Agenda

• Understand AD FS 2.0 key concepts
• Understand AD FS 2.0 challenges and common issues
• Identify AD FS 2.0 troubleshooting tools, tips and tricks
Key Concepts

(Diagram: the issuer is an IP-STS, an Identity Provider (IP) combined with a Security Token Service (STS), which authenticates the user against Active Directory.)

• The user (subject / principal) requests a token for AppX from the issuer
• The issuer authenticates the user and issues a Security Token (ST) crafted for AppX
• The Security Token "authenticates" the user to the application
• AppX, the relying party (RP) / resource provider, trusts the Security Token from the issuer

The Security Token
• Contains claims about the user, for example:
  • Name
  • Group membership
  • User Principal Name (UPN)
  • Email address of user
  • Email address of manager
  • Phone number
  • Other attribute values
• Signed by the issuer
Working with Partners

(Diagram: your claims-aware app, your AD FS 2.0 STS, and the partner's AD FS 2.0 STS & IP, which authenticates against the partner's Active Directory. Trust relationships: the app trusts your STS; your STS trusts your partner's STS.)

Flow for a partner user:
1. Partner user browses the app; not authenticated
2. Redirect to your STS
3. Home realm discovery
4. Redirected to the partner STS, requesting an ST for the partner user
5. Partner STS authenticates the user and returns an ST for consumption by your STS
6. Redirected to your STS, which processes the token and returns a new ST
7. Token sent to the app
8. App returns cookies and page
X-path Query

• In Event Viewer, use Find… to locate an event of interest
• The correlation ID is shown as the ActivityID
• Create an XPath-form query on that ActivityID to select every related event
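The same selection the Event Viewer XPath-form query makes, done offline over exported event XML, as an added example (not code from the original slides). It builds the Event Viewer filter string for an ActivityID and pulls the matching events, oldest first, out of a saved log. The three events are constructed sample data: provider and channel names follow the Windows event XML schema, but the event IDs, ActivityIDs and messages are placeholders.

```python
# Added example (not from the original slides): filter exported Windows event
# XML by the Correlation ActivityID, the same selection the Event Viewer
# XPath-form query performs. The events below are constructed sample data;
# event IDs, ActivityIDs and messages are placeholders, not real captures.
import xml.etree.ElementTree as ET

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample: three events, two of them sharing one ActivityID.
SAMPLE_EVENTS_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="AD FS 2.0"/><EventID>1001</EventID>
  <TimeCreated SystemTime="2011-04-15T15:12:29Z"/>
  <Correlation ActivityID="{11111111-2222-3333-4444-555555555555}"/>
  <Channel>AD FS 2.0/Admin</Channel></System>
 <EventData><Data>Passive request received for site1.example.com</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="AD FS 2.0"/><EventID>1002</EventID>
  <TimeCreated SystemTime="2011-04-15T15:12:30Z"/>
  <Correlation ActivityID="{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"/>
  <Channel>AD FS 2.0/Admin</Channel></System>
 <EventData><Data>Unrelated request</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="AD FS 2.0"/><EventID>1003</EventID>
  <TimeCreated SystemTime="2011-04-15T15:12:31Z"/>
  <Correlation ActivityID="{11111111-2222-3333-4444-555555555555}"/>
  <Channel>AD FS 2.0/Admin</Channel></System>
 <EventData><Data>Token issued for site1.example.com</Data></EventData>
</Event>
</Events>"""


def xpath_for_activity(activity_id):
    """Event Viewer XPath-form filter selecting every event with this ActivityID."""
    guid = activity_id.strip("{}").lower()
    return "*[System[Correlation[@ActivityID='{%s}']]]" % guid


def events_for_activity(events_xml, activity_id):
    """Return the events sharing ActivityID, oldest first, as small dicts."""
    wanted = activity_id.strip("{}").lower()
    matches = []
    for ev in ET.fromstring(events_xml).iter(EVT_NS + "Event"):
        system = ev.find(EVT_NS + "System")
        corr = system.find(EVT_NS + "Correlation")
        if corr is None:
            continue  # events without correlation data cannot be tied to a request
        if corr.get("ActivityID", "").strip("{}").lower() != wanted:
            continue
        matches.append({
            "time": system.find(EVT_NS + "TimeCreated").get("SystemTime"),
            "event_id": int(system.findtext(EVT_NS + "EventID")),
            "provider": system.find(EVT_NS + "Provider").get("Name"),
            "message": " ".join(d.text or "" for d in ev.iter(EVT_NS + "Data")),
        })
    # ISO-8601 UTC timestamps sort correctly as strings
    return sorted(matches, key=lambda e: e["time"])


if __name__ == "__main__":
    activity = "{11111111-2222-3333-4444-555555555555}"
    print(xpath_for_activity(activity))
    for e in events_for_activity(SAMPLE_EVENTS_XML, activity):
        print(e["time"], e["event_id"], e["message"])
```

Paste the string from `xpath_for_activity` into the XML tab of Filter Current Log to get the same trail inside Event Viewer; the offline version is handy when a customer sends you a saved `.xml` export rather than access to the server.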
Seeing it All – Fiddler is a great tool

Fiddler as a Man in the Middle
• Fiddler can intercept HTTPS traffic
• Creates a certificate that represents the destination website
• The browser will display the certificate as invalid unless it is added to the certificate store
• If you add it to the store, make sure you remove it after testing
Man-In-The-Middle Attack Prevention

• Depending on the client and server versions, Channel Binding Token (CBT) checking will be enforced to prevent man-in-the-middle attacks, and authentication through the interception proxy will fail
• For Fiddler SSL interception, temporarily disable CBT on the AD FS server
  • Configured through the Configuration Editor for Default Web Site\adfs\ls, or via a script:

    appcmd.exe set config "Default Web Site/ADFS/ls" -section:system.webServer/security/authentication/windowsAuthentication /extendedProtection.tokenChecking:"None" /extendedProtection.flags:"Proxy" /commit:apphost
First redirect to STS

Decoded redirect URL (%2f decodes to /):

    https://adfs.example.com/adfs/ls/?
      wa=wsignin1.0&
      wtrealm=https://site1.example.com/Federation/&
      wctx=rm=0&id=passive&ru=%2fFederation%2f&
      wct=2011-04-15T15:12:28Z
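Decoding that redirect by hand is the first step of most passive-federation troubleshooting, so here is the decode done in code, as an added example (not code from the original slides). `CAPTURED_REDIRECT` is constructed so that one round of percent-decoding yields the slide's decoded URL; the nested decode of `wctx` (which this app uses to carry its own `rm`, `id` and `ru` parameters) and the clock-skew tolerance in `check_redirect` are assumptions added here, not statements from the slides.

```python
# Added example (not from the original slides): decode a WS-Federation passive
# sign-in redirect like the one shown above and sanity-check its parameters.
# CAPTURED_REDIRECT is constructed to match the slide's decoded URL once the
# percent-encoding is removed; the realm and timestamp are the slide's values.
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qsl

CAPTURED_REDIRECT = (
    "https://adfs.example.com/adfs/ls/?"
    "wa=wsignin1.0&"
    "wtrealm=https%3a%2f%2fsite1.example.com%2fFederation%2f&"
    "wctx=rm%3d0%26id%3dpassive%26ru%3d%252fFederation%252f&"
    "wct=2011-04-15T15%3a12%3a28Z"
)


def parse_wct(value):
    """wct is an xsd:dateTime in UTC (trailing 'Z'); return an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def decode_wsfed_redirect(url):
    """Split the redirect into its WS-Federation parameters.

    wctx is opaque to the STS and must come back unchanged, but this app
    packs its own query string (rm, id, ru) inside it, so it is decoded again.
    """
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    wctx_raw = params.get("wctx", "")
    return {
        "endpoint": f"{parts.scheme}://{parts.netloc}{parts.path}",
        "wa": params.get("wa"),
        "wtrealm": params.get("wtrealm"),
        "wctx_raw": wctx_raw,
        "wctx": dict(parse_qsl(wctx_raw, keep_blank_values=True)),
        "wct": parse_wct(params["wct"]) if "wct" in params else None,
    }


def check_redirect(decoded, now_utc, max_skew=timedelta(minutes=5)):
    """Return a list of findings; an empty list means the redirect looks sane.

    now_utc is an ISO timestamp string so a capture can be checked against the
    time it was taken rather than the current clock. The 5-minute skew is an
    assumed tolerance, not a value from the slides.
    """
    findings = []
    if decoded["wa"] != "wsignin1.0":
        findings.append(f"unexpected wa action: {decoded['wa']!r}")
    if not (decoded["wtrealm"] or "").startswith("https://"):
        findings.append("wtrealm should be the RP's https realm identifier")
    if decoded["wct"] is None:
        findings.append("wct missing: cannot judge request freshness")
    elif abs(parse_wct(now_utc) - decoded["wct"]) > max_skew:
        findings.append("wct is outside the accepted clock skew: check client/server clocks")
    return findings


if __name__ == "__main__":
    d = decode_wsfed_redirect(CAPTURED_REDIRECT)
    for key, value in d.items():
        print(f"{key:10} {value}")
    print("findings:", check_redirect(d, "2011-04-15T15:13:00Z"))
```

The `wctx` value comes back from the STS in the POST form later, so keeping `wctx_raw` verbatim lets you compare the two captures byte for byte; a mismatch there, or a `wct` far from the capture time, is worth chasing before digging into the token itself.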
The SAML token is transported in a web page

• Hidden form with POST method
• POST back URL defined via the RP configuration in AD FS
• SAML token: begins / ends with saml:Assertion and contains
  • SAML claims
  • Signature
  • X.509 certificate of the signing party (includes the public key)
• wctx=rm=0&id=passive&ru=%2fFederation%2f – unchanged since the initial request
• Submit button
• JavaScript to automatically POST the page
• The SAML data is always signed; it can be encrypted if required
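To make the layout above concrete, here is a parser that takes the auto-POST page apart the way you would when reading it in Fiddler, as an added example (not code from the original slides). `WRESULT_XML` and `AUTOPOST_HTML` are constructed samples: the assertion is SAML 1.1 (AD FS 2.0's default for WS-Federation, an assumption for this sample), and the signature value and certificate are placeholders. The code locates the assertion, lists the claims, confirms a signature and signing certificate are present, and checks that `wctx` came back unchanged.

```python
# Added example (not from the original slides): pull the WS-Federation
# auto-POST form apart the way you would when reading a Fiddler capture.
# AUTOPOST_HTML and WRESULT_XML are constructed samples; the signature value
# and the certificate are placeholders, not a real token.
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

SAML1 = "{urn:oasis:names:tc:SAML:1.0:assertion}"
SAML2 = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DSIG = "{http://www.w3.org/2000/09/xmldsig#}"

WRESULT_XML = """<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<t:RequestedSecurityToken>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
 AssertionID="_constructed-id" Issuer="http://adfs.example.com/adfs/services/trust" IssueInstant="2011-04-15T15:12:30Z">
<saml:Conditions NotBefore="2011-04-15T15:12:30Z" NotOnOrAfter="2011-04-15T16:12:30Z">
<saml:AudienceRestrictionCondition><saml:Audience>https://site1.example.com/Federation/</saml:Audience></saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject><saml:NameIdentifier>alice@example.com</saml:NameIdentifier></saml:Subject>
<saml:Attribute AttributeName="upn" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims">
<saml:AttributeValue>Domain Users</saml:AttributeValue><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC-PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
</ds:Signature>
</saml:Assertion>
</t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""

WCTX = "rm=0&id=passive&ru=%2fFederation%2f"

# The page AD FS returns: hidden fields, a submit button for browsers without
# script, and a script that posts the form to the RP automatically.
AUTOPOST_HTML = f"""<html><body onload="document.forms[0].submit()">
<form method="POST" action="https://site1.example.com/Federation/">
<input type="hidden" name="wa" value="wsignin1.0"/>
<input type="hidden" name="wresult" value="{html.escape(WRESULT_XML, quote=True)}"/>
<input type="hidden" name="wctx" value="{html.escape(WCTX, quote=True)}"/>
<noscript><input type="submit" value="Submit"/></noscript>
</form></body></html>"""


class _FormReader(HTMLParser):
    """Collect the POST target and the hidden fields of the first form."""
    def __init__(self):
        super().__init__()
        self.action, self.fields = None, {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser has already unescaped the attribute values
        if tag == "form" and self.action is None:
            self.action = a.get("action")
        elif tag == "input" and a.get("type") == "hidden":
            self.fields[a.get("name")] = a.get("value", "")


def parse_autopost_form(page):
    reader = _FormReader()
    reader.feed(page)
    return {"action": reader.action, "fields": reader.fields}


def inspect_wresult(wresult):
    """Summarise the assertion inside wresult: issuer, audience, claims, signature."""
    root = ET.fromstring(wresult)
    assertion = next(el for el in root.iter() if el.tag in (SAML1 + "Assertion", SAML2 + "Assertion"))
    ns = SAML1 if assertion.tag.startswith(SAML1) else SAML2
    claims = {}
    for attr in assertion.iter(ns + "Attribute"):
        # SAML 1.1 splits the claim type into namespace + name; SAML 2.0 uses Name.
        name = attr.get("Name") or f"{attr.get('AttributeNamespace')}/{attr.get('AttributeName')}"
        claims[name] = [v.text for v in attr.iter(ns + "AttributeValue")]
    sig = assertion.find(DSIG + "Signature")
    return {
        "issuer": assertion.get("Issuer") or assertion.findtext(ns + "Issuer"),
        "audience": assertion.findtext(".//" + ns + "Audience"),
        "not_on_or_after": assertion.find(".//" + ns + "Conditions").get("NotOnOrAfter"),
        "claims": claims,
        "signed": sig is not None,
        # Certificate the RP must already trust; the RP verifies the signature against it.
        "signing_cert": None if sig is None else sig.findtext(".//" + DSIG + "X509Certificate"),
    }


def wctx_unchanged(fields, initial_wctx):
    """wctx must come back byte-for-byte as it was sent in the first redirect."""
    return fields.get("wctx") == initial_wctx
```

This only reports what the token contains; it does not verify the XML signature, which needs canonicalisation and the RP's trusted certificate. Comparing the `Audience`, `NotOnOrAfter` and the certificate against what the RP expects is usually enough to explain a token the application rejects.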
AD FS Cookies

After authentication with AD FS:
• MSISSelectionPersistent: identifies the authenticating IP-STS
• MSISAuth…: authenticated session cookies
• MSISSignOut: keeps track of all RPs to which the session has authenticated
• MSISLoopDetectionCookie: prevents multiple authentication requests due to a configuration error
  • Time-out default: 6 requests for authentication to the same RP within a short space of time
Web App Cookies

• Multiple FedAuth cookies
• Allow the browser session to remain authenticated to the web application
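When reading a capture it helps to sort the cookies into the AD FS session cookies listed above and the application's own FedAuth cookies, and to put the chunked cookies back together; the following does that, as an added example (not code from the original slides). The header lines are constructed and the values are placeholders. That FedAuth is split into FedAuth, FedAuth1, FedAuth2, ... (WIF's chunked cookie handler) and that MSISAuth is split the same way are assumptions made here, not statements from the slides.

```python
# Added example (not from the original slides): sort the cookies seen in a
# capture into AD FS session cookies and the web app's FedAuth cookies, and
# reassemble chunked cookies. Header lines and values are constructed.
# The FedAuth/FedAuth1/FedAuth2 naming follows WIF's chunked cookie handler
# (an assumption about the app, not something the slides state).
import re

# Constructed sample: one Cookie header from a request to AD FS and one from
# a request to the web app, as they would appear in a Fiddler session.
CAPTURED_HEADERS = [
    "Cookie: MSISSelectionPersistent=cHJvdmlkZXI=; MSISAuth=AAAA; MSISAuth1=BBBB; "
    "MSISSignOut=c2l0ZTE=; MSISLoopDetectionCookie=MjAxMS0wNC0xNTsx",
    "Cookie: FedAuth=part0; FedAuth2=part2; FedAuth1=part1; ASP.NET_SessionId=abc123",
]

# Meanings as given on the slide; digits on the end of a name mark a chunk.
ADFS_COOKIE_MEANING = {
    "MSISSelectionPersistent": "identifies the authenticating IP-STS",
    "MSISAuth": "authenticated session cookie",
    "MSISSignOut": "RPs to which this session has authenticated",
    "MSISLoopDetectionCookie": "prevents repeated authentication requests caused by a configuration error",
}


def parse_cookie_header(line):
    """'Cookie: a=1; b=2' -> {'a': '1', 'b': '2'} (values kept verbatim)."""
    _, _, body = line.partition(":")
    jar = {}
    for item in body.split(";"):
        name, sep, value = item.strip().partition("=")
        if sep:
            jar[name] = value
    return jar


def chunk_index(name, base):
    """FedAuth -> 0, FedAuth1 -> 1, ...; None when name is not a chunk of base."""
    m = re.fullmatch(re.escape(base) + r"(\d*)", name)
    return None if m is None else int(m.group(1) or 0)


def reassemble_chunks(jar, base):
    """Join a chunked cookie in numeric order; None if the first chunk is absent."""
    chunks = {}
    for name, value in jar.items():
        idx = chunk_index(name, base)
        if idx is not None:
            chunks[idx] = value
    if 0 not in chunks:
        return None  # a session with only trailing chunks is broken, report it
    return "".join(chunks[i] for i in sorted(chunks))


def classify_cookies(header_lines):
    """Which AD FS cookies were seen (with meaning), the reassembled session
    cookies, and any cookie names the slides do not describe."""
    jar = {}
    for line in header_lines:
        jar.update(parse_cookie_header(line))
    adfs, other = {}, []
    for name in jar:
        base = re.sub(r"\d+$", "", name)
        if base in ADFS_COOKIE_MEANING:
            adfs[name] = ADFS_COOKIE_MEANING[base]
        elif chunk_index(name, "FedAuth") is None:
            other.append(name)
    return {
        "adfs_cookies": adfs,
        "adfs_session_token": reassemble_chunks(jar, "MSISAuth"),
        "app_session_token": reassemble_chunks(jar, "FedAuth"),
        "unclassified": sorted(other),
    }


if __name__ == "__main__":
    for key, value in classify_cookies(CAPTURED_HEADERS).items():
        print(f"{key:20} {value}")
```

A missing first chunk, or a chunk count that changes between requests, usually points at a cookie size or domain/path problem rather than at the federation itself.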
Processing claims in ADFS

Processing Claims Rules

(Diagram: AD → Claims Provider Trusts → claims pipeline → Relying Party Trusts → ST → RP.)

• Claims Provider Trusts: specify the incoming claims that will be accepted from the claims provider and passed to the pipeline
• Relying Party Trusts: specify the users that are permitted to access the relying party
  • Permit: specifies the claims that will be sent to the relying party
  • Deny: not processed
Processing Rules

(Diagram: input claims stream → rules → output claims stream.)

• Subsequent rules can process the results of previous rules
• A custom rule can be created to only add its results to the input stream
  • Replace the "issue" statement with "add"
Using attribute stores

(Diagram: input claims stream → rule querying an attribute store → output claims stream; attribute stores shown are AD, SQL and LDAP. The AD attribute store is added automatically.)
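A small model of the pipeline described in the two slides above (Processing Rules and Using attribute stores), as an added example that is not code from the original slides or from AD FS itself. It shows an attribute-store lookup that uses "add" (results land in the input stream only), a later rule that consumes those added claims, and the output stream that "issue" builds. The claim rule language in the comments is real syntax; the evaluation engine, the attribute store contents and the claim values are constructed assumptions for illustration.

```python
# Added example (not from the original slides): a small model of the claims
# pipeline showing the difference between "issue" and "add", how later rules
# see what earlier rules produced, and where an attribute store lookup fits.
# The rule texts in the comments are AD FS claim rule language; the engine,
# the attribute store contents and the claim values are constructed.
from dataclasses import dataclass
from typing import Callable, Iterable, List

WINACCT = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
GROUP = "http://schemas.xmlsoap.org/claims/Group"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"


@dataclass(frozen=True)
class Claim:
    type: str
    value: str


@dataclass
class Rule:
    name: str
    match: Callable[[Claim], bool]            # the c:[...] condition
    emit: Callable[[Claim], Iterable[Claim]]  # what issue()/add() produces
    action: str = "issue"                     # "issue": input+output, "add": input only


# Constructed stand-in for the Active Directory attribute store.
ATTRIBUTE_STORE = {
    "EXAMPLE\\alice": {"userPrincipalName": "alice@example.com", "mail": "alice.smith@example.com"},
}


def ad_lookup(claim):
    # c:[Type == WINACCT] => add(store = "Active Directory",
    #     types = (UPN, EMAIL), query = ";userPrincipalName,mail;{0}", param = c.Value);
    record = ATTRIBUTE_STORE.get(claim.value, {})
    for claim_type, attr in ((UPN, "userPrincipalName"), (EMAIL, "mail")):
        if attr in record:
            yield Claim(claim_type, record[attr])


RULES = [
    Rule("AD lookup (add only)", lambda c: c.type == WINACCT, ad_lookup, action="add"),
    # c:[Type == UPN] => issue(Type = NAME, Value = c.Value);
    Rule("UPN -> name", lambda c: c.type == UPN, lambda c: [Claim(NAME, c.value)]),
    # c:[Type == GROUP, Value == "Finance"] => issue(Type = ROLE, Value = "FinanceUser");
    Rule("Finance group -> role", lambda c: c.type == GROUP and c.value == "Finance",
         lambda c: [Claim(ROLE, "FinanceUser")]),
]


def run_pipeline(incoming, rules):
    """Rules run in order, each against the input stream as it stands when the
    rule starts (a modelling assumption). Returns (input_stream, output_stream)."""
    input_stream: List[Claim] = list(incoming)
    output_stream: List[Claim] = []
    for rule in rules:
        for claim in list(input_stream):
            if not rule.match(claim):
                continue
            for produced in rule.emit(claim):
                if produced not in input_stream:
                    input_stream.append(produced)
                if rule.action == "issue" and produced not in output_stream:
                    output_stream.append(produced)
    return input_stream, output_stream


# Constructed incoming claims, as accepted from the claims provider.
INCOMING = [Claim(WINACCT, "EXAMPLE\\alice"), Claim(GROUP, "Domain Users"), Claim(GROUP, "Finance")]


if __name__ == "__main__":
    inp, out = run_pipeline(INCOMING, RULES)
    print("input stream: ", [(c.type.rsplit("/", 1)[-1], c.value) for c in inp])
    print("output stream:", [(c.type.rsplit("/", 1)[-1], c.value) for c in out])
```

The UPN and e-mail claims never reach the output stream because the lookup rule uses "add"; they exist only so that the second rule can build the name claim from them. Swapping that rule's action to "issue" is the one-word change that would also send them to the relying party.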
Viewing the claims pipeline

AD FS 2.0 can be configured to log events into the security log
• Source shown as AD FS 2.0 Auditing
• Enables issued claims to be viewed

Step 1 (on AD FS 2.0 server):
• Via Group or Local Policy
  • Security Settings\Local Policies\User Rights Management
  • Add the AD FS service account in the "Generate security audits" properties

Step 2 (on AD FS 2.0 server):
• Run

    auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
AD FS 2.0 Security Audits

Step 3 (on AD FS 2.0 server):

Security Audits Event IDs

(Diagram: the audit event IDs placed on the claims pipeline.)

• Logon: Event ID 4624
• Claims provider → input → Acceptance Transform Rules → Event ID 299, Event ID 501
• Input → Issuance Authorization Rules → Deny: Event ID 324 / Permit: process → Event ID 500
• Issuance Rules: input → Issuance Transform Rules → output → Event ID 299, Event ID 500
AD FS 2.0 Performance Counters

AD FS 2.0 performance counters
• AD FS 2.0* (e.g. token requests/sec, federation metadata requests/sec)
• The AD FS 2.0 update rollup introduced a new performance counter and fixed some performance bugs

WCF performance counters
• ServiceModelEndpoint 3.0.0.0(*)*
• ServiceModelOperation 3.0.0.0(*)*
• ServiceModelService 3.0.0.0(*)*

Other performance counters
• Memory*, Processor(*)*, Paging File(_Total)*
• Process(Microsoft.IdentityServer.ServiceHost) (lsass) (w3wp) (w3wp#1)*
• APP_POOL_WAS(ADFSAppPool)*
• ASP.NET Applications(_LM_W3SVC_1_ROOT_adfs_ls)*
• Web Service(Default Web Site)*
• .NET CLR Networking(*)*
• Network Interface(*)*
• TCPv4*, TCPv6*
Resources

• AD FS 2.0 update rollup 2
• AD FS 2.0 troubleshooting guide
• AD FS 2.0 SDK (updated in 2012!)
• AD FS 2.0 content map
Summary

• Troubleshooting federation can be tricky
• Key helpers
  • Event logs – match correlation IDs
    • Trace logs for developers
  • Performance counters
  • Capture tools
  • Security auditing
• While systems are working, run captures and become familiar with the normal operations
End an argument with Windows Azure Access Control Service (ACS)
TechEd 2013

I will be speaking at TechEd 2013
• Precon: Windows Server DirectAccess
• Other breakouts
Consulting services on request

                         John.craddock@xtseminars.co.uk
                John has designed and implemented computing systems ranging
                from high-speed industrial controllers through to distributed IT
                systems with a focus on security and high-availability. A key player
                in many IT projects for industry leaders including Microsoft, the UK
                Government and multi-nationals that require optimized IT systems.
                Developed technical training courses that have been published
                worldwide, co-authored a highly successful book on Microsoft
                Active Directory Internals, presents regularly at major international
                conferences including TechEd, IT Forum and European summits.
                John can be engaged as a consultant or booked for speaking
                engagements through XTSeminars. www.xtseminars.co.uk

🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 

Troubleshooting Federation, ADFS, and More

  • 1.
  • 2. Agenda: understand AD FS 2.0 key concepts; understand AD FS 2.0 challenges and common issues; identify AD FS 2.0 troubleshooting tools and tips and tricks
  • 3. Key Concepts (diagram): the user / subject / principal authenticates to the issuer, the IP-STS (Identity Provider (IP) and Security Token Service (STS), backed by Active Directory), and requests a token for AppX. The issuer issues a security token (ST) crafted for AppX; the security token contains claims about the user, for example: name, group membership, User Principal Name (UPN), email address of user, email address of manager, phone number, other attribute values. The security token is signed by the issuer and “authenticates” the user to the application; AppX, the relying party (RP) / resource provider, trusts the security token from the issuer.
  • 4. Working with Partners (diagram): your claims-aware app, your AD FS 2.0 STS, and the partner’s AD FS 2.0 STS & IP (backed by the partner’s Active Directory). The app trusts your STS; your STS trusts the partner’s STS. Flow for a partner user: browse app; not authenticated; redirect to your STS; home realm discovery; redirected to partner STS requesting an ST for the partner user; authenticate; return ST for consumption by your STS; redirected to your STS; process token; return new ST; send token to the app; return cookies and page.
  • 5.
  • 6. X-path Query Use Find… Shown as the ActivityID: Create an XPath form query
  • 7. Seeing it All – Fiddler is a great tool
  • 8. Fiddler as a Man in the Middle: Fiddler can intercept HTTPS traffic; it creates a certificate that represents the destination website. The browser will display the certificate as invalid unless it is added to the certificate store; if you add it to the store, make sure you remove it after testing.
  • 9. Man-In-The-Middle Attack Prevention: depending on the client and server versions, Channel Binding Token (CBT) will be enforced to prevent man-in-the-middle attacks and authentication will fail. For Fiddler SSL interception, temporarily disable CBT on the AD FS server. Configured through the Configuration Editor for Default Web Site\adfs\ls or via a script: appcmd.exe set config "Default Web Site/ADFS/ls" -section:system.webServer/security/authentication/windowsAuthentication /extendedProtection.tokenChecking:"None" /extendedProtection.flags:"Proxy" /commit:apphost
  • 10. First redirect to STS. Decoded redirect URL (%2f decodes to /): https://adfs.example.com/adfs/ls/?wa=wsignin1.0&wtrealm=https://site1.example.com/Federation/&wctx=rm=0&id=passive&ru=%2fFederation%2f&wct=2011-04-15T15:12:28Z
  • 11. The SAML token is transported in a web page: a hidden form with POST method; the POST-back URL is defined via the RP configuration in AD FS; saml:Assertion with the SAML claims; SAML token signature; X.509 certificate of the signing party (includes public key); wctx=rm=0&id=passive&ru=%2fFederation%2f& unchanged since the initial request; Submit button; JavaScript to automatically POST the page. The SAML data is always signed; it can be encrypted if required.
  • 12. AD FS Cookies after authentication with AD FS: MSISSelectionPersistent identifies the authenticating IP-STS; MSISAuth…: authenticated session cookies; MSISSignOut keeps track of all RPs to which the session has authenticated; MSISLoopDetectionCookie prevents multiple authentication requests due to a configuration error (time-out default: 6 requests for authentication to the same RP within a short space of time).
  • 13. Web App Cookies: multiple FedAuth cookies allow the browser session to remain authenticated to the web application.
  • 14.
  • 16. Processing Claims Rules (diagram: AD → Claims Provider Trusts → claims pipeline → Relying Party Trusts → RP, ST). Claims Provider Trusts: specify the incoming claims that will be accepted from the claims provider and passed to the pipeline. Relying Party Trusts: specify the users that are permitted to access the relying party; Permit: specifies claims that will be sent to the relying party; Deny: not processed.
  • 17. Processing Rules (input claims stream → output claims stream): subsequent rules can process the results of previous rules. A custom rule can be created to only add the results to the input stream: replace the “issue” statement with “add”.
  • 18. Using attribute stores (input claims stream → output claims stream): AD (automatically added), SQL, LDAP.
  • 19. Viewing the claims pipeline: AD FS 2.0 can be configured to log events into the security log; the source is shown as AD FS 2.0 Auditing; this enables issued claims to be viewed. Step 1 (on AD FS 2.0 server): via Group or Local Policy, Security Settings\Local Policies\User Rights Management, add the AD FS service account to the “Generate security audits” properties. Step 2 (on AD FS 2.0 server): run auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
  • 20. AD FS 2.0 Security Audits. Step 3 (on AD FS 2.0 server):
  • 21. Security Audits Event IDs (diagram): logon Event ID 4624; claims provider acceptance transform rules; relying party issuance authorization rules (Permit / Deny, Event ID 324) and issuance transform rules; input and output claims of the process are recorded under Event IDs 299, 500 and 501.
  • 22.
  • 23. AD FS 2.0 Performance Counters. AD FS 2.0 performance counters: AD FS 2.0* (e.g. token requests/sec, federation metadata requests/sec); the AD FS 2.0 update rollup introduced a new performance counter and fixed some performance bugs. WCF performance counters: ServiceModelEndpoint 3.0.0.0(*)*, ServiceModelOperation 3.0.0.0(*)*, ServiceModelService 3.0.0.0(*)*. Other performance counters: Memory*, Processor(*)*, Paging File(_Total)*, Process(Microsoft.IdentityServer.ServiceHost) (lsass) (w3wp) (w3wp#1)*, APP_POOL_WAS(ADFSAppPool)*, ASP.NET Applications(_LM_W3SVC_1_ROOT_adfs_ls)*, Web Service(Default Web Site)*, .NET CLR Networking(*)*, Network Interface(*)*, TCPv4*, TCPv6*
  • 24. Resources AD FS 2.0 update rollup 2 AD FS 2.0 troubleshooting guide AD FS 2.0 SDK (updated in 2012!) AD FS 2.0 content map
  • 25. Summary: troubleshooting federation can be tricky. Key helpers: event logs (match correlation IDs); trace logs for developers; performance counters; capture tools; security auditing. While systems are working, run captures and become familiar with the normal operations. End an argument with Windows Azure Access Control Service (ACS)
  • 26. TechEd 2013: I will be speaking at TechEd 2013; Precon: Windows Server DirectAccess; other breakouts
  • 27. Consulting services on request John.craddock@xtseminars.co.uk John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems with a focus on security and high-availability. A key player in many IT projects for industry leaders including Microsoft, the UK Government and multi-nationals that require optimized IT systems. Developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory Internals, presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars. www.xtseminars.co.uk
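Slides 16 to 18 describe the claims pipeline and the trick of replacing “issue” with “add” so a rule’s results stay in the input stream for later rules. As an added example that is not code from the slides or from AD FS itself, the PowerShell below uses the AD FS 2.0 snap-in to put an issuance authorization rule and a two-rule issuance transform set on a relying party trust; the trust name “AppX” and the group name “AppX Users” are placeholders, and the claim type URIs are the standard AD FS 2.0 ones.

```powershell
# Added example, not from the slides: configure claim rules on an AD FS 2.0 relying
# party trust so that an attribute-store lookup is "add"-ed to the input stream and a
# later rule issues from it. Run on the AD FS 2.0 server with the AD FS snap-in.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName    = "AppX"        # placeholder: display name of an existing relying party trust
$groupName = "AppX Users"  # placeholder: AD group allowed to reach the relying party

# Issuance authorization rules (slide 16: which users may access the relying party).
# Only members of the placeholder group get the permit claim; everyone else is denied
# by default, which surfaces as an authorization-failure audit (Event ID 324 on slide 21).
$authzRules = @"
@RuleName = "Permit members of $groupName"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "$groupName"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Issuance transform rule 1 (slide 17): "add" instead of "issue". The UPN looked up in
# the AD attribute store (slide 18) lands only in the INPUT stream; nothing is sent yet.
$rule1 = @'
@RuleName = "Add UPN to input stream (add, not issue)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Issuance transform rule 2: a subsequent rule processes the result of rule 1 and
# issues it to the output stream, so the relying party sees exactly one UPN claim.
$rule2 = @'
@RuleName = "Issue UPN from input stream"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
'@

# Rules in one set are evaluated in order, so rule 1 must precede rule 2.
Set-ADFSRelyingPartyTrust -TargetName $rpName `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules ($rule1 + "`r`n" + $rule2)

# Read the rule sets back to confirm what the pipeline now holds for this trust.
$rp = Get-ADFSRelyingPartyTrust -Name $rpName
"--- Issuance authorization rules for $rpName ---"
$rp.IssuanceAuthorizationRules
"--- Issuance transform rules for $rpName ---"
$rp.IssuanceTransformRules
```

The split into an “add” rule and an “issue” rule is what lets you inspect the intermediate value: with security auditing enabled (slides 19 to 21) the added UPN shows up among the pipeline claims before the final issued set, which is the quickest way to see whether the attribute-store query returned anything.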
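Slides 19 to 21 give the steps for turning on AD FS 2.0 security auditing so that issued claims can be viewed in the Security log. As an added example (my script, not from the slides), the PowerShell below performs the same steps unattended and then reads back the resulting events by the IDs the slides list. The service account name is a placeholder; granting the user right with secedit, and enabling success and failure audits with Set-ADFSProperties -LogLevel, are the scriptable equivalents I assume for the Local Policy and Federation Service Properties dialogs shown on the slides.

```powershell
# Added example, not from the slides: enable AD FS 2.0 security auditing and query the
# resulting Security-log events. Run elevated on the AD FS 2.0 server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$serviceAccount = "CONTOSO\svc_adfs"   # placeholder: the AD FS service account

# Step 1 (slide 19): grant "Generate security audits" (SeAuditPrivilege) to the service
# account. Assumption: secedit export/configure is used here instead of the policy UI.
$inf = Join-Path $env:TEMP "adfs-audit-rights.inf"
$sdb = Join-Path $env:TEMP "adfs-audit-rights.sdb"
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$content = Get-Content $inf
if ($content -match '^SeAuditPrivilege') {
    # Append the account to the existing assignment; never replace the existing list,
    # or the built-in service SIDs lose the right.
    $content = $content -replace '^(SeAuditPrivilege\s*=\s*.*)$', ('$1,' + $serviceAccount)
} else {
    $content = $content -replace '^\[Privilege Rights\]$',
        ("[Privilege Rights]`r`nSeAuditPrivilege = " + $serviceAccount)
}
Set-Content -Path $inf -Value $content -Encoding Unicode
secedit /configure /db $sdb /cfg $inf /areas USER_RIGHTS | Out-Null

# Step 2 (slide 19): the auditpol command from the slide, enabling the
# "Application Generated" subcategory for both success and failure.
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable

# Step 3 (slide 20): turn on success and failure audits in the Federation Service
# properties. Assumption: -LogLevel is the PowerShell equivalent of the Events tab.
$current = (Get-ADFSProperties).LogLevel
$wanted  = @($current + "SuccessAudits" + "FailureAudits" | Select-Object -Unique)
Set-ADFSProperties -LogLevel $wanted

# Slide 21: read the audit events back. 299 = token issued, 324 = authorization
# failure, 500/501 = claims recorded for the pipeline; 4624 is the logon event.
function Get-AdfsAuditEvents {
    param(
        [int]$Newest = 20,
        [int[]]$EventIds = @(299, 324, 500, 501)
    )
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $EventIds } -MaxEvents $Newest -ErrorAction Stop |
            Where-Object { $_.ProviderName -like 'AD FS 2.0*' } |
            Select-Object TimeCreated, Id, ProviderName, Message
    } catch {
        # Get-WinEvent throws when no event matches; treat that as "nothing yet".
        @()
    }
}

# Failure audits first: a burst of 324s for one relying party usually means a
# broken issuance authorization rule rather than an attack, so check the rule set.
Get-AdfsAuditEvents -EventIds @(324) -Newest 10 | Format-List TimeCreated, Id, Message

# Then the successful pipeline: 500 (incoming claims) followed by 501 (issued claims)
# and 299 for the same request lets you compare input stream with output stream.
Get-AdfsAuditEvents -Newest 30 | Format-Table TimeCreated, Id, ProviderName -AutoSize
```

The user-right change only takes effect for the AD FS service after the AD FS Windows service is restarted, so restart it once the script has run, then sign in to a relying party and rerun the last two queries.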