Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll look at the benefits of implementing AD FS with a back-end SQL Server (cluster) as opposed to implementing it with Windows Internal Database (WID):

• SAML Artifact Resolution
• Token Replay Detection

Note:
This blogpost assumes you’re running AD FS Servers as domain-joined Windows Server 2016 Server Core installations. The same information applies to AD FS Servers running Windows Server 2016 with Desktop Experience (Full).

Why deploy AD FS with Microsoft SQL?

There are several reasons to deploy Active Directory Federation Services (AD FS) with a Microsoft SQL Server back-end. The organizations for which I’ve deployed AD FS with SQL Server chose to do so mainly because they have a strategy to centralize their Microsoft SQL databases on a highly-available Microsoft SQL cluster. This way, all the information security measures surrounding that data had to be applied only once.

Other benefits of using a back-end Microsoft SQL Server are:

• AD FS admins have read/write access to the database on all AD FS servers, eliminating the situation where only the primary AD FS server has read/write access and, thus, can only be used to manage the AD FS farm.
• AD FS admins are not limited to 30 AD FS servers in their AD FS farm.
• SQL admins can more easily manage the Microsoft SQL Server, since it is not limited in the same way Windows Internal Database is limited.

However, there are two other reasons as well:

Why would you want SAML Artifact Resolution?

In an AD FS implementation using Windows Internal Database to store and replicate the AD FS configuration, when a SAML authentication is performed, the responding claim is sent back.

With Artifact Resolution, instead of the actual claim, a reference is sent back. Based on the reference, the claim can then be retrieved. When used, Artifact Resolution allows for all parties involved to reference the original SAML claim. All access to the references can then be logged and audited to allow for the permitted access, only.

Artifact Resolution is only available when AD FS is implemented with a back-end Microsoft SQL Cluster.

Why would you want Token Replay Detection?

In an AD FS implementation using Windows Internal Database to store and replicate the AD FS configuration, tokens that are retrieved can be reused to an extent. When Replay detection is enabled, AD FS no longer allows for the WS-Federation passive profile and the SAML WebSSO profile.

Getting ready

To change the security headers throughout the AD FS infrastructure, make sure to meet the following requirements:

Information requirements

In the organization, make sure there is consensus on the name for the AD FS farm.
Make sure a TLS certificate is available for the AD FS farm name, or request it from a Certification Authority (CA). Install the certificate in the personal certificate store for the local machine.

SYSTEM REQUIREMENTS for proposed AD FS Servers

To create an AD FS Farm, make sure a domain-joined Windows Server 2016 installation is available to commission as an AD FS server. Additionally, make sure the AD FS farm name is resolvable to this machine in the appropriate DNS zones.

Make sure these systems are installed with the latest cumulative Windows Updates. At a minimum, make sure the proposed AD FS Servers running Windows Server 2016 have the July 2019 Cumulative update (KB4507459) installed

System requirements for SQL Servers

For AD FS with SQL Server-based databases, have a SQL Server available on the network, that is also resolvable via DNS and reachable by the proposed AD FS server(s).

Make sure the Microsoft SQL Server is configured with a TLS certificate to be able to encrypt the data with the AD FS Servers.  Also make sure the Microsoft SQL Server installation supports TLS 1.2 by installing the required hotfixes as described in KB3135244.

PRIVILEGE REQUIREMENTS

Perform all the below steps with an account that has these specific permissions:

1. Domain Administrator privileges in Active Directory, through a direct membership of the Domain Admins group.
2. Local Administrator privileges on the Windows Server installations you intend to use as AD FS servers. (This is a default permission that comes with Domain Admins privileges when the server is domain-joined)
3. SysAdmin (sa) privileges on the Microsoft SQL Server.

How to install the first AD FS Server with Microsoft SQL Server

Setting up an AD FS farm with Windows Internal Database and implementing the first AD FS server, consists of the following steps:

1. Creating a gMSA in Active Directory
2. Creating the database script
3. Creating the databases
4. Installing the AD FS Server role
5. Configuring AD FS

Creating a gMSA

We need a group Managed Service Account (gMSA) to be used as the AD FS service account across the AD FS farm. A gMSA is the safest way to host this account from Active Directory.

When using SQL Server opposed to using WID, however, the serviceaccount becomes really important, because it is not only used to run the AD FS service on AD FS servers in the AD FS Farm, but also to connect to the SQL Server backend: The service account specified when using the script from Export-AdfsDeploymentSQLScript, will be added as a login to the SQL Server installation and will be provided with privileges in the database.

Use the following lines of PowerShell on a system with the Active Directory Module for Windows PowerShell installed, while signed in with a user account that is a member of the Domain Admins group, supposing ADFSServer1 is the hostname of the first AD FS server in the farm:

Import-Module ActiveDirectory

New-ADServiceAccount ADFSgMSA -DNSHostName adfsgmsa.domain.tld -PrincipalsAllowedToRetrieveManagedPassword ADFSServer1

Creating the script

On the first proposed AD FS server, install the AD FS Server role with the following line of Windows PowerShell in an elevated window:

Install-WindowsFeature ADFS-Federation -IncludeManagementTools

With the AD FS Server role installed, we can use the specific Windows PowerShell cmdlet to create the SQL scripts to create the databases on the SQL Server Back-end.

Use the following lines of Windows PowerShell to install the AD FS Server role in an elevated window:

New-Item “C:\ADFSSQLScript” -Type Directory

Export-AdfsDeploymentSQLScript -DestinationFolder “C:\ADFSSQLScript” –ServiceAccountName DOMAIN\ADFSgMSA$

This will create two files in the specified folder:

1. CreateDB.sql
2. Set-Permissions.sql

Creating the databases

Copy both files to the Microsoft SQL Server you intend to use as the back-end for the AD FS farm. Perform these steps:

1. Open the SQL Server Management Studio.
2. From the File menu, click the Open option. Then click File (Ctrl+O).
3. Browse to the CreateDB.sql script and open it.
4. From the Query menu, click the Execute (F5) option.
5. From the File menu, click the Open option. Then click File (Ctrl+O) again.
6. This time, browse to the SetPermissions.sql script and open it.
7. From the Query menu, click the Execute (F5) option.

The CreateDB.sql script creates two databases: the AdfsConfigurationV4 database that stores the AD FS Farm settings, and the AdfsArtifactStore database, that is used for AD FS Artifact Resolution.

Note:
Do not configure the database as part of a SQL Server Always-on Availability Group at this moment. Wait with this action, until you’ve successfully configured the first AD FS server, as the AD FS server wants a lock on the database at that time.

Configuring AD FS

On the proposed first AD FS server, perform the following lines of Windows PowerShell  in an elevated window to configure the AD FS Server role with a SQL Server named SQLServer, listening on the default port (TCP 1433):

$ADFSFarmName = “sts.domain.tld”

$Thumb = (Get-ChildItem -path cert:\LocalMachine\My | Where-Object {$_.Subject -match $ADFSFarmName}).Thumbprint

Install-ADFSFarm -CertificateThumbPrint $thumb -FederationServiceDisplayName “Organization Name” -FederationServiceName $ADFSFarmName -GroupServiceAccountIdentifier “DOMAIN\ADFSgMSA$” -OverwriteConfiguration -SQLConnectionString “Data Source=SQLSERVER;IntegratedSecurity=True”

Restart-Computer

In some environments, complex SQL connection strings might be returned by a SQL admin as answer to the AD FS SQL scripts. In these cases, it is wise to test the SQL connection string manually on the AD FS Servers, before implementation. Use the following lines of Windows PowerShell to this purpose:

$conn = New-Object System.Data.SqlClient.SqlConnection

$conn.ConnectionString = “Data Source=SQLServerName:Port;Integrated Security=True;”

# If no error occurs here, then connection was successful.

$conn.Open();

$conn.Close();

How to install additional AD FS Servers with Microsoft SQL Server

After setting up the AD FS farm by implementing the first AD FS server, adding additional AD FS servers to the farm is straightforward.

Make sure:

1. The same TLS certificate is available for the additional AD FS servers as used on the first AD FS server in the AD FS farm. Install the certificate in the personal certificate store for the local machine.
2. The proposed AD FS server is a domain-joined Windows Server installation and you are logged on with a domain account that is a member of the Domain Admins group.
3. The Microsoft SQL Server is available.

On the proposed AD FS server, install the AD FS Server role with the following line of Windows PowerShell in an elevated window:

Install-WindowsFeature ADFS-Federation -IncludeManagementTools

Then, in the same PowerShell window, use the following lines of Windows PowerShell, replacing the values for $ADFSFarmName, -GroupServiceAccountIdentifier and -SQLConnectionString in the same way as you did for the first AD FS server:

$ADFSFarmName = “sts.domain.tld”

$Thumb = (Get-ChildItem -path cert:\LocalMachine\My | Where-Object {$_.Subject -match $ADFSFarmName}).Thumbprint

Add-AdfsFarmNode -CertificateThumbPrint $thumb -GroupServiceAccountIdentifier “DOMAIN\ADFSgMSA$” -SQLConnectionString “Data Source=SQLSERVER;IntegratedSecurity=True”

Restart-Computer

Checking for Token Replay Detection

Token replay detection is enabled by default when you deploy AD FS with SQL Server. However, after deploying AD FS with SQL Server, you may want to check if Token Replay Detection is enabled. Run the following line of Windows PowerShell in an elevated window to do so:

(Get-ADFSProperties).PreventTokenReplays

Concluding

SAML Artifact Resolution and Token Replay Detection should be available for hardened Hybrid Identity implementation. To gain access to these features, install Active Directory Federation Services (AD FS) with Microsoft SQL Server as its back-end.

Further reading

The Role of the AD FS Configuration Database
How does Artifact Resolution work?
AD FS Deployment Topology Considerations

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

For many organizations the Active Directory administrative tier model is a reality, or at least something they strive to embrace to increase their information security.

How do the Hybrid Identity systems fit into this model?

About the Active Directory administrative tier model

The Active Directory administrative tier model protects identity systems using a set of buffer zones between full control of the environment (Tier 0) and the high risk workstation assets that attackers frequently compromise. The administrative tier model is composed of three levels and only includes administrative accounts, not standard user accounts. The Tier model prevents escalation of privilege by restricting what administrators can control and where they can log on (because logging on to a computer grants control of those credentials and all assets managed by those credentials).

In the model, Active Directory Domain Controllers are placed in Tier 0.

As Tier 0 is the only tier intended to allow direct control of enterprise identities in the environment, Tier 0 includes accounts, groups, and other assets that have direct or indirect administrative control of the Active Directory forest, domains, or domain controllers, and all the assets in it.

Creating a Tier Strategy for Hybrid Identity components

Designing a tier strategy for Hybrid Identity components consists of four separate tasks:

1. Designing AD FS Server placement
2. Designing Web Application Proxy placement
3. Designing Azure AD Connect Server placement
4. Designing Azure AD Password Protection placement

Designing AD FS Server placement

AD FS Servers should be placed in Tier 0.
Communications between AD FS servers and between AD FS servers and Domain Controllers should be isolated in Tier 0, too. This traffic should not be permitted to cross less-secure networking zones.

In the RFCs, AD FS servers are referred to as Security Token Service (STS) servers. Functionally, they translate Kerberos tokens to claim tokens. Claim tokens are the equivalent of Kerberos tokens for their respective open protocols, like WS-Federation, SAML, OAuth2, Open ID Connect and SCIM.

The way an attacker may use claim tokens is to forge a claim token for an administrative user account and then reset its password using Azure AD Self-Service Password Reset.

When Microsoft SQL Server is used as the back-end for AD FS, the SQL server(s) hosting the database should also be placed in Tier 0. This might mean that the SQL Server (cluster) hosting the ADFSConfigurationVx and ADFSArtifactStore databases should be a separate SQL Server (cluster) than the one(s) hosting other non-Tier0 databases.

Designing Web Application Proxy placement

Web Application Proxies should be placed on the extranet.
They should not be joined to an Active Directory domain.

For their communications to AD FS servers, Web Application Proxies only use TCP443 (https), leveraging MS-ADFSPIP with short-lived certificates that are signed and distributed by the AD FS farm. However, this communications flow into Tier 0 cannot be intercepted or inspected, as it would break MS-ADFSPIP. Instead, intercept and inspect at the edge of the network.

Designing Azure AD Connect Server placement

Azure AD Connect servers should be placed in Tier 0.

Azure AD Connect uses an ADSync database per Azure AD Connect installation. This database contains information on all objects in scope for Azure AD Connect. It also contains information on its service accounts, used to write objects in Azure AD and to perform write-back operations into Active Directory.

An attacker can use the information in the ADSync database to create and alter objects in both Azure AD and Active Directory.

As Tier 0 dictates no Internet access, Azure AD Connect should be configured to use  proxy servers to transit from Tier 0 into Tier 1 and, ideally, from Tier 1 to the Internet.

Designing Azure AD Password Protection placement

Azure AD Password Protection can be used to prevent weak passwords. It offers a hybrid model, where password changes are intercepted using a password filter driver on each Domain Controller and a proxy component to update the password filter driver.

The Azure AD Password Protection agent component is installed on each Domain Controller and therefore resides in Tier 0.

The Azure AD Password Protection proxy component should be placed in Tier 1. This component was designed to do so, as Microsoft specifically signs and encrypts each update that goes to the Domain Controllers.

Designing a networking infrastructure for Hybrid Identity components

Designing a networking infrastructure for Hybrid Identity components consists of three separate tasks:

1. Designing AD FS Server networking
2. Designing Web Application Proxy networking
3. Designing Azure AD Connect Server networking

Designing AD FS Server networking

AD FS Servers should be placed as close as possible to Domain Controllers from a networking perspective. This prevents time-outs that may result in authentication failures for end-users.

AD FS servers should reside on the internal network. They can be place on the same network segment as the Domain Controllers, or on a network segment close to it, but separated by a (next-generation) firewall. As AD FS servers use SCHANNEL to communicate to Domain Controllers, this traffic can be inspected.

AD FS servers need to exchange federation metadata with federation partners, when the relying party trust (RPT) to these partners is configured through a Federation Metadata URL. AD FS servers also need to perform certificate revocation checks for the certificates of federation partners. The above traffic can be allowed through a proxy.

Designing Web Application Proxy networking

Web Application Proxies can be integrated with the networking infrastructure in two ways:

1. Web Application Proxies can be placed on a perimeter network.
2. Web Application Proxies can be domain-joined.

In the first scenario, the Web Application Proxy acts as an AD FS Proxy to publish the AD FS servers in the AD FS farm to the Internet. Publishing AD FS to the Internet is a requirement for federating with Azure AD and Office 365. In this scenario, the Web Application Proxy is capable of publishing application with pass-through authentication.

In the second scenario, the Web Application Proxy acts as both an AD FS Proxy and an App-publishing proxy. However, the web applications in this scenario need to be published requiring AD FS authentication to access the applications. To this purpose, the Web Application Proxy needs to be joined to the same Active Directory domain as the AD FS server(s).

The first scenario is the preferred scenario. In this scenario, Web Application Proxies only need TCP 443 access to the (load-balancer of the) internal AD FS Servers from the perimeter network. The AD FS Fam must be discoverable through HOSTS or DNS.

To the Internet, the (load-balancer of the) Web Applications Proxies need to be accessible on TCP 443. TCP 49443 may be required on Windows Server 2012 R2-based AD FS implementations and Windows Server 2016/2019-based AD FS implementation that do not have the certauth.adfsname.domain.tld DNS name registered in the AD FS Service Communications certificate.

Designing Azure AD Connect Server networking

Azure AD Connect servers should be placed as close as possible to Domain Controllers from a networking perspective. Azure AD Connect servers should reside on the internal network. They can be place on the same network segment as the Domain Controllers, or on a network segment close to it, but separated by a (next-generation) firewall. As Azure AD Connect servers use SCHANNEL to communicate to Domain Controllers, this traffic can be inspected.

The traffic from Azure AD Connect to its Azure-based endpoints cannot be inspected, as it uses mTLS. However, the traffic can be passed through a proxy server (multiple times).

In contrast to earlier versions of the Azure AD Connect Health agent, the current Azure AD Connect Health agent is capable of using a proxy server, if manual registration is performed through Windows PowerShell and the PowerShell session is configured to use a proxy.

Organizations may choose to domain-join or not to domain-join Azure AD Connect installations. non-Domain-joined Azure AD Connect installations cannot be used to manage AD FS. non-Domain-joined Azure AD Connect installations also require more administrative effort to maintain, activate, update, audit and monitor.

Concluding

The Active Directory administrative tier model, that dominates many of today’s Active Directory implementations, can be used to make the right design decisions for Hybrid Identity components and their networking, too.