Certificate Authentication Popup not showing

  • Question

  • Hi all,

    I know the question has already been asked here but was not answered. We have the same problem: no popup is showing for cert-based auth.

    We have the normal setup for AzureAD:

    - AADCSrv with AzureAD Connect

    - ADFSSrv1,2,3 with ADFS-Farm on SQL (georedundancy)

    - ADFSSrv1 in DMZ with WAP installed

    It's all working except certificate-based auth. Ports 49443 and 443 are open. The server certificate is a public one and is present on all ADFS servers. The client certificate has the "Client Authentication" EKU.

    Any ideas on this?

    Regards

    Friday, July 7, 2017 5:57 AM

All replies

  • Can you share a Fiddler trace taken from the client?

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, July 7, 2017 9:26 PM
  • Hi,

    Sorry, but I don't have permission to upload that information. In addition, I checked all SSL settings, but I am not sure. We use a wildcard certificate, which is working for everything except certificate-based auth. Regarding the SSL config I am a little confused:

    Are those settings correct?

    SSL Certificate bindings:
    -------------------------

        Hostname:port                : adfs.domain.com:443
        Certificate Hash             : <hash>
        Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
        Certificate Store Name       : MY
        Verify Client Certificate Revocation : Enabled
        Verify Revocation Using Cached Client Certificate Only : Disabled
        Usage Check                  : Enabled
        Revocation Freshness Time    : 0
        URL Retrieval Timeout        : 0
        Ctl Identifier               : (null)
        Ctl Store Name               : AdfsTrustedDevices
        DS Mapper Usage              : Disabled
        Negotiate Client Certificate : Disabled
        Reject Connections           : Disabled

        Hostname:port                : localhost:443
        Certificate Hash             : <hash>
        Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
        Certificate Store Name       : MY
        Verify Client Certificate Revocation : Enabled
        Verify Revocation Using Cached Client Certificate Only : Disabled
        Usage Check                  : Enabled
        Revocation Freshness Time    : 0
        URL Retrieval Timeout        : 0
        Ctl Identifier               : (null)
        Ctl Store Name               : AdfsTrustedDevices
        DS Mapper Usage              : Disabled
        Negotiate Client Certificate : Disabled
        Reject Connections           : Disabled

        Hostname:port                : adfs.domain.com:49443
        Certificate Hash             : <hash>
        Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
        Certificate Store Name       : MY
        Verify Client Certificate Revocation : Enabled
        Verify Revocation Using Cached Client Certificate Only : Disabled
        Usage Check                  : Enabled
        Revocation Freshness Time    : 0
        URL Retrieval Timeout        : 0
        Ctl Identifier               : (null)
        Ctl Store Name               : AdfsTrustedDevices
        DS Mapper Usage              : Disabled
        Negotiate Client Certificate : Enabled
        Reject Connections           : Disabled

    Tuesday, July 11, 2017 9:21 AM
    I also checked the IE settings (intranet sites), the root and intermediate stores (also in the right places), the firewall settings and the gMSA (access to the private key). The ADFS settings are also default. I just installed AAD Connect on Server 2016 with a connection to a Server 2016 ADFS farm with SQL (AAG):

    PS C:\Windows\system32> Get-AdfsProperties | select *


    AcceptableIdentifiers                      : {}
    AddProxyAuthorizationRules                 : exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-32-544", Issuer =~ "^AD AUTHORITY$"]) => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
                                                 c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Issuer =~ "^AD AUTHORITY$" ] => issue(store="_ProxyCredentialStore",types=("http://schemas.microsoft.com/authorization/claims/permit"),query="isProxyTrustManagerSid({0})", param=c.Value );
                                                 c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/proxytrustid", Issuer =~ "^SELF AUTHORITY$" ] => issue(store="_ProxyCredentialStore",types=("http://schemas.microsoft.com/authorization/claims/permit"),query="isProxyTrustProvisioned({0})", param=c.Value );
    ArtifactDbConnection                       : Data Source=ADFSListener;Initial Catalog=AdfsArtifactStore;Integrated Security=True;Min Pool Size=20
    AuthenticationContextOrder                 : {urn:oasis:names:tc:SAML:2.0:ac:classes:Password, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient,
                                                 urn:oasis:names:tc:SAML:2.0:ac:classes:X509...}
    AuditLevel                                 : {Basic}
    AutoCertificateRollover                    : True
    CertificateCriticalThreshold               : 2
    CertificateDuration                        : 365
    CertificateGenerationThreshold             : 20
    CertificatePromotionThreshold              : 5
    CertificateRolloverInterval                : 720
    CertificateSharingContainer                : CN=b7dc4d0c-c662-41a2-a18c-d4a15011e879,CN=ADFS,CN=Microsoft,CN=Program Data,DC=domain,DC=com
    CertificateThresholdMultiplier             : 1440
    ClientCertRevocationCheck                  : None
    ContactPerson                              : Microsoft.IdentityServer.Management.Resources.ContactPerson
    DisplayName                                : <Company>
    IntranetUseLocalClaimsProvider             : False
    ExtendedProtectionTokenCheck               : Allow
    FederationPassiveAddress                   : /adfs/ls/
    HostName                                   : adfs.domain.com
    HttpPort                                   : 80
    HttpsPort                                  : 443
    TlsClientPort                              : 49443
    Identifier                                 : http://adfs.domain.com/adfs/services/trust
    IdTokenIssuer                              : https://adfs.domain.com/adfs
    InstalledLanguage                          : en-US
    LogLevel                                   : {Errors, FailureAudits, Information, Verbose...}
    MonitoringInterval                         : 1440
    NetTcpPort                                 : 1501
    NtlmOnlySupportedClientAtProxy             : True
    OrganizationInfo                           :
    PreventTokenReplays                        : True
    ProxyTrustTokenLifetime                    : 21600
    ReplayCacheExpirationInterval              : 60
    SignedSamlRequestsRequired                 : False
    SamlMessageDeliveryWindow                  : 5
    SignSamlAuthnRequests                      : False
    SsoLifetime                                : 480
    PersistentSsoLifetimeMins                  : 129600
    KmsiLifetimeMins                           : 1440
    PersistentSsoEnabled                       : True
    PersistentSsoCutoffTime                    : 1/1/0001 1:00:00 AM
    KmsiEnabled                                : False
    LoopDetectionEnabled                       : True
    LoopDetectionTimeIntervalInSeconds         : 20
    LoopDetectionMaximumTokensIssuedInInterval : 5
    PasswordValidationDelayInMinutes           : 60
    SendClientRequestIdAsQueryStringParameter  : False
    WIASupportedUserAgents                     : {MSAuthHost/1.0/In-Domain, MSIE 6.0, MSIE 7.0, MSIE 8.0...}
    BrowserSsoSupportedUserAgents              : {Windows NT 1, Windows Phone 1}
    ExtranetLockoutThreshold                   : 2147483647
    ExtranetLockoutEnabled                     : False
    ExtranetObservationWindow                  : 00:30:00
    GlobalRelyingPartyClaimsIssuancePolicy     : c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser"] => issue(claim = c);c:[Type ==
                                                 "http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier"] => issue(claim = c);
    ExtranetLockoutRequirePDC                  : True
    LocalAuthenticationTypesEnabled            : True
    RelayStateForIdpInitiatedSignOnEnabled     : False
    BrowserSsoEnabled                          : True
    DelegateServiceAdministration              :
    AllowSystemServiceAdministration           : False
    AllowLocalAdminsServiceAdministration      : True
    CurrentFarmBehavior                        : 3
    DeviceUsageWindowInDays                    : 14
    EnableIdpInitiatedSignonPage               : True
    IgnoreTokenBinding                         : False
    EnableOauthLogout                          : False


    • Edited by EliWallic Tuesday, July 11, 2017 10:45 AM
    Tuesday, July 11, 2017 9:29 AM
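The two listings above (the netsh bindings and Get-AdfsProperties) have to be read together: the port named in TlsClientPort is the one that must carry "Negotiate Client Certificate : Enabled", and the plain HTTPS port must not. The following script is an added example, not code from the thread or from Microsoft; it parses the netsh output and checks it against the AD FS properties on a farm member. It assumes an elevated Windows PowerShell session on an AD FS 2016 server with the ADFS module installed and takes every hostname and port from Get-AdfsProperties rather than hard-coding them.

```powershell
# Added example (not code from the thread): cross-check the AD FS 2016 configuration
# against the HTTP.SYS SSL bindings so that the port/host expected to perform
# certificate authentication is the one that actually negotiates a client certificate.
# Assumptions: elevated Windows PowerShell on a farm member with the ADFS module.
$props     = Get-AdfsProperties
$fsName    = $props.HostName        # federation service name, e.g. adfs.domain.com
$tlsPort   = $props.TlsClientPort   # 49443 by default
$httpsPort = $props.HttpsPort       # 443 by default

# Parse "netsh http show sslcert" into one object per binding.
function Get-HttpSysSslBinding {
    $bindings = @()
    $current  = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(Hostname|IP):port\s*:\s*(.+):(\d+)\s*$') {
            if ($current) { $bindings += $current }
            $current = [pscustomobject]@{
                Host = $Matches[2]; Port = [int]$Matches[3]
                Hash = $null; NegotiateClientCert = $null
            }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') {
            $current.Hash = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*Negotiate Client Certificate\s*:\s*(\w+)') {
            $current.NegotiateClientCert = ($Matches[1] -eq 'Enabled')
        }
    }
    if ($current) { $bindings += $current }
    return $bindings
}

$bindings = @(Get-HttpSysSslBinding)

# 1. Only the dedicated TLS client port should negotiate a client certificate on the
#    service name. If 443 also negotiates, every browser user gets a certificate prompt;
#    if the TLS client port does not, nobody does.
foreach ($b in $bindings | Where-Object { $_.Host -eq $fsName }) {
    $expected = ($b.Port -eq $tlsPort)
    $state = if ($b.NegotiateClientCert -eq $expected) { 'OK      ' } else { 'MISMATCH' }
    '{0} {1}:{2} NegotiateClientCert={3} (expected {4})' -f $state, $b.Host, $b.Port, $b.NegotiateClientCert, $expected
}

# 2. Alternate host name binding for client-cert auth on 443 (certauth.<service name>).
#    It only helps if HTTP.SYS negotiates a client certificate on that binding.
$certauth = $bindings | Where-Object { $_.Host -eq "certauth.$fsName" -and $_.Port -eq $httpsPort }
if (-not $certauth) {
    "no certauth.$fsName binding on $httpsPort; clients will be sent to port $tlsPort for certificate auth"
} elseif ($certauth.NegotiateClientCert) {
    "certauth.$fsName`:$httpsPort negotiates a client certificate (alternate binding active)"
} else {
    "certauth.$fsName`:$httpsPort exists but does not negotiate a client certificate (alternate binding not active)"
}

# 3. AD FS and HTTP.SYS must agree on the certificate; differing hashes usually mean
#    Set-AdfsSslCertificate was not applied on this member.
$adfsHashes = @((Get-AdfsSslCertificate).CertificateHash | Sort-Object -Unique)
$httpHashes = @(($bindings | Where-Object { $_.Host -like "*$fsName" }).Hash | Sort-Object -Unique)
if ($adfsHashes.Count -eq 1 -and $httpHashes.Count -eq 1 -and $adfsHashes[0] -eq $httpHashes[0]) {
    "SSL certificate hash consistent: $($adfsHashes[0])"
} else {
    "WARNING: AD FS hashes ($($adfsHashes -join ',')) differ from HTTP.SYS hashes ($($httpHashes -join ','))"
}
```

Run it on each farm member; the bindings are per server, so a member that was added later can differ from the primary even though Get-AdfsProperties is farm-wide.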
    You can edit the Fiddler trace to remove whatever you think might be sensitive (passwords, IPs, names, headers etc.).

    You can use the Developer Tools > Network view of IE or Edge to see if the query goes through.



    Thursday, July 13, 2017 12:53 PM
    I got a pending request and also no redirect to 49443. Since Server 2016 it should use 443 by default if the certificate and DNS settings are correct, right?

    

    Monday, July 17, 2017 1:58 PM
    If you've got the additional SAN set correctly, the DNS record registered, and have bound it via the PowerShell Set-AdfsAlternateTlsClientBinding cmdlet, you can use the alternate host name approach on 443.

    http://blog.auth360.net

    Monday, July 17, 2017 7:13 PM
  • Hi,

    we have a wildcard certificate, and maybe because of this we are getting the error: Set-AdfsAlternateTlsClientBinding : PS0319: Validation task 'Test-_InternalAdfsClientTlsCertificate' on AD FS server 'ADFS.FQDN.com' failed with error 'The specified SSL certificate with thumbprint 'masked' does not meet the requirements for configuring alternate Tls Client binding. For more information see http://go.microsoft.com/fwlink/?LinkId=613586.'.

    Our current certificate bindings:

    PS C:\> Get-AdfsSslCertificate

    HostName                      PortNumber CertificateHash
    --------                      ---------- ---------------
    adfs.public.domain                   443 a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
    localhost                            443 a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
    adfs.public.domain                 49443 a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
    certauth.adfs.public.domain          443 a94a8fe5ccb19ba61c4c0873d391e987982fbbd3


    PS C:\> netsh http show sslcert

    SSL Certificate bindings:
    -------------------------

        Hostname:port                : adfs.public.domain:443
        Certificate Hash             : a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
        Application ID               : {3a732e46-4b42-460d-9c74-6a0686d70922}
        Certificate Store Name       : MY
        Verify Client Certificate Revocation : Enabled
        Verify Revocation Using Cached Client Certificate Only : Disabled
        Usage Check                  : Enabled
        Revocation Freshness Time    : 0
        URL Retrieval Timeout        : 0
        Ctl Identifier               : (null)
        Ctl Store Name               : AdfsTrustedDevices
        DS Mapper Usage              : Disabled
        Negotiate Client Certificate : Disabled
        Reject Connections           : Disabled

        Hostname:port                : localhost:443
        Certificate Hash             : a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
        Application ID               : {3a732e46-4b42-460d-9c74-6a0686d70922}
        Certificate Store Name       : MY
        Verify Client Certificate Revocation : Enabled
        Verify Revocation Using Cached Client Certificate Only : Disabled
        Usage Check                  : Enabled
        Revocation Freshness Time    : 0
        URL Retrieval Timeout        : 0
        Ctl Identifier               : (null)
        Ctl Store Name               : AdfsTrustedDevices
        DS Mapper Usage              : Disabled
        Negotiate Client Certificate : Disabled
        Reject Connections           : Disabled

        Hostname:port                : adfs.public.domain:49443
        Certificate Hash             : a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
        Application ID               : {3a732e46-4b42-460d-9c74-6a0686d70922}
        Certificate Store Name       : MY
        Verify Client Certificate Revocation : Enabled
        Verify Revocation Using Cached Client Certificate Only : Disabled
        Usage Check                  : Enabled
        Revocation Freshness Time    : 0
        URL Retrieval Timeout        : 0
        Ctl Identifier               : (null)
        Ctl Store Name               : (null)
        DS Mapper Usage              : Disabled
        Negotiate Client Certificate : Enabled
        Reject Connections           : Disabled

        Hostname:port                : certauth.adfs.public.domain:443
        Certificate Hash             : a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
        Application ID               : {3a732e46-4b42-460d-9c74-6a0686d70922}
        Certificate Store Name       : MY
        Verify Client Certificate Revocation : Enabled
        Verify Revocation Using Cached Client Certificate Only : Disabled
        Usage Check                  : Enabled
        Revocation Freshness Time    : 0
        URL Retrieval Timeout        : 0
        Ctl Identifier               : (null)
        Ctl Store Name               : AdfsTrustedDevices
        DS Mapper Usage              : Disabled
        Negotiate Client Certificate : Disabled
        Reject Connections           : Disabled

    Tuesday, July 18, 2017 7:45 AM
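The PS0319 error above and the Set-AdfsAlternateTlsClientBinding advice two posts earlier come down to one check: the SSL certificate must be valid for certauth.<federation service name>, and a wildcard for *.domain.com cannot be, because a wildcard label matches exactly one DNS label and certauth.adfs.domain.com has two labels in front of domain.com. The script below is an added example, not code from the thread or from Microsoft; it extracts the CN and SAN names from the certificate bound to AD FS, applies that matching rule to both hostnames, and only then calls the cmdlet. It assumes the primary AD FS 2016 server, the thumbprint shown in the post (substitute your own), and that the member name AD FS expects is this server's DNS host name.

```powershell
# Added example (not code from the thread): verify that the AD FS SSL certificate
# covers certauth.<federation service name> before configuring the alternate TLS
# client binding; otherwise Set-AdfsAlternateTlsClientBinding fails with PS0319.
# Assumptions: primary AD FS 2016 server, elevated session; thumbprint copied from
# the post above (replace with yours); member name = this server's DNS host name.
$thumbprint = 'a94a8fe5ccb19ba61c4c0873d391e987982fbbd3'
$fsName     = (Get-AdfsProperties).HostName
$required   = "certauth.$fsName"
$member     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"

# Collect every DNS name the certificate is valid for: the subject CN plus all
# dNSName entries of the subjectAltName extension (OID 2.5.29.17).
$names = @()
$cn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' }) -replace '^CN='
if ($cn) { $names += $cn }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    # Multi-line Format() renders one "DNS Name=<value>" per line on Windows.
    $names += ($san.Format($true) -split "`r?`n" |
        Where-Object { $_ -match '^DNS Name=(.+)$' } |
        ForEach-Object { $Matches[1].Trim() })
}
$names = @($names | Sort-Object -Unique)

# Name matching as browsers and Schannel apply it: "*.domain.com" covers
# "adfs.domain.com" but never "certauth.adfs.domain.com" (the wildcard does not span a dot).
function Test-DnsNameMatch([string]$pattern, [string]$hostName) {
    if ($pattern -notlike '*.*') { return $false }                        # ignore single-label names
    if (-not $pattern.StartsWith('*.')) { return ($pattern -eq $hostName) }  # exact match, case-insensitive
    $suffix = $pattern.Substring(1)                                        # ".domain.com"
    if (-not $hostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    $label = $hostName.Substring(0, $hostName.Length - $suffix.Length)
    return ($label.Length -gt 0) -and ($label -notmatch '\.')
}

"Certificate names: $($names -join ', ')"
$covered = @{}
foreach ($h in @($fsName, $required)) {
    $match = $names | Where-Object { Test-DnsNameMatch $_ $h } | Select-Object -First 1
    $covered[$h] = [bool]$match
    if ($match) { "OK       $h is covered by '$match'" } else { "MISSING  $h is not covered by any name on the certificate" }
}

if (-not $covered[$required]) {
    "Reissue the certificate with a SAN entry for $required, run Set-AdfsSslCertificate, then:"
    "  Set-AdfsAlternateTlsClientBinding -Member $member -Thumbprint <new thumbprint>"
} else {
    # Binds certauth.<fsName>:443 for TLS client authentication on this farm member.
    Set-AdfsAlternateTlsClientBinding -Member $member -Thumbprint $thumbprint -Force
    Get-AdfsSslCertificate | Where-Object HostName -like 'certauth.*'
}
```

Note that a certauth binding can already be listed by Get-AdfsSslCertificate, as in the post above, while the certificate still does not cover that name; the SAN check, not the binding list, is what decides whether browsers will accept the endpoint. Until the SAN is fixed, certificate authentication can only work on the TlsClientPort (49443), which must then be reachable through the firewall and the WAP.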
  • Update:

    If I configure this with a gMSA it's not working. If I configure ADFS with a normal AD user, it is working.

    SPNs are correct on both (host/adfs.public.domain), and the gMSA has PrincipalsAllowedToRetrieveManagedPassword set to all farm members.

    Test-ADServiceAccount returns on all farm members $True

    We did a schema update before installing our first 2016 ADFS. AD level is 2012 R2.

    Regards


    • Edited by EliWallic Wednesday, July 19, 2017 1:29 PM
    Wednesday, July 19, 2017 1:28 PM
  • Hi Eli,

    I'll have to test this and come back to you. I've used wildcards with the WAP before and they haven't been an issue. However, the certauth reference in the SAN is a sub-domain that is not covered by a wildcard cert, unless your wildcard cert was to allude to *.adfs.domain.com in the SAN. Not sure if that is even possible now as cert vendors are locking down on this sort of thing.


    http://blog.auth360.net

    Wednesday, July 19, 2017 10:14 PM
  • Hi,

    Thanks a lot. Yes, we have a normal wildcard certificate for *.domain.com. I am wondering why everything is working fine except certificate-based auth. In addition, what is not clear to me is whether it's possible to have 3 AD sites: Site 1 with a 2012 R2 DC (where ADFS was installed first with the gMSA). After that, Sites 2 and 3 were installed with a 2008 R2 DC and ADFS 2016 (separate server), which are joined to the ADFS farm.

    Thursday, July 20, 2017 6:16 AM
    I have reinstalled everything with a normal AD user. It's working now except for the proxy.

    If I enable ADFS tracing I get:

    Exception: Exception of type 'Microsoft.IdentityServer.ProxyService.CertificateNotPresentedException' was thrown.
    StackTrace:    at Microsoft.IdentityServer.ProxyService.TlsClientRequestHandler.ProcessClientRequest(WrappedHttpListenerContext context)
       at Microsoft.IdentityServer.ProxyService.ProxyHttpListener.OnGetContext(WrappedHttpListenerContext context)

    and

    Client certificate is null, but a client cert is required for tlsclient authentication

    But internally it works.

    Any ideas on this?

    Regards

    Wednesday, July 26, 2017 9:37 AM
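The WAP trace above says the TLS handshake on the proxy ended without a client certificate. Whether that is because the proxy never asked for one (no negotiating binding on the published port), the browser filtered the certificate out (issuing CA not acceptable), or the port is simply not reachable from outside can be told apart from the client side. The script below is an added example, not code from the thread or from Microsoft: it performs a TLS handshake to each published endpoint with .NET's SslStream, offers no certificate, and records whether the server sent a CertificateRequest and which issuer CAs it named. It assumes Windows PowerShell 5.1 on the external client (the callback pattern described in the comments is Schannel/.NET Framework behaviour), uses the external service name from the thread, and deliberately skips server-certificate validation because this is a probe, not a trust decision.

```powershell
# Added example (not code from the thread): from an external client, record whether
# the server requests a client certificate during the TLS handshake on each
# published endpoint, and which issuer CAs it lists. No certificate is offered, so
# the WAP will log the same CertificateNotPresentedException as in the post above.
# Assumptions: Windows PowerShell 5.1 (Schannel); $fs is the external service name.
function Test-ClientCertRequest {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,   # also sent as SNI name
        [int]$Port = 443
    )
    $result = [pscustomobject]@{
        Endpoint            = "$HostName`:$Port"
        Connected           = $false
        ServerCertSubject   = $null
        ClientCertRequested = $false
        AcceptableIssuers   = @()
        Error               = $null
    }
    # [ref] holders so the delegate scriptblocks can write back into this scope.
    $requested = [ref]$false
    $issuers   = [ref]@()

    # Schannel invokes the selection callback once before any server data arrives
    # (remote certificate null) and again, with the server certificate present, only
    # after the server sent a CertificateRequest. The second call is the evidence.
    $selectCb = [System.Net.Security.LocalCertificateSelectionCallback]({
        param($sender, $targetHost, $localCerts, $remoteCert, $acceptableIssuers)
        if ($null -ne $remoteCert) {
            $requested.Value = $true
            if ($acceptableIssuers) { $issuers.Value = @($acceptableIssuers) }
        }
        return $null   # offer nothing; we only observe the request
    }.GetNewClosure())
    # Accept any server certificate: probe only, never reuse this in real clients.
    $validateCb = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $cert, $chain, $errors)
        $true
    })

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $result.Connected = $true
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validateCb, $selectCb)
        $noCerts = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
        $ssl.AuthenticateAsClient($HostName, $noCerts, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $result.ServerCertSubject   = $ssl.RemoteCertificate.Subject
        $result.ClientCertRequested = $requested.Value
        $result.AcceptableIssuers   = $issuers.Value
        $ssl.Dispose()
    }
    catch { $result.Error = $_.Exception.GetBaseException().Message }
    finally { $tcp.Dispose() }
    return $result
}

# Constructed endpoint list using the names from the thread. On a working deployment
# 49443, and certauth:443 if the alternate binding is active, report
# ClientCertRequested = True; plain 443 must report False (otherwise every user is
# prompted). Connected = False on 49443 from outside means the port is not published.
$fs = 'adfs.public.domain'
$endpoints = @(
    @{ Host = $fs;            Port = 49443 },
    @{ Host = "certauth.$fs"; Port = 443 },
    @{ Host = $fs;            Port = 443 }
)
$endpoints | ForEach-Object { Test-ClientCertRequest -HostName $_.Host -Port $_.Port } |
    Format-Table Endpoint, Connected, ClientCertRequested,
        @{ n = 'Issuers'; e = { $_.AcceptableIssuers -join '; ' } }, Error -AutoSize
```

Run it once against the WAP from the internet and once against a farm member from inside; a True on the inside and a False or connection error on the outside narrows the fault to the proxy publishing or the firewall rather than to the certificate chain. An empty issuer list does not by itself indicate a problem: Windows servers frequently do not send a CA name list, and the browser then offers any certificate with the Client Authentication EKU.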
    I could reproduce the problem in a completely new environment in Azure:

    VM1 - 2012R2 IIS for CRL

    VM2 - 2008R2 Offline CA

    VM3 - 2012R2 Intermediate CA 256bit

    VM4 - 2012R2 DC with domain & forest level 2008R2 & KDSRootKey for gMSA

    VM5 - 2016 ADFS installed with wildcard cert and ad user (no gMSA)

    VM6 - 2016 WAP in DMZ

    User cert with the default User template: cert-based auth against ADFS is working but not against WAP.

    The first install with a gMSA was not working (also not with auth against ADFS itself).

    Any ideas?

    Monday, July 31, 2017 2:00 PM
  • Can you make sure the cert of your issuing CA is on the Trusted Root Certificate store of the computer store of the WAP server?


    Tuesday, August 8, 2017 3:26 PM
  • Hi Pierre,

    Yes, it is on both and present only once, so no duplicates.

    Root in root store and intermediate in intermediate store.

    Wednesday, August 9, 2017 5:45 AM
    Hi, any updates on this? I could provide a Fiddler trace now from my Azure env with the same behavior.

    Regards

    Wednesday, August 30, 2017 8:05 AM