ADFS 4.0 user certificate authentication

  • Question

  • We have an ADFS 2016 environment with farm level 2016. We have about 60+ RPTs which are all working fine.

    Now we are trying to enable user certificate authentication for a new RPT and we’re having trouble setting this up. We tried to search the internet for a how-to and found one website (https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-user-certificate-authentication) with a dead link.

    Certificate authentication basically works when just enabling the Certificate Authentication method and disabling the other methods, but with that setting all our RPTs have certificate authentication. Further, we do not want the user to select the correct authentication method on the Home Realm Discovery page. So all RPTs have to use "Active Directory" and just one needs to use certificate authentication.

    What we tried is to create a new “Claims Provider Trust”, which is described poorly in https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-rule-to-send-an-authentication-method-claim, and with the PowerShell command we can pin this to the RPT (Set-AdfsRelyingPartyTrust -TargetName “SampApp” -ClaimsProviderName @(“Test”)). With this we skip the WIA/FBA authentication and would like to use user certificate authentication, and from here we have no information to continue.

    Is the CPT the right way to accomplish this, and is there somewhere a nice Microsoft article which describes how to set up certificate authentication this way? Or is there a nicer/easier way to accomplish this? The next step will be to validate the certificate and gather information like the CN with claims to pass it through.



    • Edited by Wimlem Thursday, December 7, 2017 1:08 PM
    Thursday, December 7, 2017 1:03 PM

All replies

  • Hi,

    As far as I know this is not possible out-of-the-box. I think creating a claims provider trust is not the way to go. You would need to set up another ADFS instance and it would complicate the overall design.

    However it is possible to realize this by:

    1) Enabling both certificate and standard/pwd authentication

    2) Creating custom web theme for the RP, editing logon page to hide pwd authentication / display certificate only

    3) Editing existing theme for all the other RPs, hide certificate authentication

    4) Always requiring authentication for the certificate authenticated RP

    5) Checking for authentication method when issuing tokens for certificate authenticated RP.

    As you can see it is not straightforward, and probably not suitable for a forum post. Maybe I'll write a wiki but I need more time.

     Martin

     

    • Marked as answer by Wimlem Monday, December 11, 2017 1:25 PM
    Friday, December 8, 2017 10:16 AM
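Martin's five steps, worked through as one PowerShell script for an AD FS 2016 farm node. This is an added example and is not part of Martin's post or of Microsoft's documentation. The relying party name 'Test', the theme names 'CertOnly' and 'PasswordOnly' and the folder C:\AdfsThemes are assumptions; the script expects one onload.js per theme to be in place already (the hide-password and hide-certificate scripts posted later in this thread) and does not write them.

```powershell
# Added example, not from the thread: Martin's five steps as one script for an
# AD FS 2016 farm node. Assumed names: relying party 'Test', themes 'CertOnly'
# and 'PasswordOnly', working folder C:\AdfsThemes holding one onload.js per theme.
Import-Module ADFS

$certRp    = 'Test'
$themeDir  = 'C:\AdfsThemes'
$certTheme = 'CertOnly'       # hides the forms login, leaves the certificate option
$pwdTheme  = 'PasswordOnly'   # hides the certificate option for every other RP

# 1) Offer both methods. Each themed sign-in page then hides the one it should not show.
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication', 'FormsAuthentication', 'CertificateAuthentication') `
    -PrimaryExtranetAuthenticationProvider @('FormsAuthentication', 'CertificateAuthentication')

# 2) and 3) One theme per behaviour, each with its own onload.js.
#    $themeDir\CertOnly\onload.js and $themeDir\PasswordOnly\onload.js must already exist.
foreach ($name in @($certTheme, $pwdTheme)) {
    if (-not (Get-AdfsWebTheme -Name $name -ErrorAction SilentlyContinue)) {
        New-AdfsWebTheme -Name $name -SourceName default
    }
    Set-AdfsWebTheme -TargetName $name -AdditionalFileResource @{
        Uri  = '/adfs/portal/script/onload.js'
        Path = Join-Path $themeDir "$name\onload.js"
    }
}
Set-AdfsRelyingPartyWebTheme -TargetRelyingPartyName $certRp -SourceWebThemeName $certTheme
Set-AdfsWebConfig -ActiveThemeName $pwdTheme   # default theme for all other RPs

# 4) No SSO reuse: a session obtained with a password at another RP must not carry over.
Set-AdfsRelyingPartyTrust -TargetName $certRp -AlwaysRequireAuthentication $true

# 5) Hiding a button is cosmetic; enforce the method server-side. Only a session whose
#    authentication method claim is X.509 gets a permit claim, everything else is denied.
#    An RP bound to an access control policy must have the policy removed before
#    custom issuance authorization rules are accepted.
$authzRules = @'
@RuleName = "Permit only certificate-authenticated users"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
   Value == "urn:oasis:names:tc:SAML:1.0:am:X509-PKI"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-AdfsRelyingPartyTrust -TargetName $certRp -AccessControlPolicyName $null
Set-AdfsRelyingPartyTrust -TargetName $certRp -IssuanceAuthorizationRules $authzRules

# The "gather the CN" part of the question: pass the certificate subject through as a claim.
$transformRules = @'
@RuleName = "Pass through certificate subject"
c:[Type == "http://schemas.microsoft.com/2012/12/certificatecontext/field/subject"]
 => issue(claim = c);
'@
Set-AdfsRelyingPartyTrust -TargetName $certRp -IssuanceTransformRules $transformRules

# Check the result on the RP: AlwaysRequireAuthentication must be True and both rule sets present.
Get-AdfsRelyingPartyTrust -Name $certRp |
    Select-Object Name, AlwaysRequireAuthentication, IssuanceAuthorizationRules, IssuanceTransformRules
```

The authorization rule in step 5 is the part that actually protects the RP: the onload.js edits only change what the browser shows, so a user who lands on the unthemed sign-in page (or edits the DOM) could still sign in with a password unless the token issuance itself checks the authentication method claim.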
  • Thank you for pointing me in the right direction.

    1. Done
    2/3. How to hide the pwd/certificate authentication?
    4. Done
    5. I can do that with access control policies, by checking the publisher for example, if I'm correct.

    So far I created a new page for the certificates. I still have 2 options to log in (pwd + certificate) and with access control policies, only certificate login works. I'm able to get information from the certificate and pass this through with the claims. I think, with step 2/3 solved, it should be working!

    Willem

    Friday, December 8, 2017 12:53 PM
  • Well you can play with following javascript, make sure you test in dev env first!

    if (typeof Login != 'undefined')
    {
        // hide login prompt (the forms-based username/password form)
        var loginPrompt = document.getElementById('loginForm');
        if (loginPrompt)
        {
            loginPrompt.style.display = 'none';
        }
        // hide login message
        var loginMessage = document.getElementById('loginMessage');
        if (loginMessage)
        {
            loginMessage.style.display = 'none';
        }

        // add illustration to certificate authentication, be sure to upload the smartcards.png file
        var loginCertificateAuthentication = document.getElementById('CertificateAuthentication');
        if (loginCertificateAuthentication)
        {
            loginCertificateAuthentication.innerHTML = loginCertificateAuthentication.innerHTML.replace('...', '...<br><br>');
            loginCertificateAuthentication.innerHTML += '<br><br><img src="/adfs/portal/images/smartcards.png" border="0" alt="Smart card login illustration">';
        }
    }

    For hiding certificate authentication you can use the following:

    if (typeof Login != 'undefined')
    {
        // remove certificate authentication from the sign-in page
        var loginCertificateAuthentication = document.getElementById('CertificateAuthentication');
        if (loginCertificateAuthentication)
        {
            loginCertificateAuthentication.style.display = 'none';
        }
    }

    onload.js modification is described in:

    https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/advanced-customization-of-ad-fs-sign-in-pages

    • Marked as answer by Wimlem Monday, December 11, 2017 1:25 PM
    Friday, December 8, 2017 1:47 PM
  • The next step in the process is to make certificate authentication available from external (Internet). Unfortunately, this throws an error on the client and ADFS server:

    Browser:

    An error occurred
    No valid client certificate found in the request. No valid certificates found in the user's certificate store. Please try again choosing a different authentication method.
    <form action="https://certauth.adfsserver.com/adfs/certauth/idpinitiatedsignon.aspx/?client-request-id=22c9591a-67d1-4fcb-6501-0080010000c5" id="options" method="post"><input id="optionSelection" name="AuthMethod" type="hidden" /> </form>
    • Activity ID: 22c9581a-67d1-4fbb-6501-0080010000c5
    • Relying party: Test
    • Error time: Thu, 14 Dec 2017 12:59:15 GMT
    • Cookie: enabled
    • User agent string: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; rv:11.0) like Gecko

    ADFS server:

    Exception details: 
    Microsoft.IdentityServer.NoValidCertificateException: MSIS7121: The request did not contain a valid client certificate that can be used for authentication. This occurs when there are no valid certificates on the client computer, for example if all certificates have expired or been revoked. 
    Error Code: 0x490 

    The CRL is available from the internet, so that should not be a problem. Do you have any idea?


    • Edited by Wimlem Thursday, December 14, 2017 2:07 PM
    Thursday, December 14, 2017 2:07 PM
  • Do you present a certificate when authenticating? Is the ADFS/WAP by any chance behind a load balancer/SSL offloader such as F5?

    Martin

    Friday, December 15, 2017 11:31 AM
  • Do you present a certificate when authenticating? Is the ADFS/WAP by any chance behind a load balancer/SSL offloader such as F5?

    Martin

    It is behind a NetScaler.
    Friday, December 15, 2017 11:58 AM
  • Hi,

    Most probably the NetScaler is stripping the required certificate. Not sure, but is it possible to do ProxySSL-like authentication with NetScaler as with F5? Or try to publish the Web Application Proxy without SSL offloading.

    I guess you would like to check the following Citrix guide:

    https://www.citrix.com/content/dam/citrix/en_us/documents/solution-brief/implementing-client-certification-authentication-for-adfs-proxy-on-netscaler.pdf

    Martin

    • Marked as answer by Wimlem Wednesday, December 20, 2017 8:31 AM
    Friday, December 15, 2017 12:02 PM
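An added check (not from the thread) for the failure Martin describes: the browser can only present a client certificate to whichever endpoint terminates TLS, so if the NetScaler terminates TLS in front of ADFS/WAP, the farm node's client-certificate bindings never see the handshake and ADFS logs MSIS7121 no matter what is in the user's certificate store. The script runs on a farm node and confirms that the node itself owns bindings with client-certificate negotiation enabled. It assumes the default alternate client-TLS hostname certauth.<federation service name> and English-language netsh output.

```powershell
# Added check, not from the thread: run on an AD FS 2016 farm node to confirm the node
# itself owns the TLS bindings that ask the browser for a client certificate. When a
# front end terminates TLS (the NetScaler in SSL-offload mode here), the client's
# handshake never reaches these bindings and AD FS logs MSIS7121 whatever the client has.
# Assumptions: default alternate hostname certauth.<service name>, English netsh output.
Import-Module ADFS

$adfs          = Get-AdfsProperties
$serviceName   = $adfs.HostName               # e.g. fs.adfsserver.com
$tlsClientPort = $adfs.TlsClientPort          # 49443 unless changed
$certAuthHost  = "certauth.$serviceName"      # alternate client-TLS hostname on 443

# Bindings as AD FS sees them.
Get-AdfsSslCertificate | Format-Table HostName, PortNumber, CertificateHash -AutoSize

# Bindings as HTTP.SYS sees them, parsed into objects (netsh prints one blank-line-separated
# block per binding, each line as "<key> : <value>").
function Get-HttpSysSslBinding {
    $text = netsh http show sslcert | Out-String
    foreach ($block in ($text -split '\r?\n\s*\r?\n')) {
        $fields = @{}
        foreach ($line in ($block -split '\r?\n')) {
            if ($line -match '^\s*(.+?)\s+:\s+(.*)$') { $fields[$matches[1]] = $matches[2].Trim() }
        }
        if ($fields.Count -gt 0) { [pscustomobject]$fields }
    }
}

# Keep only the bindings that should negotiate a client certificate: the certauth
# hostname on 443 and anything on the dedicated client-TLS port.
$clientTls = Get-HttpSysSslBinding | Where-Object {
    ($_.'Hostname:port' -like "${certAuthHost}:*") -or
    ($_.'Hostname:port' -like "*:$tlsClientPort") -or
    ($_.'IP:port'       -like "*:$tlsClientPort")
}

if (-not $clientTls) {
    Write-Warning "No client-TLS binding for $certAuthHost or port $tlsClientPort on this node."
}
foreach ($b in $clientTls) {
    $endpoint = if ($b.'Hostname:port') { $b.'Hostname:port' } else { $b.'IP:port' }
    $state    = if ($b.'Negotiate Client Certificate' -eq 'Enabled') { 'OK' } else { 'client certificate NOT requested' }
    '{0,-45} {1}' -f $endpoint, $state
}
```

If the node reports OK for both bindings and the browser still gets "No valid client certificate found", the certificate is being consumed or dropped between the browser and this node, which is exactly the SSL-offload situation; the fix is to make the front end pass TLS through to ADFS/WAP (SSL bridge) rather than terminate it.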
  • Hi,

    Most probably the NetScaler is stripping the required certificate. Not sure, but is it possible to do ProxySSL-like authentication with NetScaler as with F5? Or try to publish the Web Application Proxy without SSL offloading.

    I guess you would like to check the following Citrix guide:

    https://www.citrix.com/content/dam/citrix/en_us/documents/solution-brief/implementing-client-certification-authentication-for-adfs-proxy-on-netscaler.pdf

    Martin

    You are right again ;-)

    With an SSL bridge, it works fine. Thank you very much for your time and effort!

    • Marked as answer by Wimlem Wednesday, December 20, 2017 8:31 AM
    • Unmarked as answer by Wimlem Wednesday, December 20, 2017 8:31 AM
    Wednesday, December 20, 2017 8:31 AM
  • We went a step further with ADFS 4.0, client certificates and the NetScaler. Because of security requirements, we want the NetScaler to accept the certificate and pass it through to the ADFS servers. The document in this topic describes a Kerberos constrained delegation method, which we cannot get to work.

    Is there a way to let the NetScaler ask for the client certificate and pass it through to the ADFS server? Perhaps send the certificate in base64 form in a header or something like that. The ADFS server should validate it and then send the token back to the client.


    Friday, January 12, 2018 1:23 PM
  • Hi, unfortunately I don't think so. The constrained delegation is the correct way in this setup.

    Or you can set up your NetScaler as a web application proxy; see the following documents for more information:

    https://xenappblog.com/2016/netscaler-adfs-proxy/

    https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/guide-to-deploying-netscaler-as-an-active-directory-federation-services-proxy.pdf

    Unfortunately I don't have any practical experience with NetScaler/ADFS proxy installations.

    Martin

    Friday, January 12, 2018 1:36 PM
  • We ended up installing two WAP servers. KCD with the NetScaler in the DMZ was not an option, and the same goes for SSL bridging without WAP servers.

    With the script below, the client certificate works fine. However, if no certificate is available, the page stops with an error. Is it somehow possible to set the fallback to FBA, to log in manually if there is no certificate?

    There is an option which says "sign in with different options", but that asks for the certificate again.

    if (typeof Login != 'undefined')
    {
        // hide login prompt (the forms-based username/password form)
        var loginPrompt = document.getElementById('loginForm');
        if (loginPrompt)
        {
            loginPrompt.style.display = 'none';
        }
        // hide login message
        var loginMessage = document.getElementById('loginMessage');
        if (loginMessage)
        {
            loginMessage.style.display = 'none';
        }

        // add illustration to certificate authentication, be sure to upload the smartcards.png file
        var loginCertificateAuthentication = document.getElementById('CertificateAuthentication');
        if (loginCertificateAuthentication)
        {
            loginCertificateAuthentication.innerHTML = loginCertificateAuthentication.innerHTML.replace('...', '...<br><br>');
            loginCertificateAuthentication.innerHTML += '<br><br><img src="/adfs/portal/images/smartcards.png" border="0" alt="Smart card login illustration">';
        }
    }

    Is there a Microsoft KB article which describes all kinds of customizations to the onload.js and the options? For example, what options do we have with "loginPrompt.style.display='none';"?

    What we want: hitting the ADFS page for the RPT asks/pops up for certificate authentication. If no certificate is available, cancel the popup and use the "sign in with different options" option with the FBA option.



    • Edited by Wimlem Wednesday, February 7, 2018 1:06 PM
    Wednesday, February 7, 2018 1:02 PM