AD FS Password is in Clear Text

  • Question

  • Is there a way to encrypt the password in the ADFS login, or a third-party application that encrypts the payload in addition to the SSL?
    Thursday, May 11, 2017 2:16 AM

Answers

  • Well you shouldn't worry too much about it, for the reasons and comments mentioned in the thread :)

    You cannot change that behavior. TLS is the way to ensure the password is encrypted during the transportation.

    Note that it is the same concept for many other protocols on the internet. SAML and OAuth bearer tokens also transport things in an unencrypted fashion, since the standard mentions that the encryption is provided by the TLS layer.

    You should focus your time and money on a defense-in-depth approach and look at important things such as MFA for users, or even conditional access.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by Marver Avila Wednesday, June 14, 2017 12:22 AM
    Friday, June 9, 2017 2:04 PM
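Since the answer above rests entirely on TLS being the protection for the password in the form post, the practical check is to confirm the login page actually enforces it. The following is an added example, not code from the thread or from AD FS: a small audit of a login page response that flags a non-HTTPS page URL, a missing Strict-Transport-Security header, cookies without the Secure flag, and a password form whose action posts to a non-HTTPS URL. The hostname, headers and HTML below are constructed for the demonstration.

```python
"""Added example: audit a login page response for the transport protections
that a forms-based password post depends on. All sample data is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormFinder(HTMLParser):
    """Collect each form's action URL and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, headers, body):
    """Return a list of findings; an empty list means nothing was flagged.

    headers: dict of response header name -> value (Set-Cookie may be a list)
    body:    HTML of the login page
    """
    findings = []
    h = {k.lower(): v for k, v in headers.items()}

    # The password is only protected by the TLS channel, so the page must be HTTPS
    if urlparse(page_url).scheme != "https":
        findings.append("login page served over plain HTTP")

    # HSTS stops a browser from later submitting the form over plain HTTP
    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security header")

    # Cookies issued alongside the login must not be sent over HTTP
    cookies = h.get("set-cookie", [])
    if isinstance(cookies, str):
        cookies = [cookies]
    for cookie in cookies:
        attrs = [p.strip().lower() for p in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append("cookie without Secure flag: " + cookie.split("=")[0])

    # The form action, resolved against the page URL, must also be HTTPS
    parser = _FormFinder()
    parser.feed(body)
    for form in parser.forms:
        if not form["has_password"]:
            continue
        target = urljoin(page_url, form["action"])
        if urlparse(target).scheme != "https":
            findings.append("password form posts to non-HTTPS URL: " + target)
    if not any(f["has_password"] for f in parser.forms):
        findings.append("no password form found on page")
    return findings


# Constructed sample responses (hostname is a placeholder, not a real endpoint)
SAMPLE_URL = "https://adfs.example.invalid/adfs/ls/"
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Set-Cookie": ["session=abc; Path=/adfs; Secure; HttpOnly"],
}
GOOD_BODY = (
    '<form method="post" action="/adfs/ls/?SAMLRequest=x">'
    '<input type="text" name="UserName">'
    '<input type="password" name="Password"></form>'
)
BAD_HEADERS = {"Set-Cookie": ["session=abc; Path=/"]}
BAD_BODY = (
    '<form method="post" action="http://adfs.example.invalid/adfs/ls/">'
    '<input type="text" name="UserName">'
    '<input type="password" name="Password"></form>'
)

if __name__ == "__main__":
    print("good:", audit_login_page(SAMPLE_URL, GOOD_HEADERS, GOOD_BODY))
    print("bad:", audit_login_page(SAMPLE_URL, BAD_HEADERS, BAD_BODY))
```

Feed it the URL, headers and body of a real response (for example from `requests`) and treat any finding as a gap in the one layer that actually protects the submitted password; client-side encryption of the field, as the thread explains, does not replace that layer.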

All replies

  • This has been discussed in this thread: https://social.technet.microsoft.com/Forums/windowsserver/en-US/0859d7a4-7ae6-4129-acea-0963839bf622/credentials-are-passed-in-clear-text-hacked-credentials-using-burp-tool-suite?forum=ADFS

    Thursday, May 18, 2017 1:46 PM
  • Thanks, Pierre

    Is this compatible with Claims Based Authentication?

    Wednesday, June 7, 2017 6:23 AM
  • I am not sure what you mean by this. What part of the thread are you referring to?

    Wednesday, June 7, 2017 1:13 PM
  • Hi Pierre,

    In the thread

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/0859d7a4-7ae6-4129-acea-0963839bf622/credentials-are-passed-in-clear-text-hacked-credentials-using-burp-tool-suite?forum=ADFS

    you said that instead of using ADFS forms-based authentication we should use Windows Integrated Authentication, but can we do a custom login page to encrypt the password and still use ADFS forms-based?

    Thanks

    Thursday, June 8, 2017 8:09 AM
  • No we cannot. If you are concerned about the password being in clear-text (still in a TLS channel though... so that is more what the thread is arguing about), then do not use passwords (Azure MFA as a primary auth, or Windows Hello for Business) and/or use MFA to ensure that the password is not enough to log in.

    Thursday, June 8, 2017 1:01 PM
  • Yes, concerned with the password being clear text. What if I do a custom login to encrypt the password, is that an ideal solution?
    Friday, June 9, 2017 12:59 AM