Internet Connectivity for ADFS

  • Question

  • Hello All,

    Can you please help me here. I have a customer who is not ready to provision internet access on his ADFS servers. We have an ADFS and the WAP servers set up. There is port 443 connectivity between the ADFS and the WAP server. For testing purposes, we had port 80 opened up for the list of O365 URLs and the setup was working perfectly. Port 80 access to the CRL is present.

    Now here lies the problem. The customer is adamant in asking why Microsoft did not put this information out publicly, that we do need port 80 access on the ADFS server for it to function.

    https://technet.microsoft.com/en-us/library/dn554247(v=ws.11).aspx#BKMK_7 

    Can anyone please direct me to the set of URLs / IPs I need to allow on port 80 so that I can get the setup going. If it's the O365 set of IPs and URLs, please let me know which one of them would suffice. The Federation metadata is something that's not getting updated, causing the issue. Any pointers here would be great!

    Thanks,

    D


    Regards, Dhanraj

    Sunday, September 25, 2016 10:09 AM

Answers

  • The online documentation is all about port requirements between the outside and the WAP/ADFS. And in that regard, you don't need port 80.

    I guess you refer to the Metadata Monitoring of your Azure AD relying party trust (for any other port requirement with Azure AD, please refer to this document: https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-ports/ which indeed mentions CRL access). It is not a requirement since metadata can be updated manually. The ADFS server tries to access the URL: https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadata.xml (this is the URL in my lab... built a long time ago, maybe yours is different, you can check from the GUI). So in my case I need to be able to check the certificate revocation status for the TLS cert of https://nexus.microsoftonline-p.com/ which is:

    [1]CRL Distribution Point
         Distribution Point Name:
              Full Name:
                   URL=http://mscrl.microsoft.com/pki/mscorp/crl/msitwww2.crl
                   URL=http://crl.microsoft.com/pki/mscorp/crl/msitwww2.crl
    
    

    But as well the AIA to check the issuer cert validity:

    [1]Authority Info Access
         Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
         Alternative Name:
              URL=http://www.microsoft.com/pki/mscorp/msitwww2.crt
    [2]Authority Info Access
         Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
         Alternative Name:
              URL=http://ocsp.msocsp.com
    

    But this certificate has been issued by another CA, so I also need to be able to access the other CRL and AIA of the chain, etc. The challenge is often: how can my ADFS even do that? Some ADFS servers don't even have external name resolution. One option is to opt for a WinHTTP proxy configuration. See there: https://msdn.microsoft.com/en-us/library/windows/desktop/aa384069(v=vs.85).aspx


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Proposed as answer by Todd Heron Wednesday, September 28, 2016 3:19 AM
    • Marked as answer by Dhanraj Kotian Thursday, October 13, 2016 8:32 AM
    Sunday, September 25, 2016 8:37 PM
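An added example (not from the thread or from Microsoft) that does by script what the answer above describes by hand: it pulls the TLS certificate of the metadata endpoint, walks the chain on the ADFS server, and lists every CRL Distribution Point and AIA/OCSP URL that the server would need to reach over port 80. The default metadata URL is the one quoted in the answer; replace it with the URL your relying party trust shows.

```powershell
# Added example: enumerate the port-80 (CRL / AIA / OCSP) URLs behind the
# federation metadata endpoint's TLS chain. Run it on the ADFS server itself,
# so name resolution and proxy behaviour match what ADFS actually sees.
param(
    # Assumption: same metadata URL as in the answer; yours may differ.
    [string]$MetadataUrl = 'https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadata.xml'
)

$uri = [Uri]$MetadataUrl
$tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, 443)
# Accept any server cert here: we only want to read the chain, not trust it.
$accept = { param($s, $c, $ch, $e) $true } -as [Net.Security.RemoteCertificateValidationCallback]
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient($uri.Host)
$leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
$ssl.Dispose(); $tcp.Dispose()

# Build the chain without revocation checking; if the issuer cert is not cached
# locally and AIA fetching is blocked, the chain stays partial, which is itself
# a sign that the AIA URL below needs port 80 access.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($leaf)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "Chain: $($_.StatusInformation.Trim())" }
}

$urls = foreach ($el in $chain.ChainElements) {
    $cert = $el.Certificate
    foreach ($ext in $cert.Extensions) {
        # 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access
        if ($ext.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
            # Format($true) yields the same "URL=http://..." lines certutil prints.
            foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(http://\S+)')) {
                [pscustomobject]@{ Subject = $cert.Subject; Extension = $ext.Oid.FriendlyName; Url = $m.Groups[1].Value }
            }
        }
    }
}
$urls | Sort-Object Url -Unique | Format-Table -AutoSize

# If egress is only possible through a proxy, CryptoAPI's CRL/AIA fetches follow
# the WinHTTP proxy the answer refers to (replace the placeholder host:port):
#   netsh winhttp set proxy proxy-server="PROXY_HOST:8080" bypass-list="<local>"
```

To confirm the listed URLs are reachable end to end, export the leaf certificate to a file and run `certutil -verify -urlfetch <file>.cer` on the ADFS server, which attempts every CRL, AIA and OCSP fetch and reports which ones fail.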

All replies

  • Any update?

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Sunday, October 2, 2016 4:06 PM