Category Archives: Active Directory Federation Services

Manage the use of your AD FS MFA Adapter towards Azure AD with the new federatedIdpMfaBehavior setting

Last month, Microsoft introduced a new setting in Azure AD to protect against by-passing of Azure MFA for organizations who have federated between Azure AD and their on-premises environment. In most cases, organizations who have federated one or more DNS domains with Microsoft 365 (and thus Azure AD) use AD FS to host the ‘Microsoft […]


An AD FS Vulnerability may lead to Elevation of Privilege on recent Windows Server versions

This week, on its Patch Tuesday for July 2022, Microsoft released a patch that addresses a vulnerability (CVE-2022-30215) in Active Directory Federation Services (AD FS).   About the vulnerability An Elevation of Privilege (EoP) vulnerability exists in Active Directory Federation Services (AD FS). The vulnerability can be exploited over the network and an attacker who successfully exploited […]


Wormable Critical HTTP Protocol Stack Remote Code Execution Vulnerability affects Windows Server 2019- and 2022-based AD FS Servers (CVE-2022-21907)

During its Patch Tuesday on January 11th, 2022, Microsoft addressed a Remote Code Execution (RCE) security vulnerabilities that affects Windows Server 2019- and Windows Server 2022-based Active Directory Federation Services (AD FS) servers. About the vulnerability CVE-2022-21907 details a remote code execution vulnerability that can be used to attack AD FS servers over the internet. […]


Three vulnerabilities in AD FS were addressed at this month's Patch Tuesday

When looking at the October 2021 Patch Tuesday today, I noticed three updates that specifically address vulnerabilities in Active Directory Federation Services (AD FS). About the vulnerabilities Three vulnerabilities were addressed today: CVE-20221-40456 AD FS Security Feature Bypass Vulnerability CVE-2021-40456 is a vulnerability that could allow an attacker to bypass BannedIPList entries for WS-Trust workflows […]


How to check if Azure AD has processed the hybrid authentication method change

Many organizations with Azure AD tenant are currently transitioning from federation to Pass-through Authentication (PTA) and/or authentication based on Password Hash Synchronization (PHS). The Staged Roll-out feature is a straight-forward way to perform this transition. Microsoft has described how to migrate from federation to cloud authentication in Azure Active Directory using this feature. Note: In […]


HOWTO: Enable Seamless Single Sign-on when AD FS is Configured as Sign-in Method

Microsoft has introduced the Staged Rollout functionality to convert the sign-in method for people in your organization from federated authentication to managed authentication. However, there is one slight issue with single sign-on. In this blogpost, I’ll address the issue of having both Seamless Single Sign-on and Federation enabled in Azure AD Connect. About Staged Rollout […]


Adding an AD FS Server to an existing Farm using Azure AD Connect

Setting up an AD FS Farm with Azure AD Connect is easy when you use Azure AD Connect. Its configuration wizard is able to configure all the required AD FS settings and Web Application Proxy settings on two domain-joined servers you point the wizard to. This begs the question: How do you extend the AD […]


Setting up Hybrid Identity with AD FS through Azure AD Connect

When Active Directory on-premises and Azure AD work together, it’s called Hybrid Identity. Hybrid Identity is relatively easy to setup, when you use the Express Settings for Azure AD Connect. However, setting up Hybrid Identity with Active Directory Federation Services (AD FS) is not that hard either. I’ll show you how to achieve this goal […]


On-premises Identity-related updates and fixes for January 2021

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates. These are the Identity-related updates and fixes we saw for January 2021:   Windows Server 2016 We observed the following update for Windows Server 2016: KB4598243 January 12, 2021 […]


Making the Case for 30-day Token-signing and Token-decrypting Certificates in AD FS

I feel we are at a crossroads. Five years ago, I made the case for token-signing and token-decrypting certificates in Active Directory Federation Services (AD FS) with a validity of 5-year. Today, I’m making the case for 30-day Token-signing and Token-decrypting certificates, based on my understanding of the UNC2452 attack campaign (also known as ‘SolariGate’). […]