Pages

Monday, September 28, 2020

Configuring Zoom with ADFS as an iDP

I was recently asked to configure Zoom with ADFS and found certain parts of the following documentation provided by Zoom:

Configuring Zoom With ADFS
https://support.zoom.us/hc/en-us/articles/202374287-Configuring-Zoom-With-ADFS

… a bit confusing so I would like to write this post to provide a clear example of the settings required in the portal.

To configure Zoom to use ADFS as an iDP, you’ll need to log into the administration console, navigate to Admin > Advanced > Single Sign-On and click on Enable Single Sign-On:

image

Once in the portal, edit the SAML settings as shown in the screenshot below:

image

The two configuration settings I felt wasn’t clear in the instructions were:

  • Identity provider certificate
  • Issuer (IDP Entity ID)

What confused me with the Identity provider certificate was whether we should copy and paste the tags in or not and the answer is no:

image

As for the Issuer (IDP Entity ID), ensure that you use the ADFS URL:

image

The instructions for configuring the ADFS servers were fairly straight forward so I won’t include them in this post. If you experience any issues with logging via the ADFS portal, you can turn on logging in the Zoom administrative portal by enabling the Save SAML response logs on user sign-in:

image

With the above enabled, a new tab will be available to review sign-in attempts:

image

Configuring Zoom with ADFS throws the error: "An error occurred during an attempt to read the federation metadata. Verify that the specified URL or host name is a valid federation metadata endpoint."

Problem

I was recently asked to configure Zoom with ADFS as per the following documentation:

Configuring Zoom With ADFS
https://support.zoom.us/hc/en-us/articles/202374287-Configuring-Zoom-With-ADFS

… and was not able to complete the process because the following error was displayed when importing the federation metadata:

An error occurred during an attempt to read the federation metadata. Verify that the specified URL or host name is a valid federation metadata endpoint.

image

Searching on the internet earlier this year did not return any posts that helped resolve this issue and opening up a ticket with Zoom had us wait months before we received a reply (escalated by the client’s account manager). To give Zoom some credit, the support engineer who reached out to us was extremely quick with response and very helpful. I am unsure if searching for this error will yield the KB he forwarded to us so this post serves to help anyone who may run into the same problem.

Solution

One of the possible reasons why the import of the federation metadata would fail on the ADFS server is if when TLS 1.2 is not enabled on ADFS. The server in this example was a fresh install of Windows Server 2019 and navigating to the following registry showed that TLS 1.2 was not explicitly enabled:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

image

To correct this issue, simply following the steps provided in this Zoom article:

How to enable TLS 1.2 on an ADFS Server (Windows Server 2012 R2)
https://support.zoom.us/hc/en-us/articles/360033739531-How-to-enable-TLS-1-2-on-an-ADFS-Server-Windows-Server-2012-R2-

The following PowerShell cmdlets create the keys required to enable TLS 1.2:

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null

image

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null

image

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null

image

The following PowerShell cmdlet enable’s Strong Authentication for .Net Framework:

image

The following PowerShell cmdlets disables SSL 3.0:

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null

image

Here is the list of cmdlets demonstrated above:

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -name 'SchUseStrongCrypto' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null

With TLS 1.2 enabled, strong encryption enabled, and SSL 3.0 enabled, the import of the federation metadata should now succeed.

A Microsoft Windows Network Policy Server (RADIUS) logs the System Error: "An Access-Request message was received from RADIUS client x.x.x.x with a Message-Authenticator attribute that is not valid."

Problem

You notice that wireless clients authenticating with a wireless controller that uses a Microsoft Windows Network Policy server fails and the following error is logged:

Log Name: System
Source: NPS
Event ID: 18
Level: Error

An Access-Request message was received from RADIUS client 172.23.192.16 with a Message-Authenticator attribute that is not valid.

image

image

Solution

This error is typically caused by a shared secret mismatch between what is configured for the RADIUS client and the NPS server. Correcting the mismatch will remediate the issue and the following events will be logged on the NPS server:

Log Name: System
Source: NPS
Event ID: 4400
Level: Information

A LDAP connection with domain controller DC02.contoso.com for domain CONTOSO is established.

image

image

Thursday, September 17, 2020

Redirecting on-premise Exchange Server 2019 OWA and ECP authentication to AD FS

I’ve recently worked with a client who had no plans to move away from their on-premise Exchange Server 2019 due to regulations they had to abide to and was interested in leveraging their on-premise AD FS (Active Directory Federation Server) for clients to use claims-based authentication to connect to Outlook on the Web (OWA) and Exchange admin center (EAC). Those who have attempted to integrated 2FA solutions such as Duo, SecurEnvoy, or RSA know how cumbersome the process for configuring OWA or ECP can be and the additional amount of administrative overhead it adds to tasks such as patching the Exchange servers. Using AD FS effectively allows the client to require the 2FA provided by AD FS without affecting the Exchange servers. This post serves to demonstrate the process of configuring AD FS claims-based authentication with Outlook on the web and Exchange admin center.

Server Requirements

Configuring AD FS claims-based authentication for Outlook on the web and the EAC in Exchange Server involves the following additional servers:

  • A Windows Server 2012 or later domain controller (Active Directory Domain Services server role).
  • A Windows Server 2012 or later AD FS server (Active Directory Federation Services server role). Windows Server 2012 uses AD FS 2.1, and Windows Server 2012 R2 uses AD FS 3.0.
  • You need to be a member of the Domain Admins, Enterprise Admins, or local Administrators security group to install AD FS, and to create the required relying party trusts and claim rules on the AD FS server.
  • Optionally, a Windows Server 2012 R2 or later Web Application Proxy server (Remote Access server role, Web Application Proxy role service).
    • Web Application Proxy is a reverse proxy server for web applications that are inside the corporate network. Web Application Proxy allows users on many devices to access published web applications from outside the corporate network.
    • Although Web Application Proxy is typically recommended when AD FS is accessible to external clients, offline access in Outlook on the web isn't supported when using AD FS authentication through Web Application Proxy.
    • You need to deploy and configure the AD FS server before you configure the Web Application Proxy server, and you can't install Web Application Proxy on the same server where AD FS is installed.

This post will not include instructions for deploying an AD FS farm as I have already written posts in the past and they can found here:

Deploying a redundant Active Directory Federation Services (ADFS) farm on Windows Server 2019
http://terenceluk.blogspot.com/2020/04/deploying-redundant-active-directory.html

Deploying a redundant Active Directory Federation Services (ADFS) Web Application Proxy servers on Windows Server 2019
http://terenceluk.blogspot.com/2020/04/deploying-redundant-active-directory_21.html

Before I begin with the steps, note that the official Microsoft deployment documentation can be found here:

Use AD FS claims-based authentication with Outlook on the web
https://docs.microsoft.com/en-us/exchange/clients/outlook-on-the-web/ad-fs-claims-based-auth?view=exchserver-2019

Step #1 - Export ADFS Signing Certificate and Import to Exchange Servers

The AD FS server uses a token-signing certificate for encrypted communication and authentication between the AD FS server, Active Directory domain controllers, and Exchange servers. This self-signed certificate is automatically copied over to the Web Application Proxy server during the installation, but is required to be manually imported into the Trusted Root Certificate store on all of the Exchange servers in the organization.

To export the certificate, log onto the AD FS server, launch the AD FS Management Console, navigate to AD FS > Service > Certificate:

image

Select the certificate listed under Token-signing, right click and select on View Certificate…:

image

The general properties of the certificate will be displayed:

image

Proceed and navigate to the Details tab and click on the Copy to File… button:

image

Go through the Certificate Export Wizard to export the certificate:

image

Select DER encoded X.509 (.CER) format and proceed with the export:

imageimageimageimageimage

Proceed to import the certificate into the Trusted Root Certificate store on all of the Exchange servers in the organization

Also note that this self-signed token-signing certificate is only valid for one year and while the AD FS server will automatically renew and replace its own self-signed certificates before they expire, you will need to re-export and import the certificate back onto the Exchange servers. If the certificate expiration period is deemed to be too short for the organization then the period can be extended by using the following PowerShell cmdlet on the AD FS server:

Set-AdfsProperties -CertificateDuration <Days> (the default value is 365)

Step #2 – Create a relying party trust and custom claim rules in AD FS for OWA (Outlook on the web)

With the AD FS prerequisites configured, proceed to create the relying party trust for OWA (Outlook on the web) on the AD FS server by launching the AD FS Management console:

image

Navigate to AD FS > Relying Party Trusts and click on Add Relying Party Trusts…:

image

Select Claims aware and click on Start:

image

Change the default Import data about the relying party published online or on a local network to Enter data about the relying party manually:

imageimage

Enter the Display name and Notes for the Outlook on the web relying party:

Outlook on the web

This is a trust for https://mail.contoso.com/owa

image

Leave the Configure Certificate window as unconfigured and click on Next:

image

Check the Enable support for the WS-Federation Passive protocol checkbox:

image

Enter in the URL of the Outlook on the web address (e.g. https://mail.contoso.com/owa/):

image

Add the URL of the Outlook on the web address for the Relying party trust identifier:

image

The AD FS server in this environment already had Duo MFA configured so this example will select Permit everyone and require MFA:

image

On the Ready to Add Trust page, review the settings, and then click Next to save the relying party trust information:

image

Leave the Configure claims issuance policy for this application checked and click Close:

image

Step #3 – Create custom claim rules in AD FS for Outlook on the web

The following two claim rules will be created for the Outlook on the web relying party trust:

  • Active Directory user SID
  • Active Directory UPN

In the Edit Claim Issuance Policy for Outlook on the web window, click on Add Rule…:

image

Change the Claim rule template to Send Claims Using a Custom Rule and then click Next:

image

Enter the following configuration for the parameters and ten click Finish.

Claim rule name:

ActiveDirectoryUserSID

Custom rule:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value);

image

Click Add Rule… again to create a new rule:

image

Change the Claim rule template to Send Claims Using a Custom Rule and then click Next:

image

Enter the following configuration for the parameters and ten click Finish.

Claim rule name:

ActiveDirectoryUPN

Custom rule:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

image

Click OK to close the window after the following 2 rules are created:

image

You should see the new Outlook on the web Relying Party Trust created:

image

Step #4 – Configure AD FS Web Application Proxy Server to publish Outlook on the Web

If users are going to access OWA from the internet then it will be necessary to publish the newly created Outlook on the web relying party trust on the AD FS Web Application Proxy. Begin by launching the Remote Access Management Console on the AD FS WAP server and navigating to the Published Web Applications context then click on Publish:

image

Click Next:

image

Select Active Directory Federation Services (AD FS) and click Next:

image

Select Web and MSOFBA for the type of preauthentication to perform for this application and click Next:

image

The configured relying party trusts will be listed, select the Outlook on the web relying party trust that we created and click Next:

image

Fill in a name for the web application (e.g. Outlook on the web) then the URLs for OWA access, the certificate used for securing traffic and then click Next:

image

A display of the PowerShell cmdlet used to create the we application will be displayed. Proceed by clicking on Publish:

image

The wizard will display the results of publishing the application when completed:

image

The newly published Outlook on the web application should now be displayed:

image

Step #5 – Create a relying party trust and custom claim rules in AD FS for EAC (Exchange admin center)

The steps for creating a relying party trust and custom claim rules in AD FS for EAC is exactly the same as OWA and the only change is the URL (e.g. https://mail.contoso.com/ecp instead of https://mail.contoso.com/owa). Repeat the same steps as above for the EAC.

Step #6 – Configure AD FS Web Application Proxy Server to publish Exchange admin center

The steps to configure the AD FS Web Application Proxy Server to publish Exchange admin center is exactly the same as the Outlook on the web and the only change is the URL. Repeat the steps above for the EAC.

image

Step 6: Configure the Exchange organization to use AD FS authentication

There is no way to configure the Exchange organization to use AD FS authentication within the GUI so begin by launching the Exchange Management Shell from one of the Exchange servers.

The cmdlet to configure the Exchange organization to use AD FS for authentication is as follows:

Set-OrganizationConfig -AdfsIssuer https://<FederationServiceName>/adfs/ls/ -AdfsAudienceUris "<OotwURL>","<EACURL>" -AdfsSignCertificateThumbprint "<Thumbprint>"

Note that the following are the parameters for the cmdlet above:

  • AD FS URL (e.g. https://adfs.contoso.com/adfs/ls/)
  • Outlook on the web URL (https://mail.contoso.com/owa/)
  • EAC URL (e.g. https://mail.contoso.com/ecp/)
  • AD FS token-signing certificate thumbprint which is the ADFS Signing

The first 3 URLs should be self-explanatory, while the last parameter is the thumbprint value of the imported AD FS token signing certificate performed in Step #1. Run the following cmdlet on the Exchange server to find the thumbprint value of the imported AD FS token signing certificate:

Set-Location Cert:\LocalMachine\Root; Get-ChildItem | Sort-Object Subject

image

You can also confirm this thumbprint value on the AD FS server in an elevated Windows PowerShell window by running the command Import-Module ADFS, and then running the command Get-AdfsCertificate -CertificateType Token-Signing or just running Get-AdfsCertificate -CertificateType Token-Signing cmdlet the on the AD FS server:

image

It would be a good idea to execute the Set-OrganizationConfig before the Set-OrganizationConfig to verify that there hasn’t been any ADFS configuration configured for the organization as shown in the following screenshot:

Get-OrganizationConfig | FL *adfs*

image

Having verified the Exchange organization does not have any ADFS configuration, execute the cmdlet with the environment’s settings:

Set-OrganizationConfig -AdfsIssuer https://adfs.contoso.com/adfs/ls/ -AdfsAudienceUris "https://mail.contoso.com/owa/","https://mail.contoso.com/ecp/" -AdfsSignCertificateThumbprint " 75FC78640C9C7F1BDB2B0ADD7E7E2FB8A9159160"

image

Execute Get-OrganizationConfig | FL *adfs* to verify that the configuration has been applied:

image

Step #7 – Configure AD FS authentication on the Outlook on the web and EAC virtual directories

The last step required so that Outlook on the web and EAC redirects authentication to ADFS is to configure AD FS authentication as the only available authentication method and disabling all other authentication methods. The following are additional requirements and recommendations:

  • The EAC virtual directory needs to be configured before the Outlook on the web virtual directory.
  • AD FS authentication can be configured only on Internet-facing Exchange servers that clients use to connect to Outlook on the web and the EAC.
  • By default, only Basic and Forms authentication are enabled for the Outlook on the web and EAC virtual directories.

The following is the cmdlet to configure the EAC or Outlook on the web virtual directory to only accept AD FS authentication:

Set-EcpVirtualDirectory -Identity <VirtualDirectoryIdentity> -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false

**Note that the documentation indicates we should include the following switch:

-OAuthAuthentication $false

However, I’ve noticed that Exchange 2019 does not accept it:

[PS] C:\>Set-EcpVirtualDirectory -Identity "OSMIUM\ecp (Default Web Site)" -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -OAuthAuthentication $false -WindowsAuthentication $false

A parameter cannot be found that matches parameter name 'OAuthAuthentication'.

+ CategoryInfo : InvalidArgument: (:) [Set-EcpVirtualDirectory], ParameterBindingException

+ FullyQualifiedErrorId : NamedParameterNotFound,Set-EcpVirtualDirectory

+ PSComputerName : osmium.bma.local

[PS] C:\>

image

I’ve been able to successfully configure claims-based authentication without settings this parameter so it should be safe to omit.

It would be a good idea to review what the current configuration is for the two directories with the following Get-EcpVirtualDirectory and Get-OwaVirtualDirectory cmdlet prior to performing the changes:

Get-EcpVirtualDirectory -Identity "svr-mail-01\ecp (Default Web Site)" | FL AdfsAuthentication,BasicAuthentication,DigestAuthentication,FormsAuthentication,OAuthAuthentication,WindowsAuthentication

Get-OwaVirtualDirectory -Identity "svr-mail-01\owa (Default Web Site)" | FL AdfsAuthentication,BasicAuthentication,DigestAuthentication,FormsAuthentication,OAuthAuthentication,WindowsAuthentication

image

Get-EcpVirtualDirectory -Identity "svr-mail-01\ecp (Default Web Site)" | FL *auth*

Get-OwaVirtualDirectory -Identity "svr-mail-01\owa (Default Web Site)" | FL *auth*

image

Repeat the same for other Exchange servers if there are more than one in the environment.

Once the current settings have been reviewed, execute the cmdlet to configure the EAC:

Set-EcpVirtualDirectory -Identity "OSMIUM\ecp (Default Web Site)" -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false

image

Execute the cmdlet to configure the OWA:

Set-OwaVirtualDirectory -Identity "OSMIUM\owa (Default Web Site)" -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -OAuthAuthentication $false -WindowsAuthentication $false

Once the directories are set, use the get cmdlets to review the settings:

image

If there are more than 1 server in the environment, use the following cmdlet to set all the servers:

Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -OAuthAuthentication $false -WindowsAuthentication $false

Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -OAuthAuthentication $false -WindowsAuthentication $false

Step #8 – Restart IIS on the Exchange servers

Complete the changes by restarting IIS on the Exchange servers by executing the following cmdlets:

net stop was /y

An output similar to the following will be displayed:

[PS] C:\>net stop was /y

The following services are dependent on the Windows Process Activation Service service.

Stopping the Windows Process Activation Service service will also stop these services.

World Wide Web Publishing Service

Net.Tcp Listener Adapter

Net.Pipe Listener Adapter

Net.Msmq Listener Adapter

The World Wide Web Publishing Service service is stopping.....................................

The World Wide Web Publishing Service service was stopped successfully.

The Net.Tcp Listener Adapter service is stopping.

The Net.Tcp Listener Adapter service was stopped successfully.

The Net.Pipe Listener Adapter service is stopping.

The Net.Pipe Listener Adapter service was stopped successfully.

The Net.Msmq Listener Adapter service is stopping.

The Net.Msmq Listener Adapter service was stopped successfully.

The Windows Process Activation Service service is stopping.

The Windows Process Activation Service service was stopped successfully.

[PS] C:\>

image

Lastly, execute the following for the World Wide Web Publishing Service:

net start w3svc

image

Authentication for both EAC and OWA should now be directed to the AD FS portal.