roadmap:
http://blogs.technet.com/b/applicationproxyblog/archive/2014/10/01/introducing-the-next-version-of-web-applicationproxy.aspx
• SharePoint 2013 (both Claims with IWA and legacy IWA), Exchange 2013, and RDGateway
https://technet.microsoft.com/en-us/library/dn765486.aspx
• AD FS / SharePoint Interop documents:
• Microsoft Guide to ADFS 2.0 / Shibboleth interop:
https://technet.microsoft.com/en-us/library/gg317734(v=ws.10).aspx
• InCommon Federation ADFS / Shibboleth interop:
https://wiki.shibboleth.net/confluence/display/SHIB2/MicrosoftInterop#MicrosoftInterop-ADFSv3(2012r2)
• Shibboleth Service Logout:
• https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceLogout
• https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSingleLogoutService
References (continued)
• AD FS Hardware Load Balancing:
•
•
Microsoft Blog documenting new health check features in ADFS/WAP update from August 2014:
http://blogs.technet.com/b/applicationproxyblog/archive/2014/10/17/hardware-load-balancer-health-checks-and-web-application-proxy-adfs-2012-r2.aspx
F5 DevCentral Article on configuring an F5 LTM to work with AD FS on 2012 R2, including external script-based health monitor:
https://devcentral.f5.com/articles/big-ip-and-adfs-part-5-working-with-adfs-30-and-sni
• Exchange 2013 with AD FS:
•
Official Documentation:
https://technet.microsoft.com/en-us/library/dn635116(v=exchg.150).aspx
• SharePoint 2013 with AD FS:
•
•
•
•
•
Official Microsoft Guidance:
http://technet.microsoft.com/en-us/library/hh305235(v=office.15).aspx
SharePoint 2010 integration with Shibboleth, replaced by AD FS-based turnkey solution for SharePoint 2013
(provided as example of the utility of ADFS for MS Apps… even ISVs are using ADFS to bridge to Shibboleth):
http://www.9starinc.com/activesharefs-turnkey-solution-shibboleth-saml-based-access-to-sharepoint
Blog: UVM’s SharePoint/ADFS/Shibboleth Integration – 2013 Edition
http://blog.uvm.edu/jgm/2014/03/18/sharepoint-2013-adfs-shibboleth-the-motion-picture/
Blog: UVM’s script for migrating Windows users to Claims users:
http://blog.uvm.edu/jgm/2014/04/23/migrating-windows-auth-users-to-claims-users-in-sharepoint/
General article on the X-UA-Compibility header, to be used in your non-ADFS logon portal:
https://msdn.microsoft.com/en-us/library/ff955275%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
Adventures in Redirection
Follow that Cookie!
[Back]
All or Nothing
Web Application Proxy:
[Back]
AD FS Without Shibboleth
SharePoint Authentication:
[Back]
IWA With Web App Proxy
SharePoint Authentication:
[Back]
Claims (in Windows Auth mode),
With Web App Proxy
SharePoint Authentication:
[Back]
Claims Transformations from Shibboleth:
ePPN to UPN conversion:
c:[Type == "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"]
=> issue(Type =
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Issuer =
c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType =
c.ValueType);
[Back]
Claims Transformations for Exchange 2013:
From:
c:[Type ==
"http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types =
("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"),
query = ";userPrincipalName;{0}", param = c. Value);
To:
To:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
=> issue(claim = c);
[Back]
X-UA-Compatibility:
On assigning values to the header:
Designating 'IE=edge' is the best practice because it ensures Internet Explorer
uses the latest engine. The most current Internet Explorer version includes the
latest security updates as well as feature support. The current version is also the
fastest version.
On how to implement the header:
The best practice is an X-UA-Compatible HTTP Header. Adding the directive to
the response header tells Internet Explorer what engine to use before parsing
content begins. This must be configured in the web site's server.
[Back]
Opening Question:
• Which are you?