Tag Archives: ADFS

ADFS and Office Modern Authentication, What Could Possibly Go Wrong?

We’ve recently thrown the load balancer switch to send users to our new ADFS 4.0 farm rather than the old ADFS 2.x farm. My first baby steps in this process were documented in a prior post.1 It turns out that was just the beginning of this long, tortured journey. Things got very complicated when we started getting errors from users of Outlook hitting our Office 365 Exchange Online. In my prior post I explain how SAML Tracer can be helpful. However, you can’t use a browser-based HTTP debugger/tracer with a thick client like Outlook. In these cases Fiddler is your friend.

Many of the Office 2016 apps (and some of the Office 2013 apps with the right updates and registry settings) can use what Microsoft likes to call Modern Authentication. This is nothing but a lame pseudonym for OpenID Connect. OIDC, as it is abbreviated, uses a web-API friendly exchange to authenticate users. This is in contrast with the older and well established SAML and WS-Trust authentication protocols which are SOAP-based. We don’t (yet) use MFA with Office 365 so the settings I discussed in the prior article don’t apply to it.

Older versions of the Office thick clients use basic authentication with Office 365. The app puts up a credential dialog and then sends the user’s credentials to the O365 service where the actual authentication against Azure AD takes place. The user credentials are protected by TLS. This means that the user has to enter their credentials each time they start the app unless they choose to have the credentials stored locally. The biggest downside to this is that those locally stored credentials can easily be harvested by malware.

How does OIDC change the authentication flow? Newer Office apps open a window that hosts a browser which the app directs to the address of the OIDC provider (OP) configured during auto-discovery. The OP puts up a web form to collect the user’s credentials and, after validating them, returns two JSON web tokens. One is an app authentication token, the other is a refresh token which can be used by the app to request a new auth token when the current one expires. Thus the user’s credentials are never stored locally. The app and refresh tokens could be replayed but they are bound to the app so their loss would be far less damaging.

The Office 365 OP is the familiar https://login.windows.net and/or login.microsoftonline.com which both sit in front of Azure Active Directory (AAD). Things get more complicated when ADFS is in the mix and it really is a bit of a mess when your ADFS is using a SAML Claims Trust Provider (CTP). The UW, like many higher-ed institutions, uses the community developed Shibboleth SAML IdP and our ADFS is configured with it as the CTP. This means we get an authentication flow that transitions between 3 different protocols. The initial step from the Office app uses OIDC. AAD then calls ADFS using WS-Trust. ADFS then translates the WS-Trust call into a SAML protocol call to Shibboleth and the whole process unwinds as the security tokens are returned.2 As you can see there are lots of places where things can go haywire.

Our first sign of something amiss was users reporting this error when they attempted to sign on after the switch to ADFS 4.0.

ADFS error

Error shown by ADFS

Ah-ha, there is an Activity ID. I can look that up in the ADFS event logs to get more detail. Except that the logs didn’t say anything other than there had been an authentication failure. Not very helpful. Here is where breaking out Fiddler becomes necessary. As an aside I recommend running Fiddler from an otherwise unused machine because it captures all network traffic. Your typical workstation is going to be way too noisy which will clutter the network capture with lots of extraneous traffic. I use a virtual machine for this purpose so that nothing is running other than the app (usually Outlook) and Fiddler.

I’m not going to spend time describing how to use Fiddler. There are lots of web articles on that topic.3 What I discovered is that Azure AD (AAD) was sending a WS-Trust request to ADFS with a URL query parameter of:4

wauth=http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password

ADFS then sends this same URI as the SAML AuthnContextClassRef to Shibboleth. This parameter value is not a part of the SAML spec so Shib returned an error and ADFS then displayed its error.

If you recall from my prior post there is an ADFS CTP property called CustomMfaUri that gets applied in the MFA case. Unfortunately Microsoft did not create a corresponding non-MFA property. I’ve asked them to consider creating a CustomDefaultUri property. We’ll see if that gains any traction.

At this point I called Microsoft Premier Support to find out what, if anything, could be done to fix this. The support engineer took a look at the Fiddler trace and pointed out something I hadn’t noticed. Outlook 2016 was adding a “prompt=login” parameter to its OIDC login request. AAD translates this into the WS-Trust wauth parameter. He told me that this AAD behavior is configurable and that I should follow example 3 of this article https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-prompt-login. That indeed fixed the issue. Wauth is an optional WS-Trust parameter. Password authentication is the default in the absence of this parameter. The SAML AuthnRequest created by ADFS when there is no wauth has no AuthnContextClassRef so Shib also defaults to password authentication.

Our celebration of success was short-lived as other users continued to have similar login problems. What we discovered is that different versions of Office and Outlook 2016 have different “modern auth” behavior. The click-to-run version downloaded from the Office 365 site sends the prompt=login parameter. However, the MSI volume licensed version we distribute to campus is an older build of Office 2016 and it instead sends a different OIDC parameter: “amr_values=pwd”. There is no AAD property to configure the behavior with this parameter, it results in the above wauth being sent to ADFS. As far as we can tell there is no update that can be applied to the MSI version to have it change its behavior to send the “prompt=login” parameter. At this point the MS support engineer had no suggestions.

I’m thinking we have 3 options. The first is to convince everyone with the MSI version to uninstall it and install the c2r version. This is a non-starter because campus IT has no real authority; there is no way to force people to upgrade. We still have thousands of people running Windows 7 and a few even with XP! The next option to consider was writing an F5 load balancer iRule to do a URL rewrite to remove the wauth parameter. That solution would not work in the long run because we want to use AAD conditional access to do a structured roll-out of MFA. Removing the wauth would negate the requirement to use MFA. We could detect this specific wauth and only remove it but now the iRule is becoming fairly complex. So the third option was to ask the Shibboleth team to accept the Microsoft URI as a legitimate proxy for the PasswordProtectedTransport URI which is defined by the SAML spec.3

The Shib team made the change and now things are working properly. To quote Jim the lead engineer “We frequently have to make accommodations for vendor apps that are not spec compliant.” A better solution would be for Microsoft to more fully support SAML-spec IdPs as CTPs. Another solution would be to do password hash sync from AD to AAD so that AAD could handle the login without ADFS or Shibboleth in the mix. However we are concerned about introducing a second login portal to our campus users. We have enough of a problem with phishing and this would only complicate matters. We’ll see which way we end up going.

Endnotes

ADFS 4.0, Shibboleth and MFA

The University of Washington uses the InCommon Shibboleth SAML identity provider for web SSO. We run ADFS as a proxy between Office 365/Azure AD and our on-premise identity systems. Our ADFS is configured to use our Shib IdP as an additional “Claims Trust Provider” (CTP). We do this for two reasons: we want all web SSO to have the same login experience and we provide multi-factor authentication through our Shib service. The problem I was working to solve was how to configure ADFS 4.0 to require MFA through our Shib instance.

We initially set up what is known as ADFS 2.0. This was a downloadable upgrade to the original version of ADFS that shipped with Windows Server 2008. ADFS normally would show a “Home Realm Discovery” (HRD) page if there is more than one CTP (with AD being the default CTP). We wanted our ADFS relying parties (RPs) to go straight to Shibboleth, so we modified the HRD page code to effect this. We also used this modified code to require MFA for certain RPs. When ADFS 3.0 was released with WS 2012 R2 it threw a monkey wrench into this design. ADFS 3.0 no longer ran as an IIS web site such that the HRD page code was no longer accessible to be modified. We discovered that you can configure RPs to go to a specific CTP, but we were stymied as to how to require MFA. In the interim ADFS 4.0 was released with WS 2016 and yet the solution to the MFA problem remained elusive. I finally opened a support request with Microsoft to seek an answer to this problem. Here is what I’ve learned.

It turns out this is a two step solution. The first step is configuring your CTP for MFA. The second step is to configure RPs to require MFA.

Almost all advanced ADFS settings are accessed via PowerShell. There are new parameters to the familiar PS commandlets that are of interest. Here are those new commands and how they would be applied to solve our conundrum.

Configuring the Shibboleth CTP

You need to tell ADFS how to invoke MFA through the CTP. Our Shibboleth IdP will require MFA if it receives an AuthNRequest containing an AuthnContextClassRef with the value of

Note that this is the value that our Shibboleth is configured to look for. Your Shib installation may use a different URI to signal MFA.

Hint: use Firefox and its SAML Tracer plugin to trace a login session. SAML Tracer helpfully decodes the SAML token so you can examine it along with the rest of the HTTP exchange.

A WS-Federation authentication request can effect this request for MFA by setting the wauth parameter to the above value. ADFS translates this WS-Fed request into a SAMLP AuthnRequest with the required AuthnContextClassRef value of this URI. If you have a WS-Fed RP that can’t be configured to send the wauth parameter, or if you need to enforce MFA at the IdP, then this won’t work. Instead you configure ADFS so it knows how to make this request using the following PowerShell.

First, to get the current CTP state you can call

The parameter of interest is CustomMFAUri. Use the following code to set it.

Now ADFS knows how to ask for MFA from our SAML IdP.

Configuring Your Relying Parties

We want to send all of our RPs to our Shib CTP. Use the following PowerShell to do this.

You could script this by sending the output of Get-AdfsRelyingPartyTrust to the above command. Note also that since we set a display name on the CTP we had to use that rather than the URN identifier.

The next step is configuring those RPs of which you require MFA. That is done with this command

Now an incoming authentication request to the RP will result in our Shib prompting for the second factor after the entry of the correct user name and password.

I did a search on the RequestMFAFromClaimsProviders parameter after being told about its existence and didn’t find much. The MS documentation is useless and gives no examples of the use of this and the related parameters. I did find one non-MS blog post here, but it was rather general in nature. I hope these detailed instructions help those who want to use Shibboleth as their institutional identity provider via ADFS.