ADFS WAP Preauthentication replay

  • Question

  • I'm attacking WAP/ADFS 4.0 on-premises.

    I have a Kerberos IIS web server on the inside and it is published through WAP. The setup is correct: I can authenticate on the IIS server with my logon account. The IIS server is published with WAP pre-authentication, and on WAP the option 'EnableSignOut' is enabled for the published application. When I log off, the EdgeAccessCookie is cleaned up and I need to log on again when I enter the URL. When I use a Chrome browser, I can use an add-on (called EditThisCookie) to steal the EdgeAccessCookie on the client computer and replay it after I have logged off. On the WAP published application the PersistentAccessCookieExpirationTimeSec is set very low, to 1 minute (60 seconds), for the tests.

    If I sign out of the web application in Chrome, the cookies are gone. When I quickly put the copied EdgeAccessCookie back (within 60 seconds), I can log in again (and the application works until the cookie expires, i.e. at most 60 seconds). I can log in with the re-used cookie because no session invalidation is done on the server side. So, that's normal.

    But when I use Charles or Fiddler and replay an action, I can always get to the IIS server, even if the EdgeAccessCookie has long expired. I can see in the IIS logs that I'm authenticating with my account and getting to the data. So when a MITM tool like Charles or Fiddler is used, the WAP server is not stopping me. I once used Microsoft TMG and did the same test, but after sign-out from TMG I could not get any further. Is this a bug in WAP/ADFS? I think so.

    • Moved by Dave Patrick (MVP), Monday, December 21, 2020 7:08 PM, looking for forum
    Monday, December 21, 2020 6:51 PM


  • I'd try asking for help over here.

    adfs - Microsoft Q&A
    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    • Proposed as answer by Guido Franzke, Tuesday, December 22, 2020 6:45 AM
    • Marked as answer by Dave Patrick (MVP), Wednesday, December 30, 2020 9:42 PM
    Monday, December 21, 2020 7:08 PM