Web Application Proxy




Application Proxy
Ing. Ondřej Ševeček, GOPAS a.s.
MCSM:Directory2012, MCM:Directory2008, MVP:Enterprise Security, CEH: Certified Ethical Hacker, CHFI: Computer Hacking Forensic Investigator
ondrej@sevecek.com, www.sevecek.com
GOPAS: info@gopas.cz, www.gopas.cz, www.facebook.com/p.s.gopas

Motivation
- TMG discontinued
  - TCP/IP/ICMP/IPSec/etc. inspection fully replaced with Windows Firewall
  - intrusion prevention filters included in Windows Defender and Microsoft Security Essentials
  - problematic expansion of reverse HTTPS publishing
- Secure reverse HTTPS publishing
  - Windows authentication at the network perimeter
  - forms-based (cookie) authentication with non-browser fallback to Basic and/or a persistent cookie

Principal scenario (internal HTTP or HTTPS)
- internal client in GPS (gopas.virtual): http://portal or https://portal
- external client: https://portal.gopas.cz, through the Reverse HTTPS Proxy to the internal server

Principal scenario (SharePoint, AAM)
- internal client in GPS (gopas.virtual): http://intranet
- external client: https://sp.gopas.cz, through the Reverse HTTPS Proxy to the internal server

Another bit of motivation
- SharePoint: not everything requires authentication
- HTTP level protocol exploits
- many many many IIS modules to pass

Reverse HTTPS proxy general requirements
- Require HTTPS from client
  - possibly redirect to secure traffic
  - rather do not redirect, to discourage HTTPS strip
  - minimize the number of public TLS certificates
- Decrypt HTTPS at the perimeter
  - possibly inspect, define rules or extend with third-party
  - translate external URI to internal host names and paths
  - forward a different host header
- Authenticate users at the perimeter
  - Windows authentication against Active Directory
  - allow other authentication databases if necessary
- Forward user credentials to the application
  - Windows authentication (WIA) delegation with Kerberos
  - claims with Windows Identity Foundation

WAP on Windows 2012 R2
WAP covers the same general requirements:
- Require HTTPS from client
  - possibly redirect to secure traffic
  - rather do not redirect, to discourage HTTPS strip
  - minimize the number of public TLS certificates
- Decrypt HTTPS at the perimeter
  - possibly inspect, define rules or extend with third-party
  - translate external URI to internal host names and paths
  - forward a different host header
- Authenticate users at the perimeter
  - Windows authentication against Active Directory
  - allow other authentication databases if necessary
- Forward user credentials to the application
  - Windows authentication delegation with Kerberos
  - claims with Windows Identity Foundation
- TLS SNI as a bonus over TMG
- plus Extended Protection for Authentication (NTLM mutual authentication)

Wait. First make Kerberos work internally
- server GPS-WFE1, application accessible at http://portal
- application pool running under ApplicationPoolIdentity
- IIS Windows Authentication enabled, Kernel Mode Authentication enabled
- DNS name portal.gopas.virtual = A record
- set servicePrincipalName (SETSPN) on GPS-WFE1: http/portal, http/portal.gopas.virtual

Wait some more. Yet make Kerberos work internally even for SharePoint
- server GPS-SP, application accessible at http://intranet
- application pool running under sp-intranet-web
- IIS Windows Authentication enabled, Kernel Mode Authentication disabled
- DNS name intranet.gopas.virtual = A record
- set servicePrincipalName (SETSPN) on sp-intranet-web: http/intranet, http/intranet.gopas.virtual

External authentication
Authentication methods a Reverse HTTPS Proxy can require from external clients:
- Basic
- Windows NTLM
- Windows Kerberos
- Forms/cookie
- TLS client certificate
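The SPN registration from the two "make Kerberos work internally" slides, together with the checks that tell you whether Kerberos is really being used, can be scripted. This is an added example and not part of the presentation; the names GPS-WFE1, sp-intranet-web, portal, intranet and gopas.virtual are the slides' own, and the script assumes an elevated, domain-joined Windows PowerShell session with setspn.exe and the ActiveDirectory module available.

```powershell
# Added example (not from the presentation). Register the SPNs from the slides
# on the right account and check that Kerberos (not NTLM) is actually used.
# Run as a user allowed to write servicePrincipalName (e.g. Domain Admins).
Import-Module ActiveDirectory

$spnMap = @(
    # Kernel Mode Authentication enabled -> the ticket is decrypted with the
    # machine account key, so the SPN belongs on the computer object
    @{ Account = 'GPS-WFE1';        Spns = 'http/portal',   'http/portal.gopas.virtual' },
    # Kernel Mode Authentication disabled, custom app pool identity -> the
    # SPN belongs on the service account the pool runs under
    @{ Account = 'sp-intranet-web'; Spns = 'http/intranet', 'http/intranet.gopas.virtual' }
)

foreach ($entry in $spnMap) {
    foreach ($spn in $entry.Spns) {
        # -S refuses to add an SPN that already exists anywhere in the forest;
        # a duplicate SPN breaks Kerberos for that service (clients fall back to NTLM)
        setspn -S $spn $entry.Account
    }
}

# Forest-wide duplicate check, independent of what was just added
setspn -X -F

# Show what ended up on each account
Get-ADComputer -Identity 'GPS-WFE1' -Properties servicePrincipalName |
    Select-Object -ExpandProperty servicePrincipalName
Get-ADUser -Identity 'sp-intranet-web' -Properties servicePrincipalName |
    Select-Object -ExpandProperty servicePrincipalName

# End-to-end check from a domain-joined client: after one request the ticket
# cache must contain a service ticket for http/portal; if it does not, the
# client and IIS negotiated NTLM and something above is still wrong
klist purge | Out-Null
Invoke-WebRequest -Uri 'http://portal' -UseDefaultCredentials -UseBasicParsing | Out-Null
klist | Select-String -Pattern 'http/portal'
```

The last three lines are the part worth keeping around: a missing `http/portal` entry in `klist` after a successful request is the quickest sign that the application silently fell back to NTLM, which is exactly the case where the later Kerberos constrained delegation from WAP will fail.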

External authentication challenges

| External authentication | Facts | Internal forwarding | Notes |
|---|---|---|---|
| Basic | plain-text, TLS encrypted, no SSO | easy | no browser sign-out, no timeout, non-browser clients |
| Windows NTLM | SSO | Kerberos constrained delegation | complicated, sensitive |
| Windows Kerberos | not possible without direct contact with a domain controller | Kerberos constrained delegation impossible | |
| Forms/cookie | plain-text, no SSO, session vs. persistent cookie | easy, claims (SAML token) | sign-out, timeout, browser clients |
| TLS client certificate | safe against password guessing, safe against HTTP exploits | Kerberos constrained delegation, claims (SAML token) | only for "partners", can use smart-cards, both clients |

Scenario with an authentication server
- external https://portal.gopas.cz published by WAP to the internal http://portal
- WAP pre-authenticates users against a separate authentication server (RADIUS?)

Scenario with ADFS authentication server
- external https://portal.gopas.cz published by WAP to the internal https://portal
- WAP pre-authenticates users against ADFS

Standard web-based authentication
- Active Directory Federation Services (ADFS)
- HTTP server providing several web-based authentication mechanisms
  - Active Directory (ADDS)
  - Active Directory Lightweight Directory Services (ADLDS)
  - any third party
- produces claims or cookies in various formats
  - WS-Trust or SAML token for active clients
  - WS-Federation (SAML 1.1) and SAML 2.0 for passive clients
  - OAuth for semi-passive clients
- required by Office365/AzureAD for on-premises hybrid deployments

ADFS version history

| Version | OS | Notes |
|---|---|---|
| ADFS 1.0 | Windows 2003 R2 | included, runs in IIS |
| ADFS 1.1 | Windows 2008, Windows 2008 R2 | included, runs in IIS |
| ADFS 2.0 | Windows 2008, Windows 2008 R2 | download, runs in IIS |
| ADFS 2.1 | Windows 2012 | included, runs in IIS |
| ADFS 3.0 | Windows 2012 R2 | included, direct hosting on HTTP.SYS, TLS SNI support, PowerShell only config (plus HTML) |

Simple ADFS terminology
- a client in GPS (gopas.virtual) authenticates to ADFS (https://adfs.gopas.cz) with WIA (Kerberos), Basic or Forms
- the authentication produces incoming claims
- ADFS transforms them into outgoing claims, delivered as a "cookie" or "token"

ADFS internal testing
- an internal client in GPS (gopas.virtual) authenticates directly to ADFS at https://adfs.gopas.cz with WIA (Kerberos), Basic or Forms

ADFS public access with WAP acting as an ADFS proxy
- external clients reach https://adfs.gopas.cz through WAP, which forwards to the internal ADFS at https://adfs.gopas.cz
- both passive (browser) and active clients are proxied

ADFS configuration notes
- must be a Domain Admins member to install ADFS (some stupid customer requirement)
  - installer account must be sysadmin in the DB
  - ADFS service account gets a servicePrincipalName; Domain Admins can write it, does not require self registration
  - creates an AD container: CN=Program Data / CN=Microsoft / CN=ADFS / CN=CertificateSharingContainer / x
- NETSH HTTP SHOW SSLCERT
- NETSH HTTP SHOW SERVICESTATE | findstr :443
- WAP connects over Admin$ to ADFS
- ADFS service account must be a member of WAAG if user attributes are to be used as filters on incoming claims
- testing ADFS from browser: the F12 developer toolbar does not show authentication headers; use Fiddler with TLS inspection

Testing ADFS from browser
- https://adfs.gopas.cz/federationmetadata/2007-06/federationmetadata.xml
  - anonymously available
- https://adfs.gopas.cz/adfs/ls/idpinitiatedsignon.htm
  - manually initiated from the browser
- https://adfs.gopas.cz/adfs/ls?wa=wsignin1.0&wtrealm=https://portal.gopas.cz
  - WS-Federation sign-in URL, you receive a SAML 1.1 token
  - configured as: WS-Federation Passive Endpoints on the Endpoints tab
- https://adfs.gopas.cz/adfs/ls?SAMLRequest=base64request
  - SAML 2.0 sign-in URL, returns a SAML 2.0 token
  - configured as: SAML Assertion Consumer Endpoints on the Endpoints tab
- https://adfs.gopas.cz/adfs/oauth2/authorize?response_type=code&client_id=11111111-2222-3333-4444-123456789012&redirect_uri=https://portal.gopas.cz&resource=https://portal.gopas.cz
  - OAuth sign-in URL, returns an OAuth token, only for active clients
  - configured as: no endpoint, plus use Get-Adfs and Add-Adfs
- sign-out
  - https://adfs.gopas.cz/adfs/ls/?wa=wsignout1.0
  - https://adfs.gopas.cz/adfs/ls/?wa=wsignout1.0&wreply=https://www.google.cz

Testing ADFS from browser
- Get-AdfsProperties shows that extended protection is required for WIA
  - to enable WIA for Firefox, set ExtendedProtectionTokenCheck = 'None'
  - in Firefox type 'about:config', filter for 'ntlm', add 'adfs.gopas.cz' to the 'network.automatic-ntlm-auth.trusted-uris' setting
- WIASupportedUserAgents: MSIE, MSAuthHost/1.0/In-Domain, Trident/7.0, MSIPC, Windows Rights Management
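The same endpoints can be probed from PowerShell instead of a browser, which makes the check repeatable after each ADFS or WAP change. This is an added example, not code from the presentation; it uses the slides' host names (adfs.gopas.cz, portal.gopas.cz), is written for Windows PowerShell 5.1 and parses the anonymous federation metadata plus the WS-Federation sign-in URL from the slide.

```powershell
# Added example (not from the presentation). Probe the ADFS endpoints from
# the slides and summarise what is exposed. Host names are the slides' own
# (adfs.gopas.cz, portal.gopas.cz). Written for Windows PowerShell 5.1.
function Get-AdfsMetadataSummary {
    param([string]$AdfsHost = 'adfs.gopas.cz')
    # Federation metadata is anonymous by design: it publishes the entityID,
    # the token-signing certificate(s) and every passive sign-in endpoint.
    $uri = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
    [xml]$md = (Invoke-WebRequest -Uri $uri -UseBasicParsing).Content
    $ns = @{
        md = 'urn:oasis:names:tc:SAML:2.0:metadata'
        ds = 'http://www.w3.org/2000/09/xmldsig#'
    }
    $sso = Select-Xml -Xml $md -Namespace $ns -XPath '//md:IDPSSODescriptor/md:SingleSignOnService' |
        ForEach-Object { '{0} -> {1}' -f $_.Node.Binding, $_.Node.Location }
    # Signing certificates are what every relying party trusts; watch their expiry
    $signing = Select-Xml -Xml $md -Namespace $ns `
        -XPath '//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]//ds:X509Certificate' |
        ForEach-Object {
            $raw  = [Convert]::FromBase64String($_.Node.InnerText.Trim())
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$raw)
            '{0} (expires {1:u})' -f $cert.Subject, $cert.NotAfter
        }
    [pscustomobject]@{
        EntityId     = $md.EntityDescriptor.entityID
        SingleSignOn = @($sso)
        SigningCerts = @($signing)
    }
}

function Test-AdfsSignInEndpoint {
    param(
        [string]$AdfsHost = 'adfs.gopas.cz',
        [string]$Realm    = 'https://portal.gopas.cz'
    )
    # WS-Federation passive sign-in URL from the slide. Report the status and
    # any WWW-Authenticate header: through WAP an external client should get
    # the forms page (200) or a redirect, not a Negotiate/NTLM challenge.
    $url = "https://$AdfsHost/adfs/ls/?wa=wsignin1.0&wtrealm=$([uri]::EscapeDataString($Realm))"
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
        $status = [int]$r.StatusCode; $headers = $r.Headers
    } catch {
        # 3xx with -MaximumRedirection 0 and 4xx/5xx arrive here as exceptions
        $resp = $_.Exception.Response
        if (-not $resp) { throw }
        $status = [int]$resp.StatusCode; $headers = @{}
        foreach ($k in $resp.Headers.AllKeys) { $headers[$k] = $resp.Headers[$k] }
    }
    [pscustomobject]@{
        Url             = $url
        Status          = $status
        Location        = $headers['Location']
        WwwAuthenticate = $headers['WWW-Authenticate']
    }
}

Get-AdfsMetadataSummary | Format-List
Test-AdfsSignInEndpoint | Format-List
```

Run it once from the inside and once from the outside: the metadata should be identical from both sides, while the sign-in endpoint should offer WIA only to the internal run, which is what the x-ms-proxy header logic in the next slide is about.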

HTTP cookies generally
- Name=Value; Name=Value; ...
- Path=/subPath
  - limited to a subpath
- Domain=.gopas.cz
  - can enable a cookie set from one subdomain to go to other third-level subdomains
- Expires=23-May-2015 22:13:08 GMT
- Max-Age=[seconds]
  - expiration in the browser is not enforced; servers must expire cookies themselves

How ADFS knows what is internal and what is an external client
- the ADFS proxy must forward requests with x-ms-proxy and x-ms-endpoint-absolute-path
- you cannot simply proxy the internal WAP-ADFS communication with Fiddler, because it is mutually authenticated
- any reverse web proxy is supported, not just WAP
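When reviewing what a published application or ADFS hands to the browser, the attributes listed above are what you look at: Domain scope, session versus persistent lifetime, and the Secure/HttpOnly flags. The following is an added example, not part of the presentation: a small Set-Cookie parser plus a review function, run over constructed sample headers (the cookie names are illustrative, the domain gopas.cz is the slides' own).

```powershell
# Added example (not from the presentation). Parse Set-Cookie headers and flag
# the attributes that matter for a perimeter publish. The sample headers at
# the bottom are constructed for illustration.
function ConvertFrom-SetCookieHeader {
    param([Parameter(Mandatory)][string]$Header)
    $parts     = @($Header -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $nameValue = $parts[0] -split '=', 2
    $c = [ordered]@{
        Name = $nameValue[0]; Value = $nameValue[1]
        Domain = $null; Path = $null; Expires = $null; MaxAge = $null
        Secure = $false; HttpOnly = $false
    }
    # RFC 1123 date plus the hyphenated form shown on the slide
    $expiresFormats = [string[]]@('r', "dd-MMM-yyyy HH:mm:ss 'GMT'", "ddd, dd-MMM-yyyy HH:mm:ss 'GMT'")
    foreach ($attr in ($parts | Select-Object -Skip 1)) {
        $kv = $attr -split '=', 2
        switch ($kv[0].ToLowerInvariant()) {
            'domain'   { $c.Domain = $kv[1] }
            'path'     { $c.Path = $kv[1] }
            'max-age'  { $c.MaxAge = [int]$kv[1] }
            'secure'   { $c.Secure = $true }
            'httponly' { $c.HttpOnly = $true }
            'expires'  {
                $c.Expires = [datetime]::ParseExact($kv[1], $expiresFormats,
                    [cultureinfo]::InvariantCulture,
                    [System.Globalization.DateTimeStyles]::AssumeUniversal)
            }
        }
    }
    # Session cookie = neither Expires nor Max-Age. Max-Age wins when both are
    # present (RFC 6265), and the browser may ignore either, so server-side
    # expiry is the only control you can count on.
    $c.Persistent = ($null -ne $c.Expires) -or ($null -ne $c.MaxAge)
    [pscustomobject]$c
}

function Test-CookieForPerimeter {
    param([Parameter(Mandatory)]$Cookie, [Parameter(Mandatory)][string]$PublishedHost)
    $findings = @()
    if (-not $Cookie.Secure)   { $findings += 'no Secure flag: also sent on plain HTTP' }
    if (-not $Cookie.HttpOnly) { $findings += 'no HttpOnly flag: readable from script' }
    if ($Cookie.Domain) {
        # Domain=.gopas.cz makes the cookie travel to every other third-level
        # name under gopas.cz, i.e. to every application published there
        $parent = $Cookie.Domain.TrimStart('.')
        if ($parent -ne $PublishedHost) {
            $findings += "Domain=$($Cookie.Domain) shares the cookie with all hosts under $parent"
        }
    }
    if ($Cookie.Persistent) {
        $findings += 'persistent cookie: survives browser close, no implicit sign-out'
    }
    [pscustomobject]@{ Name = $Cookie.Name; Persistent = $Cookie.Persistent; Findings = $findings }
}

# Constructed sample headers (values are placeholders)
$samples = @(
    'AuthSession=sample1; path=/adfs; HttpOnly; Secure',
    'AppAuth=sample2; expires=23-May-2015 22:13:08 GMT; path=/; Domain=.gopas.cz',
    'SessionId=sample3; Path=/; Max-Age=3600'
)
foreach ($h in $samples) {
    Test-CookieForPerimeter -Cookie (ConvertFrom-SetCookieHeader $h) -PublishedHost 'portal.gopas.cz' |
        Format-List
}
```

The second sample reproduces the slide's Domain=.gopas.cz and Expires values and is reported as a persistent cookie shared across all gopas.cz subdomains without Secure or HttpOnly; the first is what you want to see from a pre-authentication cookie.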

Testing ADFS from client
- use Fiddler to decrypt HTTPS
- use Windows Identity Foundation to request active responses
  - cannot produce SAML 2.0 (SAML-Protocol) cookie-based responses

Publishing simple WIA web application
- internal http://portal, reached by WAP with Kerberos delegation
- external https://portal.gopas.cz published by WAP, pre-authentication at https://adfs.gopas.cz (ADFS)

Kerberos delegation requirements
- Kerberos working internally (WAP to WEB)
  - http/portal, http/portal.gopas.virtual
  - or any arbitrary SPN specified in the WAP configuration
- Kerberos delegation for the WAP server
  - Trust this computer to specified services only, Use any authentication protocol
- WAP member of Windows Authorization Access Group (WAAG)
  - restart the WAP machine

Alternative attribute stores
- LDAP connection string: LDAP://localhost:11111/cn=Users,o=GOPAS
  - ADFS authenticates against ADLDS with its service account
- SQL connection string: =GPS-DATA;Database=PartnerAccounts;Integrated Security=True;Encrypt=True
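The three delegation requirements above map onto two AD attributes and one group membership on the WAP computer object, after which the application is published with the SPN WAP should delegate to. This is an added example and not the presentation's own code; GPS-WAP is a placeholder name for the WAP server (the slides do not name it), the relying party name and certificate thumbprint are placeholders, and portal, GPS-WFE1 and gopas.virtual come from the slides.

```powershell
# Added example (not from the presentation). Configure the delegation
# prerequisites from the slide. 'GPS-WAP' is a placeholder for the WAP server
# (the slides do not name it); portal and gopas.virtual are from the slides.
# Part 1 runs as Domain Admin on an admin workstation, part 2 on the WAP
# server itself after a reboot.
Import-Module ActiveDirectory

$wapComputer = 'GPS-WAP'
$backendSpns = 'http/portal', 'http/portal.gopas.virtual'

# Part 1: AD side
# "Trust this computer for delegation to specified services only" -> the
# allowed target SPNs are listed in msDS-AllowedToDelegateTo on the WAP
# computer object; the KDC refuses delegation to anything not listed
Set-ADComputer -Identity $wapComputer -Add @{ 'msDS-AllowedToDelegateTo' = $backendSpns }

# "Use any authentication protocol" -> TRUSTED_TO_AUTH_FOR_DELEGATION
# (protocol transition). WAP only holds the user's ADFS token, not a Kerberos
# ticket it could forward, so it must be allowed to obtain a ticket on the
# user's behalf. This is the "sensitive" part of the table: a compromised WAP
# can act as any user that is not marked sensitive towards the listed SPNs,
# which is why the SPN list above must stay as short as possible.
Set-ADAccountControl -Identity "$wapComputer`$" -TrustedToAuthForDelegation $true

# WAAG membership lets WAP read the token groups of the users it impersonates
Add-ADGroupMember -Identity 'Windows Authorization Access Group' `
    -Members (Get-ADComputer -Identity $wapComputer)

# Verify: bit 0x1000000 of userAccountControl is TRUSTED_TO_AUTH_FOR_DELEGATION
$wap = Get-ADComputer -Identity $wapComputer -Properties 'msDS-AllowedToDelegateTo', userAccountControl
[pscustomobject]@{
    ProtocolTransition  = [bool]($wap.userAccountControl -band 0x1000000)
    AllowedToDelegateTo = $wap.'msDS-AllowedToDelegateTo'
}

# Part 2: on the WAP server, after Restart-Computer so the new group
# membership and delegation settings are picked up, publish the WIA app.
# 'Portal' must match the relying party trust name in ADFS (placeholder);
# the thumbprint placeholder is the public certificate for portal.gopas.cz.
Add-WebApplicationProxyApplication -Name 'Portal' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'Portal' `
    -ExternalUrl 'https://portal.gopas.cz/' `
    -BackendServerUrl 'http://portal/' `
    -BackendServerAuthenticationSpn 'http/portal' `
    -ExternalCertificateThumbprint '<thumbprint-of-portal.gopas.cz-certificate>'
```

BackendServerAuthenticationSpn is the "arbitrary SPN specified in the WAP configuration" from the slide; it must appear both there and in msDS-AllowedToDelegateTo, otherwise WAP pre-authenticates the user successfully and the backend still answers 401.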

Publishing SharePoint
- best practice: run the internal SP web on the public name since the very start
  - SharePoint must know the host name that the client uses
- running SharePoint on an internal name
  - WAP should always forward with the external host header
  - WAP cannot define a different host header for a different internal name/IP translation
  - WAP must use HOSTS or internal DNS records

Scenario for SharePoint publishing
- ok if non-host-header web binding or the same public/private host header (maybe AAM)
- internal http://intranet (GPS, gopas.virtual); external https://sp.gopas.cz, forwarded by the Reverse HTTPS Proxy with the host header https://sp.gopas.cz

Extend web application first (maybe AAM) for host header web binding
- internal http://intranet extended to http://sp.gopas.cz (GPS, gopas.virtual)
- external https://sp.gopas.cz, forwarded by the Reverse HTTPS Proxy with the host header https://sp.gopas.cz

Thank you

My training in GOPAS
- GOC166 - Advanced ADFS
- GOC167 - Troubleshooting Remote Access, VPN and DirectAccess
- GOC169 - ISO/IEC 2700x in Windows environment
- GOC171 - Active Directory Troubleshooting
- GOC172 - Kerberos Troubleshooting
- GOC173 - Enterprise PKI Deployment
- GOC175 - Advanced Windows Security
- GOC174 - SharePoint Troubleshooting