ADFS, ISA, and Kerberos Constrained Delegation

Mon, Jun 8, 2009

Security, Technology

I have been working with my customer to design their Active Directory Federation Service (ADFS) to support federated single-sign-on access to their Enterprise Portal.  This solution will leverage Microsoft’s Internet Security and Acceleration (ISA) Server in the DMZ to publish the federation URL and proxy federation traffic to the ADFS Federation Server – Account (FS-A) servers in the intranet. 

Adding to the complexity, we will perform pre-authentication at the ISA level so that no unauthenticated request reaches the intranet, and ISA will then use the pre-authenticated user's identity to proxy the request to the FS-A servers via Kerberos Constrained Delegation (KCD).

Client access to the ADFS servers will come from two separate places: the Internet and the intranet. Clients connecting from the intranet will use Windows Integrated Security and pass their credentials directly to the ADFS server. Clients connecting from the Internet will be prompted for Smartcard or Basic authentication, and ISA will then use those credentials to proxy the request to the ADFS servers.

We followed the standard ADFS configuration guide but there were a couple of additional steps that needed to be completed in order to get everything working as planned:

Active Directory

In order to support Kerberos Constrained Delegation and the ADFS web farm we had to change the default ADFS Application Pool identity from Network Service to a dedicated service account (ex. federation.svc). This required the creation and configuration of a federation service account:

1. Create a federation service account (federation.svc).

2. Add SPN entry in the forest for federation.svc:

  • setspn.exe -a http/federation.domain.local domain\federation.svc

3. Verify SPN entry registered correctly:

  • setspn.exe -l domain\federation.svc

    Output should look like the following:

Registered ServicePrincipalNames for CN=federation.svc,CN=Users,DC=domain,DC=com: 
        http/federation.domain.com

4. (In DSA.msc) Locate the ISA Server computer object, open its properties, select the Delegation tab, click Trust this computer for delegation to specified services only, and enter domain\federation.svc. You should be able to see, and select, the http/federation.domain.com entry:

[Screenshot: kcd1 (Delegation tab of the ISA Server computer object)]
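Note that step 2 registers http/federation.domain.local while the setspn output and the Delegation tab show http/federation.domain.com; KCD only works when the SPN the ISA computer object is allowed to delegate to is exactly one that is registered on the service account. The following check is an added example, not part of the original post: it parses `setspn -l` output in the format shown above and reports any delegation target that is not registered, with the near misses on the account to speed up diagnosis. The setspn output and delegation list below are constructed sample values.

```python
"""SPN / KCD consistency check (added example, not from the original post).

Assumes the text of `setspn.exe -l domain\\federation.svc` and the list of SPNs
behind "Trust this computer for delegation to specified services only" on the
ISA computer object are pasted in as strings. Both samples are constructed.
"""
import re

# Constructed sample: what `setspn.exe -l domain\federation.svc` printed.
SETSPN_OUTPUT = """Registered ServicePrincipalNames for CN=federation.svc,CN=Users,DC=domain,DC=com:
        http/federation.domain.com
        HTTP/federation.domain.com:443
"""

# Constructed sample: SPNs the ISA computer object is trusted to delegate to.
ISA_DELEGATION_TARGETS = ["http/federation.domain.local"]


def normalise_spn(spn):
    """Lower-case the service class and host of an SPN (service/host[:port][/name]).
    SPN matching is case-insensitive, but a different host suffix or port is a
    different service, so those parts are kept verbatim."""
    m = re.fullmatch(r"([^/]+)/([^:/]+)(?::(\d+))?(?:/(.+))?", spn.strip())
    if not m:
        raise ValueError("not an SPN: %r" % spn)
    svc, host, port, name = m.groups()
    out = "%s/%s" % (svc.lower(), host.lower())
    if port:
        out += ":" + port
    if name:
        out += "/" + name
    return out


def parse_setspn_output(text):
    """Return the set of normalised SPNs listed by `setspn -l`."""
    spns = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Registered ServicePrincipalNames"):
            continue  # skip the header line and blank lines
        spns.add(normalise_spn(line))
    return spns


def check_kcd_targets(setspn_text, delegation_targets):
    """Return [(missing_spn, near_misses)] for every delegation target that is not
    registered on the account. Any entry means the KDC cannot issue ISA a ticket
    for that service and delegation to the FS-A farm will fail."""
    registered = parse_setspn_output(setspn_text)
    missing = []
    for target in delegation_targets:
        n = normalise_spn(target)
        if n not in registered:
            near = sorted(s for s in registered if s.split("/")[0] == n.split("/")[0])
            missing.append((n, near))
    return missing


if __name__ == "__main__":
    for spn, near in check_kcd_targets(SETSPN_OUTPUT, ISA_DELEGATION_TARGETS):
        print("delegation target %s is not registered; account has %s" % (spn, near))
```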

ADFS Servers

For redundancy and load balancing we will have the ADFS web farm servers available behind a hardware-based load balancer. I spent a considerable amount of time looking for ADFS documentation that outlined the rights that must be granted to the federation.svc account, but came up mostly empty.

1. Install the ADFS Federation Server components

2. Change the identity of the ADFSAppPool Application Pool to be domain\federation.svc

[Screenshot: ADFSAppPool identity settings]

3. Add the federation.svc account into the IIS_WPG local security group

4. Grant the following user rights in the Security Policy Management Console (secpol.msc):

  • Act as part of the operating system
  • Log on as a service
  • Generate Security Audit Events

5. Grant read/write folder permissions to domain\federation.svc for the following folders:

  • C:\ADFS
  • C:\WINDOWS\TEMP
  • C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727 (if 64-bit)
  • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727

ISA Server

The configuration on the ISA server was nothing special.  We chose to use a “horked” ISA configuration and added an additional IP address for the Federation URL.

Next we walked through the standard Web Publishing Rules Wizard.  For the web listener we chose to require Smartcard Authentication with Basic Authentication as a backup.

[Screenshot: SmartCard Auth (web listener authentication settings)]

For the multiple FS-A servers we created a web farm and entered each server's IP address. One other special configuration step was to select Kerberos constrained delegation on the Authentication Delegation tab and then enter the federation SPN (ex. http/federation.domain.local).

[Screenshot: ISA KCD Config (Authentication Delegation tab)]

DNS Configuration

Access from the intranet requires that our internal DNS servers point to the load balancer's Virtual IP address (VIP). So a new entry was added to the internal DNS zone that resolves the federation name for internal clients to the VIP on the load balancing device, which in turn passes the request to one of the ADFS servers.

Access from the Internet requires that external DNS resolution point to the IP address published on the ISA Server web listener configured in the ADFS publishing rule. So a new entry was added to the external DNS zone that resolves the federation name for external clients to the ISA listener IP address; ISA in turn passes the request to the VIP on the load balancing device, which finally passes the request to the ADFS servers.

Additional Details

Don’t forget that Certificate Revocation List (CRL) checking is performed on the ADFS servers. We use Tumbleweed’s product to redirect CRL checks to several OCSP repeaters. Also, I found problems in my test lab when the Trusted Root Certification Authorities store (certmgr.msc) held more than 150 certificates. I usually remove foreign certificates, which brings the list down to around 100; just be careful which certificates you remove.

Troubleshooting

For troubleshooting you should start with the ADFS Diagnostic Tool. Additionally, here is a list of URLs that can help with troubleshooting ADFS issues. You could also drop me a line and I will try to help out as well.

That’s about it.  Feel free to drop me a line if you have any questions.
