ADFS 3.0 certificate based authentication, Authentication page just loads forever. ADFS+WAP

  • Question

  • Internally and externally ADFS shows CBA is enabled

    get-adfsglobalauthenticationpolicy
    
    PrimaryIntranetAuthenticationProvider : {FormsAuthentication, WindowsAuthentication, CertificateAuthentication}
    PrimaryExtranetAuthenticationProvider : {FormsAuthentication, CertificateAuthentication}


    - I have an ADFS server in the internal LAN and a WAP in the DMZ.
    - Ports are open, including 49443 in between ADFS<->WAP, as can be tested with a telnet connection.
    - Users are assigned client auth certificates with SubjectAltName: Other Name:Principal Name=name@externalDomain.com
    - Office 365 trusted relay setup (been working for years).
    - We have a federated domain in Azure and SSO is working for UN and PW.
    - CRLs are accessible from the ADFS server and the WAP server, from internal and external sources, via HTTP URLs.
    - Root cert is present on the ADFS server and the WAP server (no duplicates, no intermediate).

    When a user from the inside connects to portal.office.com, WIA just signs them in.

    When a user from outside connects to portal.office.com, a certificate popup prompts for CBA. The user selects a certificate (user auth cert with the right SAN) and the auth page loads forever.

    The WAP and ADFS server don't log any errors (or I don't know where to look).

    Using certutil on my cert from the inside on a domain-joined computer, or from the WAP, or from the ADFS server, I get the following valid responses.

    certutil -f -urlfetch -verify <certname.cer>
     ----------------  Certificate AIA  ----------------
     Wrong Issuer "Certificate (0)" Time: 0
       [0.0] ldap:///CN=servername,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domainName,DC=com?cACertificate?base?objectClass=certificationAuthority

     Verified "Certificate (1)" Time: 0
       [0.1] ldap:///CN=servername,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domainName,DC=com?cACertificate?base?objectClass=certificationAuthority

     Verified "Certificate (1)" Time: 0
       [1.0] http://servername.domainName.com/CertEnroll/servername.domainName.com_servername(2).crt

     ----------------  Certificate CDP  ----------------
     Verified "Base CRL (0bce)" Time: 0
       [0.0] ldap:///CN=servername(2),CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domainName,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

     Verified "Delta CRL (0bce)" Time: 0
       [0.0.0] ldap:///CN=servername(2),CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domainName,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

     Verified "Delta CRL (0bce)" Time: 0
       [0.0.1] http://servername.domainName.com/CertEnroll/servername(2)+.crl

     Verified "Delta CRL (0bce)" Time: 0
       [0.0.2] http://crl.externalDomain.com/crl/servername(2)+.crl

     Verified "Base CRL (0bce)" Time: 0
       [1.0] http://servername.domainName.com/CertEnroll/servername(2).crl

     Verified "Delta CRL (0bce)" Time: 0
       [1.0.0] ldap:///CN=servername(2),CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domainName,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

     Verified "Delta CRL (0bce)" Time: 0
       [1.0.1] http://servername.domainName.com/CertEnroll/servername(2)+.crl

     Verified "Delta CRL (0bce)" Time: 0
       [1.0.2] http://crl.externalDomain.com/crl/servername(2)+.crl

     Verified "Base CRL (0bce)" Time: 0
       [2.0] http://crl.externalDomain.com/crl/servername(2).crl

     Verified "Delta CRL (0bce)" Time: 0
       [2.0.0] ldap:///CN=servername(2),CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domainName,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

     Verified "Delta CRL (0bce)" Time: 0
       [2.0.1] http://servername.domainName.com/CertEnroll/servername(2)+.crl

     Verified "Delta CRL (0bce)" Time: 0
       [2.0.2] http://crl.externalDomain.com/crl/servername(2)+.crl

     ----------------  Base CRL CDP  ----------------
     OK "Delta CRL (0bcf)" Time: 0
       [0.0] ldap:///CN=servername(2),CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domainName,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

     OK "Delta CRL (0bcf)" Time: 0
       [1.0] http://servername.domainName.com/CertEnroll/servername(2)+.crl

     OK "Delta CRL (0bcf)" Time: 0
       [2.0] http://crl.externalDomain.com/crl/servername(2)+.crl

    I enabled the CAPI2 log on the ADFS server and the WAP server and found 4 events happen every time I attempt my CBA from an external network.

    No errors seem to be inside any of these. The certificate seems valid on the WAP and chaining seems valid. Details are hard to read though. The ADFS server doesn't show any entries in the CAPI2 log when external CBA is attempted.

    Client stuck here.

    Friday, January 19, 2018 2:43 PM

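As an added example, not part of the original post: a PowerShell pass over the checks listed above (port reachability per hop, the extranet authentication policy, and the CAPI2 events for the last attempt). The hostnames are placeholders for this environment, and the `TlsClientPort` property is assumed to be where ADFS 3.0 records its client-certificate port.

```powershell
# Added example (not from the original post). Hostnames are placeholders.
# Run on the WAP to test WAP -> ADFS, and on an external non-domain box to test client -> WAP.
$AdfsHost = 'adfs.domainName.com'      # assumption: internal federation service name
$WapHost  = 'sts.externalDomain.com'   # assumption: federation service name published by the WAP

# 443 carries forms/WIA sign-in; 49443 is the separate TLS endpoint that asks for the client cert.
# Every hop (client -> WAP, WAP -> ADFS) needs both, otherwise the browser gets the cert prompt
# and then the page spins waiting on a connection that never completes.
foreach ($target in @($AdfsHost, $WapHost)) {
    foreach ($port in 443, 49443) {
        $r = Test-NetConnection -ComputerName $target -Port $port -WarningAction SilentlyContinue
        '{0}:{1} TcpTestSucceeded={2}' -f $target, $port, $r.TcpTestSucceeded
    }
}

# On the ADFS server only: confirm CertificateAuthentication is in the extranet policy and
# read back the port ADFS uses for client-certificate TLS (assumed to be the TlsClientPort property).
if (Get-Command Get-AdfsGlobalAuthenticationPolicy -ErrorAction SilentlyContinue) {
    $pol = Get-AdfsGlobalAuthenticationPolicy
    'Extranet primary providers: {0}' -f ($pol.PrimaryExtranetAuthenticationProvider -join ', ')
    'Client-cert TLS port       : {0}' -f (Get-AdfsProperties).TlsClientPort
}

# Enable the CAPI2 operational log, then pull the Build Chain (11) and Verify Revocation (41)
# events from the last few minutes. 0x80092013 (CRYPT_E_REVOCATION_OFFLINE) shows up in the
# message text when the revocation check could not reach any CDP.
wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CAPI2/Operational'
    Id        = 11, 41
    StartTime = (Get-Date).AddMinutes(-15)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Run it once on the WAP and once from outside; the hop where `TcpTestSucceeded` is `False` on 49443 is the one to fix first, because CAPI2 entries only appear on a box that actually received the client certificate.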
All replies

  • Internally and externally, on a non-domain-joined client with a user certificate (and associated root) and the CAPI2 log enabled, I was able to get a cryptic error that confuses me greatly.

    The errors are:
    Event ID 11: Build Chain
    Event ID 41: Verify Revocation

    Result: The revocation function was unable to check revocation because the revocation server was offline: Value: 80092013

    I then checked my http://crl.externalDomain.com/crl/ and all my CRLs were listed and accessible from my client.
    I then checked certutil and found something very interesting...

    certutil -f -urlfetch -verify <certname.cer>

    See below: all the CDP locations are failed and in error, as they should be... BECAUSE the verify is referencing the wrong .crl file. Though to be fair, the file being referenced exists, but it is for a previous chain of the root.

    This following line: [1.0.2] http://crl.externalDomain.com/crl/servername.crl
    Should be like this: [1.0.2] http://crl.externalDomain.com/crl/servername(2).crl

    And

    This following line: [1.0.2] http://crl.externalDomain.com/crl/servername+.crl
    Should be like this: [1.0.2] http://crl.externalDomain.com/crl/servername(2)+.crl

     ----------------  Certificate AIA  ----------------
     No URLs "None" Time: 0
     ----------------  Certificate CDP  ----------------
     Failed "CDP" Time: 0
       Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55 ERROR_DEV_NOT_EXIST)
       ldap:///CN=servername,CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domainName,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
     Wrong Issuer "Base CRL (0bce)" Time: 0
       [1.0] http://servername.domainName.com/CertEnroll/servername.crl
     Failed "CDP" Time: 0
       Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55 ERROR_DEV_NOT_EXIST)
       [1.0.0] ldap:///CN=servername,CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domainName,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
     Wrong Issuer "Delta CRL (0bce)" Time: 0
       [1.0.1] http://servername.domainName.com/CertEnroll/servername+.crl
     Wrong Issuer "Delta CRL (0bce)" Time: 0
       [1.0.2] http://crl.externalDomain.com/crl/servername+.crl
     Wrong Issuer "Base CRL (0bce)" Time: 0
       [2.0] http://crl.externalDomain.com/crl/servername.crl
     Failed "CDP" Time: 0
       Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55 ERROR_DEV_NOT_EXIST)
       [2.0.0] ldap:///CN=servername,CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domainName,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
     Wrong Issuer "Delta CRL (0bce)" Time: 0
       [2.0.1] http://servername.domainName.com/CertEnroll/servername+.crl
     Wrong Issuer "Delta CRL (0bce)" Time: 0
       [2.0.2] http://crl.externalDomain.com/crl/servername+.crl


    If I view the certificate, it shows the right CRL file. When I verify it under certutil, it queries the wrong one. I have no idea how this is possible, whether this is the actual problem, or what I can do about it... o_O Anyone got any ideas?

    Friday, January 19, 2018 2:47 PM
  • Uploaded my previous root to Azure as a root cert, along with the original CRL, and tried again, and my clients' CAPI2 CRL errors went away. Also published a new certificate and it didn't have these CAPI2 errors.

    certutil still shows Wrong Issuer and my client still spins.

    Friday, January 19, 2018 4:28 PM
  • I think what is happening is that CBA isn't working on our internal ADFS server, as I can see CAPI2 checks on my cert when it comes from the client and as it HITS the WAP, but I never see those same checks on the ADFS server. (Never mind, see below.)

    I'm going to disable cert auth and re-enable it on our ADFS server to see if this helps...... NOPE.

    Internally, on a non-domain-joined computer connecting to portal.office.com, the browser prompts for UN and password (WIA) even though there is a valid client certificate on the machine. I will have to look into whether there is an order to the auth mechanisms. OK... Disabled Windows auth for intranet and the forms dialogue allows me to type UN and PW or select a certificate. Selecting a certificate signs me into portal.office.com with no issues. So CBA internally, straight from the ADFS server, is working. So it is still something on the WAP.....

    Try this configuration from an outside non-domain-joined device with the same certificate and I am allowed to choose a certificate from the browser, and then it spins forever. Grrr

    Does port 49443 need to be open from external client -> WAP and WAP -> ADFS server? I can see my WAP get and process my certificate in the CAPI2 logs...



    Friday, January 19, 2018 5:01 PM
  • Looking at the text you've provided, it looks like your problem is a visibility issue. Your external clients are unable to resolve LDAP AIA and CDP and will (eventually) flip to the HTTP endpoints once attempts to connect to LDAP URLs timeout.

    http://blog.auth360.net

    Monday, January 22, 2018 9:11 PM
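An added example illustrating the reply above, not code from the thread: it reads the CDP and AIA URLs out of the user certificate and tests each one the way an Internet client would. `ldap:///` entries are flagged rather than fetched (they are listed first, so an external client spends a timeout on each before reaching the HTTP ones); each `http://` entry is downloaded and, for CRLs, its Authority Key Identifier is compared with the certificate's, which is what distinguishes a CRL signed by the current CA key from one left behind by an earlier CA key (the case certutil reports as "Wrong Issuer"). `$CertPath` is a placeholder, and the `KeyID=` text parsing assumes the layout certutil -dump and X509Extension.Format produce on Windows.

```powershell
# Added example (not from the original thread). $CertPath is a placeholder for an exported user cert.
param([string]$CertPath = '.\user.cer')

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

function Get-KeyIdHex([string]$Text) {
    # Assumption: X509Extension.Format($true) and certutil -dump both render an AKI as "KeyID=ab cd ef ..."
    $m = [regex]::Match($Text, 'KeyID=([0-9a-fA-F ]+)')
    if ($m.Success) { ($m.Groups[1].Value -replace '\s', '').ToLower() } else { $null }
}

$oids    = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }
$certAki = $null
$urls    = foreach ($ext in $cert.Extensions) {
    if ($ext.Oid.Value -eq '2.5.29.35') {
        $certAki = Get-KeyIdHex $ext.Format($true)            # which CA key signed this cert
    } elseif ($oids.ContainsKey($ext.Oid.Value)) {
        # Format($true) renders the extension as text with one "URL=<uri>" per distribution point,
        # in the order CryptoAPI will try them.
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
            [pscustomobject]@{ Kind = $oids[$ext.Oid.Value]; Url = $m.Groups[1].Value }
        }
    }
}

'Subject : {0}' -f $cert.Subject
'Issuer  : {0}  (AKI {1})' -f $cert.Issuer, $certAki

$tmp = [System.IO.Path]::GetTempFileName()
foreach ($u in $urls) {
    '{0} {1}' -f $u.Kind, $u.Url
    if ($u.Url -like 'ldap:*') {
        '     -> ldap:/// is not reachable from the Internet; an external client only burns a timeout here'
        continue
    }
    try {
        Invoke-WebRequest -Uri $u.Url -OutFile $tmp -UseBasicParsing -TimeoutSec 10
        $dump    = & certutil.exe -dump $tmp | Out-String
        $next    = [regex]::Match($dump, 'NextUpdate:\s*(.+)').Groups[1].Value.Trim()
        $verdict = if ($u.Kind -eq 'AIA') {
            'issuer certificate fetched'
        } elseif ((Get-KeyIdHex $dump) -eq $certAki) {
            'CRL signed by the same CA key as the cert'
        } else {
            "CRL AKI $(Get-KeyIdHex $dump) differs from the cert's AKI: older CA key, certutil will report Wrong Issuer"
        }
        '     -> {0} bytes, {1}{2}' -f (Get-Item $tmp).Length, $verdict, $(if ($next) { ", NextUpdate $next" })
    } catch {
        '     -> FAILED: {0}' -f $_.Exception.Message
    }
}
Remove-Item $tmp -ErrorAction SilentlyContinue
```

Run it from a non-domain-joined machine outside the network. Every `ldap:///` line ahead of the first `http://` one is a delay the external browser pays before revocation checking can succeed, and a "differs from the cert's AKI" line means the HTTP path serves a CRL from a previous CA key, so even a reachable URL does not satisfy the check.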
  • Looking at the text you've provided, it looks like your problem is a visibility issue. Your external clients are unable to resolve LDAP AIA and CDP and will (eventually) flip to the HTTP endpoints once attempts to connect to LDAP URLs timeout.

    http://blog.auth360.net

    I also didn't have an external AIA; I added one and have been testing without success. Now I have external AIA and CDP locations, though they are not the first locations. Does that matter?


    Hunter Brelsford - MCTS

    Tuesday, January 23, 2018 3:49 PM
  • Opened port 49443 from external -> WAP and CBA for our iOS devices started working.... I haven't checked from a computer yet. Will update after testing tomorrow.

    Hunter Brelsford - MCTS

    Wednesday, January 24, 2018 10:26 PM
  • MMM, CBA still doesn't work from an external web browser, but it does work from the iPhone clients; I don't know the reason. The reason it wasn't working on my account, however, was because MFA doesn't work with the iPhone default mail app.

    In order to get the default mail app working with CBA and MFA, I had to generate a one-time app password for the account and type that in as the password when it prompted.

    I believe that CBA was working once I opened port 49443 from the outside world to the WAP, but I can't tell 100%, as I didn't have an iPhone to test with before that.

    Monday, January 29, 2018 2:50 PM