Azure Multi-Factor Authentication – Part 7: Securing AD FS

• Author
• Recent Posts

Sander Berkouwer

Sander Berkouwer is a Microsoft Certified Professional and a Microsoft Most Valuable Professional (MVP) with over a decade of experience in IT.

Latest posts by Sander Berkouwer (see all)

• Turn the tables on your organization with Adaxes 2018.1’s Web Interface and reporting capabilities - Thu, Sep 20 2018
• Review: Softerra Adaxes – Automating Active Directory management - Thu, Jun 4 2015
• Azure Multi-Factor Authentication – Part 8: Delegating Administration - Tue, Apr 28 2015

Why AD FS?

I’m choosing Active Directory Federation Services (AD FS) because this Microsoft technology supports the identity protocols of the future. These “Identity 2.0” protocols, including SAML, OAuth, OpenID Connect, and SCIP, were purpose-built for the Internet and don’t rely on safe connections or obscure TCP/UDP ports to do their work, like NTLM and Kerberos do. Additionally, I’m using AD FS in Windows Server 2012 R2 for this implementation scenario because this version of AD FS supports the Authentication Extensibility Framework (AEF) to plug into the authentication process with the Azure Multi-Factor Authentication functionality.

This version also supports the notion of authentication policies based on network location (intranet vs. extranet) and whether the device used is WorkPlace-joined by the person using it. Note: This latter functionality requires Windows 8.1 and/or iOS-based devices. You can also use Windows 7 in some scenarios. Click here to read more about these requirements. With the on-premises Multi-Factor Authentication Server installation successfully deployed and connected to the Azure Multi-Factor Authentication service, these systems plug into an existing Windows Server 2012 R2 AD FS implementation with the following characteristics:

• When you have multiple AD FS Servers, the Multi-Factor Authentication AD FS Adapter needs to be installed on at least two servers running AD FS within the networking environment. The AD FS Adapter does not need to be installed on Web Application Proxies or AD FS Proxies.
• Both a 32-bit and a 64-bit version of the Multi-Factor Authentication AD FS Adapter are available. The appropriate version needs to be installed for the architecture of the Windows Server running the AD FS role.
• Servers running AD FS need to be able to communicate over the network with the on-premises Multi-Factor Authentication Servers. Plan for proper name resolution to support this. Because we’ll be configuring the Multi-Factor Authentication AD FS Adapter to communicate with the Web Service SDK, communication using TCP port 443 between the AD FS Server(s) and the Multi-Factor Authentication Server(s) will be sufficient.

Installing the Multi-Factor Authentication AD FS Adapter

Copying the Multi-Factor Authentication AD FS Adapter files

Because we’re installing the Multi-Factor Authentication AD FS Adapter on systems that are not Multi-Factor Authentication Servers themselves, we’ll need to copy some files from our Multi-Factor Authentication Server. A good way to do this is to use portable media (ideal when your servers are not running virtual) and, when your servers have Internet connections (in most cases, they will), using a web portal. Particularly useful web portals for this purpose are SharePoint (Online) and Outlook Web App. Off course, OneDrive will also suffice. Note: When using Outlook Web App, be sure to zip up the files so Outlook Web App doesn’t block them. Copy the following files from the Azure Multi-Factor Authentication Server installation folder (C:\Program Files\Multi-Factor Authentication Server\ by default) on the Multi-Factor Authentication Server to a suitable folder accessible by AD FS Servers:

• msi
• Register-MultiFactorAuthenticationAdfsAdapter.ps1
• Unregister-MultiFactorAuthenticationAdfsAdapter.ps1
• config

I’m choosing C:\Install on the AD FS Servers themselves.

Installing .NET Framework 2.0

The Multi-Factor Authentication AD FS Adapter needs .NET Framework 2.0. Open a Windows PowerShell with elevated rights and perform this PowerShell command: Install-WindowsFeature NET-Framework-Core Note: This installation may take some time because the installation files for the .NET Framework 2.0 features are downloaded from Windows Update. You’ll see it seemingly stalling at 68% progress while it downloads.

Installing the Multi-Factor Authentication AD FS Adapter

To install the Multi-Factor Authentication AD FS Adapter, follow these steps:

1. Log on to the server running AD FS with an account that has sufficient permissions in Active Directory to manage security groups in Active Directory Domain Services (AD DS).
2. Navigate to the folder where you copied the files.
   
3. Click the msi file to select it.
4. Right-click the file and select Install from the context menu.
   
5. On the Confirm Installation window, click Next >.
   
6. On the Installation Complete window, click Close.

Configuring the Multi-Factor Authentication AD FS Adapter

Now, let’s connect the Multi-Factor Authentication AD FS Adapter to the Web Service SDK running on the Multi-Factor Authentication Server. Perform these actions:

1. While still logged on to the server running AD FS, navigate to the folder where you copied the files.
2. Click the config file to select it.
3. Right-click the file and select Open with from the context menu.
4. Follow the Try an app on this PC
5. Select Notepad from the list of available programs.
   
6. Make these four changes in the MultiFactorAuthenticationAdfsAdapter.config file:
   1. Configure the AD FS Adapter to use the Web Service SDK by changing the line that reads <UseWebServiceSdk>false</UseWebServiceSdk> to <UseWebServiceSdk>true</UseWebServiceSdk>.
   2. Between <WebServiceSdkUrl> and </WebServiceSdkUrl>, enter the address for the Web Service SDK on (one of) your Multi-Factor Authentication Server installation(s). By default, this address is https://<FQDN>/MultiFactorAuthWebServiceSDK/PfWsSdk.asmx.
   3. Between <WebServiceSdkUsername> and </WebServiceSdkUsername>, enter the user account details for the service account to access the Multi-Factor Authentication Web Service SDK. Because we’ve created a service account specifically for all these access scenarios in Part 4, use that account. Make sure to specify it in the DOMAIN\Username format.
   4. Between <WebServiceSdkPassword> and </WebServiceSdkPassword>, enter the password for the service account to access the Multi-Factor Authentication Web Service SDK.
7. From the File menu, select Save.
8. From the File menu, select Exit.
9. Click the Register-MultiFactorAuthenticationAdfsAdapter.ps1 file to select it.
10. Right-click the file and select Edit from the context menu to edit the file in the Windows PowerShell Integrated Scripting Environment (ISE).
    
11. In the main pane on the left, edit the Register-MultiFactorAuthenticationAdfsAdapter.ps1 script. Add -ConfigurationFilePath to the end of second line, starting with the Register-AdfsAuthenticationProvider command, followed by the full path to the MultiFactorAuthenticationAdfsAdapter.config file. The contextual highlighting and selection features of the ISE will make this very easy.
    
12. From the File menu, click Save.
13. Register the AD FS Adapter by clicking the green play button in the top menu bar of Windows PowerShell ISE or press F5.
14. You will receive a message stating that Warning: PS0114: The authentication provider was successfully registered with the policy store. To enable this provider, you must restart the AD FS Windows Service on each server in the farm.
15. From the File menu, click Exit.

Restarting the AD FS Service

To complete the configuration of the Multi-Factor Authentication AD FS Adapter, we need to restart the Active Directory Federation Services service: While still logged on to the server running AD FS, open a command prompt as an administrator and run the following command: net stop adfssrv && net start adfssrv When done, close the command prompt.

Enabling multi-factor authentication in AD FS

Enabling multi-factor authentication

To enable MFA in AD FS, perform these actions:

1. While still logged on to the server running AD FS, open Server Manager.
2. In Server Manager, from the Tools menu in the ribbon, select AD FS Management.
3. In the left pane, select Authentication Policies.
4. In the main pane, scroll down a bit to Multi-Factor Authentication and then follow the Edit hyperlink next to the Global Settings.
   
5. On the Multi-factor tab, select WindowsAzureMultiFactorAuthentication as an additional authentication method to enable MFA.
6. Click OK when done.

Requiring multi-factor authentication for a relying party trust

The easiest way to require multi-factor authentication for a relying party trust is to use the built-in authentication policies in AD FS.

1. A little bit farther down the authentication policies, follow the Manage link to define custom settings per relying party.
2. From the list of relying parties, select the relying party trust (RPT) you want to edit and then select Edit Custom Multi-Factor Authentication… from the action pane on the right.
   
3. On the Multi-factor tab, select when to require MFA by selecting Extranet and/or Intranet.
4. Click OK to close the window and apply the settings.

Alternatively, you can use claims issuance authorization rules and define additional granularity for a specific RPT in the claims rule language.

Concluding

To configure AD FS for multi-factor authentication, use the Multi-Factor Authentication AD FS Adapter. Install the adapter on at least two servers. For optimal networking, connect those servers to the Multi-Factor Authentication Web Service SDK on at least two Multi-Factor Authentication Server installations. In the next and final post of my Azure Multi-Factor Authentication series I will discuss the delegation of administration.