Wormable Critical HTTP Protocol Stack Remote Code Execution Vulnerability affects Windows Server 2019- and 2022-based AD FS Servers (CVE-2022-21907)

During its Patch Tuesday on January 11th, 2022, Microsoft addressed a Remote Code Execution (RCE) security vulnerabilities that affects Windows Server 2019- and Windows Server 2022-based Active Directory Federation Services (AD FS) servers. About the vulnerability CVE-2022-21907 details a remote code execution vulnerability that can be used to attack AD FS servers over the internet. … Continue reading "Wormable Critical HTTP Protocol Stack Remote Code Execution Vulnerability affects Windows Server 2019- and 2022-based AD FS Servers (CVE-2022-21907)"

Three vulnerabilities in AD FS were addressed at this month's Patch Tuesday

When looking at the October 2021 Patch Tuesday today, I noticed three updates that specifically address vulnerabilities in Active Directory Federation Services (AD FS). About the vulnerabilities Three vulnerabilities were addressed today: CVE-20221-40456 AD FS Security Feature Bypass Vulnerability CVE-2021-40456 is a vulnerability that could allow an attacker to bypass BannedIPList entries for WS-Trust workflows … Continue reading "Three vulnerabilities in AD FS were addressed at this month's Patch Tuesday"

How to check if Azure AD has processed the hybrid authentication method change

Many organizations with Azure AD tenant are currently transitioning from federation to Pass-through Authentication (PTA) and/or authentication based on Password Hash Synchronization (PHS). The Staged Roll-out feature is a straight-forward way to perform this transition. Microsoft has described how to migrate from federation to cloud authentication in Azure Active Directory using this feature. Note: In … Continue reading "How to check if Azure AD has processed the hybrid authentication method change"

HOWTO: Enable Seamless Single Sign-on when AD FS is Configured as Sign-in Method

Microsoft has introduced the Staged Rollout functionality to convert the sign-in method for people in your organization from federated authentication to managed authentication. However, there is one slight issue with single sign-on. In this blogpost, I’ll address the issue of having both Seamless Single Sign-on and Federation enabled in Azure AD Connect. About Staged Rollout … Continue reading "HOWTO: Enable Seamless Single Sign-on when AD FS is Configured as Sign-in Method"

Adding an AD FS Server to an existing Farm using Azure AD Connect

Setting up an AD FS Farm with Azure AD Connect is easy when you use Azure AD Connect. Its configuration wizard is able to configure all the required AD FS settings and Web Application Proxy settings on two domain-joined servers you point the wizard to. This begs the question: How do you extend the AD … Continue reading "Adding an AD FS Server to an existing Farm using Azure AD Connect"

Setting up Hybrid Identity with AD FS through Azure AD Connect

When Active Directory on-premises and Azure AD work together, it’s called Hybrid Identity. Hybrid Identity is relatively easy to setup, when you use the Express Settings for Azure AD Connect. However, setting up Hybrid Identity with Active Directory Federation Services (AD FS) is not that hard either. I’ll show you how to achieve this goal … Continue reading "Setting up Hybrid Identity with AD FS through Azure AD Connect"

On-premises Identity-related updates and fixes for January 2021

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates. These are the Identity-related updates and fixes we saw for January 2021:   Windows Server 2016 We observed the following update for Windows Server 2016: KB4598243 January 12, 2021 … Continue reading "On-premises Identity-related updates and fixes for January 2021"

Making the Case for 30-day Token-signing and Token-decrypting Certificates in AD FS

I feel we are at a crossroads. Five years ago, I made the case for token-signing and token-decrypting certificates in Active Directory Federation Services (AD FS) with a validity of 5-year. Today, I’m making the case for 30-day Token-signing and Token-decrypting certificates, based on my understanding of the UNC2452 attack campaign (also known as ‘SolariGate’). … Continue reading "Making the Case for 30-day Token-signing and Token-decrypting Certificates in AD FS"

From the field: The Case of the Unstable AD FS Farm

Troubleshooting stories from the field are the best. That’s why I like writing them down. Although, sometimes they might appear as straight cases of schadenfreude, I feel there are lessons to be learned for anyone, if you’re willing to look closely and listen carefully. Last month, I experienced an issue with an AD FS farm, … Continue reading "From the field: The Case of the Unstable AD FS Farm"

KnowledgeBase: The WID Service consumes 100% CPU after transitioning AD FS Servers

This week, I encountered unexpected behavior with Active Directory Federation Services (AD FS) on a Windows Server installation that an organization had recently transitioned to from an AD FS server running a previous version of Windows Server. I’m sharing my experiences, so others may benefit from our troubleshooting and solution.   The situation Your organization … Continue reading "KnowledgeBase: The WID Service consumes 100% CPU after transitioning AD FS Servers"