Summary
This document will guide you through the steps to enable federation and multifactor authentication for Microsoft RDWeb.
System Requirements
- PhenixID Authentication Server 2.0 or higher
- Microsoft RDWeb installed and configured
- Windows Identity Foundation (WIF) 3.5/4.0 (on RDWeb server)
- Windows Identity Foundation SDK 4.0 (on RDWeb server)
- Claims to Windows Token Service (c2wts) enabled (on RDWeb server)
- Microsoft AD FS installed (can be on the same machine as RDWeb or on another machine)
Instruction
Overview
Federation and multifactor authentication for RDWeb are achieved by combining the services listed above: PhenixID Authentication Server acts as SAML identity provider and is where the user authenticates (including the second factor), AD FS trusts it as a claims provider and issues WS-Federation tokens to RDWeb, and the Windows Identity Foundation modules on the RDWeb server turn the UPN in that token into a Windows identity through the Claims to Windows Token Service.
PhenixID Server acting as SAML IdP
- Set up PhenixID Authentication Services as a SAML IdP using one of the Federation scenarios described here. (If the desired authentication method is not provided by a scenario, use the documentation for the SAML authenticator here.) This is where the multifactor authentication takes place; AD FS and RDWeb only consume the result.
- Then export your SAML IdP metadata by going to the URL:
https://<YourServerDomainName>/saml/authenticate/<authenticator_alias>?getIDPMeta
and save the metadata to an XML file.
Configure ADFS with Claimsprovider and rules
We will add a claims provider trust for the PhenixID IdP by importing its SAML metadata. A claim rule that passes the Name ID through will then be configured on the trust.
- Start AD FS Management
- Click Trust Relationships/Claims Provider Trusts
- Right-click and choose "Add Claims Provider Trust…"
- Choose a method to import your metadata
- Enter a display name and click Next
- Click Next until Close
- Claim rules: Add Rule…
- Template: "Pass Through or Filter an Incoming Claim"
- Set a rule name
- "Incoming claim type" = Name ID
- "Incoming name ID format" = Unspecified
- Finish
Export metadata from ADFS/Import metadata to IdP
- Open a web browser and go to the URL:
https://<adfs_domain>/FederationMetadata/2007-06/FederationMetadata.xml
- Save the data to a file (in the example below named adfs_demo_FederationMetadata.xml)
- This metadata will now be imported into the PhenixID Server acting as IdP
- Put the file in /resources
- Restart the service
- Now go to PhenixID Configuration portal and login
- Go to tab Configuration
- Verify the file has been imported under Resources
- Go to SAML 2 meta loading
- Add the entity ID of the AD FS metadata as "id", and set "resource" to the file name of the exported metadata, example:
  {
    "id": "http://adfs.demo.phenixid.net/adfs/services/trust",
    "resource": "adfs_demo_FederationMetadata.xml"
  }
- Then press Stage/Commit changes
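The "id" value above must be exactly the entityID attribute of the AD FS federation metadata. The following PowerShell is an added example (it is not part of this document or of the PhenixID product) that downloads the metadata into the IdP's resources directory, prints the entity ID, the AD FS signing certificate and the AssertionConsumerService endpoints for review, and emits the SAML 2 meta loading entry. The AD FS host name, the resources directory and the file name are assumptions; adjust them to your environment.

```powershell
# Added example (not from the PhenixID document). Assumptions: AD FS host name,
# the PhenixID resources directory and the metadata file name.
$AdfsHost     = 'adfs.demo.phenixid.net'
$MetadataUrl  = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
$ResourceDir  = 'C:\Program Files\PhenixID\resources'      # assumed path of the IdP's /resources
$ResourceName = 'adfs_demo_FederationMetadata.xml'
$MetadataFile = Join-Path $ResourceDir $ResourceName

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Fetch over TLS from the AD FS server itself; that TLS connection is what makes
# the downloaded entity ID and signing certificate trustworthy.
Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing -OutFile $MetadataFile

[xml]$md  = Get-Content -Path $MetadataFile -Raw
$entityId = $md.EntityDescriptor.entityID

# The certificate AD FS (acting as SP towards PhenixID) signs its SAML messages with.
$signingB64 = ($md.EntityDescriptor.SPSSODescriptor.KeyDescriptor |
    Where-Object { $_.use -eq 'signing' } |
    Select-Object -First 1).KeyInfo.X509Data.X509Certificate
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (,[Convert]::FromBase64String($signingB64.Trim()))

"entityID            : $entityId"
"Signing certificate : $($signingCert.Subject)"
"  Thumbprint        : $($signingCert.Thumbprint)"
"  Expires           : $($signingCert.NotAfter)"
"AssertionConsumerService endpoints (where the IdP posts its SAML response):"
$md.EntityDescriptor.SPSSODescriptor.AssertionConsumerService |
    Select-Object Binding, Location, index | Format-Table -AutoSize

if ($entityId -ne "http://$AdfsHost/adfs/services/trust") {
    Write-Warning 'entityID does not follow the default AD FS pattern; use the printed value as-is.'
}

# The "SAML 2 meta loading" entry: "id" must equal the entityID, "resource" the file name.
[ordered]@{ id = $entityId; resource = $ResourceName } | ConvertTo-Json
```

Run it on the PhenixID server (or copy the file there afterwards) and restart the service as described above. The certificate expiry is worth noting down: when AD FS rolls its signing certificate, the metadata has to be re-imported.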
- Depending on your configuration, on the AssertionProvider valve (in the Pipes section), change the sourceID and audienceRestriction parameters so that they match the entity ID of the imported AD FS metadata (the "id" value above). AD FS rejects assertions whose audience does not equal its own identifier, so a mismatch here shows up as a failed login at AD FS. Example:
  {
    "name": "AssertionProvider",
    "config": {
      "targetEntityID": "PhenixID_IdP_RDWEB_DEMO",
      "nameIDAttribute": "userPrincipalName",
      "sourceID": "http://adfs.demo.phenixid.net/adfs/services/trust",
      "misc": {
        "excludeSubjectNotBefore": "true"
      },
      "audienceRestriction": "http://adfs.demo.phenixid.net/adfs/services/trust"
    }
  }
- Then press Stage/Commit changes
- Test login to ADFS (the flow will not complete yet, since the relying party trust for RDWeb is configured later):
https://adfs.demo.phenixid.net/adfs/ls/idpinitiatedsignon
- Open the properties of the claims provider trust created earlier, go to Advanced and set "Secure hash algorithm" to SHA-1. This setting must match the hash algorithm PhenixID Authentication Server uses to sign its SAML responses; if your IdP signs with SHA-256, keep SHA-256 instead, since SHA-1 signatures are deprecated.
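The claims provider trust, its Name ID pass-through rule and the hash algorithm setting can also be created from PowerShell on the AD FS server, which is easier to repeat and review than the wizard. The following is an added example and not part of this document or of the PhenixID product; the path of the exported IdP metadata and the display name of the trust are assumptions. The claim rule is the claim rule language equivalent of the "Pass Through or Filter an Incoming Claim" template with the values used above.

```powershell
# Added example (not from the PhenixID document). Assumptions: the path of the
# exported PhenixID IdP metadata and the display name of the trust.
$IdpMetadataFile = 'C:\temp\phenixid_idp_metadata.xml'   # saved from ...?getIDPMeta
$TrustName       = 'PhenixID Authentication Server'
# Must match the hash algorithm the IdP signs its SAML responses with. The document
# uses SHA-1; prefer SHA-256 if the IdP can sign with it, since SHA-1 is deprecated.
$IdpSignatureAlgorithm = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
# $IdpSignatureAlgorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# AD FS 2.0 ships the cmdlets as a snap-in; AD FS on 2012 R2 and later as a module.
if (Get-Module -ListAvailable -Name ADFS) { Import-Module ADFS } else { Add-PSSnapin Microsoft.Adfs.PowerShell }

# Claim rule language form of "Pass Through or Filter an Incoming Claim" with
# Incoming claim type = Name ID and Incoming name ID format = Unspecified.
$acceptanceRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Name ID (unspecified)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
 => issue(claim = c);
'@

if (-not (Get-AdfsClaimsProviderTrust -Name $TrustName -ErrorAction SilentlyContinue)) {
    Add-AdfsClaimsProviderTrust -Name $TrustName -MetadataFile $IdpMetadataFile `
        -AcceptanceTransformRules $acceptanceRules
}
# Same setting as "Secure hash algorithm" on the Advanced tab of the trust.
Set-AdfsClaimsProviderTrust -TargetName $TrustName -SignatureAlgorithm $IdpSignatureAlgorithm

# Review what AD FS actually imported: identifier, algorithm and the IdP signing certificate.
$trust = Get-AdfsClaimsProviderTrust -Name $TrustName
$trust | Select-Object Name, Identifier, SignatureAlgorithm, Enabled | Format-List
$trust.TokenSigningCertificates | Select-Object Subject, Thumbprint, NotAfter
```

The Identifier printed at the end must be the entity ID from the PhenixID IdP metadata, and the TokenSigningCertificates entry is the certificate AD FS will accept SAML responses from; if the IdP's signing certificate is replaced, the trust has to be updated.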
RDWeb server configuration
On the RDWeb server the following components need to be installed:
Windows Identity Foundation 3.5/4.0
Windows Identity Foundation SDK 4.0
- Open "C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config"
- Add <add value="IIS APPPOOL\RDWebAccess" /> to the <allowedCallers> section. allowedCallers lists the Windows identities that may ask c2wts for a Windows token on behalf of a user, so add only the RD Web Access application pool identity
- Save and close the file
- Open a command prompt window and enter: sc config c2wts depend= CryptSvc
- Open "Services" on the MS RDWeb server
- Start the service "Claims to Windows token service"
- Make sure that "Claims to Windows token service" is set to Automatic and that Cryptographic Services is listed in the Dependencies tab.
- Run "C:\Program Files (x86)\Windows Identity Foundation SDK\v3.5\fedutil.exe"
- Point to the RDWeb application web.config file and enter the RDWeb web application URI, for example:
https://adfs.demo.phenixid.net/RDWeb/Pages/
- Select "Use an existing STS" and enter the federation metadata URL of the ADFS server
(https://<adfs_domain>/FederationMetadata/2007-06/FederationMetadata.xml)
- Set certificate chain validation according to your environment
- Set encryption according to your environment
- Press Next and then Finish
- We need to change a setting in the RD Web Access application pool: open IIS Manager, select Application Pools, right-click the RDWebAccess pool and choose Advanced Settings. Set "Load User Profile" to "True"
- Make a backup copy of C:\Windows\Web\RDWeb\Pages\web.config
- Open C:\Windows\Web\RDWeb\Pages\web.config
- If not already present, add the following to the <configuration> section:
  <configSections>
    <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>
- In the <system.web> section add the following lines. They turn off ASP.NET request validation for the RDWeb pages, which is required because the WS-Federation sign-in response is POSTed to the page as XML (the wresult form field) and would otherwise be rejected as dangerous input; be aware that this also removes that built-in safeguard for the rest of the RDWeb pages:
  <httpRuntime requestValidationMode="2.0" />
  <pages validateRequest="false" />
- In the <system.web> section verify the following settings (no local authentication, and anonymous users are denied, which is what triggers the redirect to AD FS):
  <authorization><deny users="?" /></authorization>
  <authentication mode="None" />
- Make sure that the start of the <modules> element (in <system.webServer>) looks like this:
  <modules runAllManagedModulesForAllRequests="true">
- In the <modules> section remove the following line (if present), so that the RDWeb forms login no longer handles authentication:
  <add name="RDWAFormsAuthenticationModule" type="Microsoft.TerminalServices.Publishing.Portal.FormAuthentication.TSDomainFormsAuthentication" />
- In the <modules> section make sure that these lines are present:
  <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
  <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
- In the section microsoft.identityModel -> service, add the following (mapToWindows and useWindowsTokenService make WIF hand the UPN from the token to the Claims to Windows Token Service, which returns the Windows identity RDWeb needs):
  <securityTokenHandlers>
    <remove type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <add type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <sessionTokenRequirement useWindowsTokenService="true" />
    </add>
    <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" />
    </add>
  </securityTokenHandlers>
- Enable UPN: under microsoft.identityModel -> service -> applicationService -> claimTypeRequired, uncomment this line:
  <!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" optional="true" />-->
- Save the file
- Run iisreset
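The c2wts, service and application pool steps above can be scripted, and the web.config edits are easy to get subtly wrong, so a check of the finished file is useful before running iisreset. The following PowerShell is an added example (not part of this document or of the PhenixID product) that applies the c2wts and IIS settings, backs up web.config and then verifies each of the web.config changes listed above. The paths are the ones this document names; the application pool name RDWebAccess is the RD Web Access default. Run it elevated on the RDWeb server.

```powershell
# Added example (not from the PhenixID document). Paths are the ones the
# document names; RDWebAccess is the default RD Web Access application pool.
$C2wtsConfig = 'C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config'
$WebConfig   = 'C:\Windows\Web\RDWeb\Pages\web.config'
$AppPool     = 'RDWebAccess'
$Caller      = "IIS APPPOOL\$AppPool"

# 1. Allow only the RD Web Access application pool identity to call c2wts.
[xml]$cfg = Get-Content -Path $C2wtsConfig -Raw
$callers  = $cfg.configuration.windowsTokenService.allowedCallers
if (-not @($callers.add | Where-Object { $_.value -eq $Caller })) {
    $node = $cfg.CreateElement('add')
    $node.SetAttribute('value', $Caller)
    [void]$callers.AppendChild($node)
    $cfg.Save($C2wtsConfig)
}

# 2. Make c2wts depend on Cryptographic Services and start automatically.
#    In PowerShell "sc" is an alias for Set-Content, so call sc.exe explicitly.
& sc.exe config c2wts depend= CryptSvc | Out-Null
Set-Service -Name c2wts -StartupType Automatic
Start-Service -Name c2wts
$svc = Get-Service -Name c2wts
if ($svc.Status -ne 'Running' -or ($svc.ServicesDependedOn.Name -notcontains 'CryptSvc')) {
    Write-Warning 'c2wts is not running with the CryptSvc dependency'
}

# 3. Load the user profile in the RD Web Access application pool.
Import-Module WebAdministration
Set-ItemProperty -Path "IIS:\AppPools\$AppPool" -Name processModel.loadUserProfile -Value $true

# 4. Back up web.config before editing it; run the check below after the manual edits.
Copy-Item -Path $WebConfig -Destination "$WebConfig.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"

function Test-RdWebFederationConfig {
    param([string]$Path = $WebConfig)
    [xml]$web   = Get-Content -Path $Path -Raw
    $systemWeb  = $web.configuration.'system.web'
    $modules    = $web.configuration.'system.webServer'.modules
    $moduleAdds = @($modules.add)
    $required   = @($web.configuration.'microsoft.identityModel'.service.applicationService.claimTypeRequired.claimType)
    [ordered]@{
        'identityModel configSection registered'  = [bool]($web.configuration.configSections.section | Where-Object { $_.name -eq 'microsoft.identityModel' })
        'authentication mode=None'                = ($systemWeb.authentication.mode -eq 'None')
        'authorization deny users=?'              = (@($systemWeb.authorization.deny.users) -contains '?')
        'runAllManagedModulesForAllRequests=true' = ($modules.runAllManagedModulesForAllRequests -eq 'true')
        'RDWAFormsAuthenticationModule removed'   = -not ($moduleAdds | Where-Object { $_.name -eq 'RDWAFormsAuthenticationModule' })
        'WSFederationAuthenticationModule added'  = [bool]($moduleAdds | Where-Object { $_.name -eq 'WSFederationAuthenticationModule' })
        'SessionAuthenticationModule added'       = [bool]($moduleAdds | Where-Object { $_.name -eq 'SessionAuthenticationModule' })
        'UPN claim required (uncommented)'        = [bool]($required | Where-Object { $_.type -like '*/claims/upn' })
    }
}
Test-RdWebFederationConfig | Format-Table -AutoSize
```

Every row of the table should read True before iisreset; a False row points at the bullet above that was missed. Because the check parses the file as XML, a malformed edit (the usual cause of the HTTP 500 mentioned in the troubleshooting section) fails here with a parse error instead of after the restart.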
Trust between ADFS and RDWeb
- Go to AD FS 2.0 Management
- Click "Relying Party Trusts"
- Choose "Add Relying Party Trust…"
- Choose a method to import your metadata
- Enter a display name
- Do NOT configure MFA in AD FS; the second factor is enforced by PhenixID Authentication Server
- Permit all users to access this relying party
- Press Next and then Close
- Add the following claim rules:
  - Transform an Incoming Claim: enter a rule name, Incoming claim type = Name ID, Incoming name ID format = Unspecified, Outgoing claim type = UPN, Outgoing name ID format = Unspecified
  - Pass Through or Filter an Incoming Claim: enter a rule name, Incoming claim type = UPN, Incoming name ID format = Unspecified
- Then press Finish
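The relying party trust for RDWeb, its two claim rules and the permit-all authorization rule can be created from PowerShell on the AD FS server; this also covers the optional step from the Test section of binding the relying party to the PhenixID claims provider, which removes the "select organization" page. The following is an added example and not part of this document or of the PhenixID product. The RDWeb host name, the location where FedUtil wrote the RDWeb federation metadata, and the trust names are assumptions.

```powershell
# Added example (not from the PhenixID document). Assumptions: the RDWeb host name,
# the location FedUtil wrote the RDWeb federation metadata to, and the trust names.
$RdWebHost     = 'rdweb.demo.phenixid.net'
$RpName        = 'RD Web Access'
$RpMetadataUrl = "https://$RdWebHost/RDWeb/Pages/FederationMetadata/2007-06/FederationMetadata.xml"
$IdpTrustName  = 'PhenixID Authentication Server'   # display name of the claims provider trust

if (Get-Module -ListAvailable -Name ADFS) { Import-Module ADFS } else { Add-PSSnapin Microsoft.Adfs.PowerShell }

# Rule 1: "Transform an Incoming Claim" Name ID (unspecified) -> UPN.
# Rule 2: "Pass Through or Filter an Incoming Claim" for UPN.
$transformRules = @'
@RuleTemplate = "MapClaims"
@RuleName = "Name ID to UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
'@

# "Permit all users to access this relying party". No MFA is configured in AD FS
# because the second factor is enforced by the PhenixID IdP.
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

if (-not (Get-AdfsRelyingPartyTrust -Name $RpName -ErrorAction SilentlyContinue)) {
    Add-AdfsRelyingPartyTrust -Name $RpName -MetadataUrl $RpMetadataUrl `
        -IssuanceTransformRules $transformRules `
        -IssuanceAuthorizationRules $authorizationRules
}

# Optional (AD FS 3.0 and later): skip the "select organization" page by binding
# this relying party to the PhenixID claims provider only.
Set-AdfsRelyingPartyTrust -TargetName $RpName -ClaimsProviderName @($IdpTrustName)

Get-AdfsRelyingPartyTrust -Name $RpName |
    Select-Object Name, Identifier, ClaimsProviderName, WSFedEndpoint | Format-List
```

AD FS has to trust the TLS certificate of the RDWeb host to fetch the metadata URL; otherwise copy the file to the AD FS server and use -MetadataFile instead. The Identifier and WSFedEndpoint printed at the end must match the realm and return URL that FedUtil put into the RDWeb web.config.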
Example, IdP pipe in PhenixID Server
{
  "id": "pipeunpwrdweb_demo",
  "valves": [
    {
      "name": "LDAPSearchValve",
      "config": {
        "connection_ref": "MyAD",
        "base_dn": "DC=demo,DC=phenixid,DC=net",
        "scope": "SUB",
        "size_limit": "0",
        "filter_template": "(&(objectclass=*)(sAMAccountName={{request.username}}))",
        "attributes": "userPrincipalName"
      }
    },
    {
      "name": "LDAPBindValve",
      "config": {
        "connection_ref": "MyAD",
        "password_param_name": "password",
        "skip_if_expr": "request.authenticatedrequest=='true'"
      }
    },
    {
      "name": "AssertionProvider",
      "config": {
        "targetEntityID": "PhenixID_IdP_RDWEB_DEMO",
        "nameIDAttribute": "userPrincipalName",
        "sourceID": "http://adfs.demo.phenixid.net/adfs/services/trust",
        "misc": {
          "excludeSubjectNotBefore": "true"
        },
        "audienceRestriction": "http://adfs.demo.phenixid.net/adfs/services/trust"
      }
    }
  ]
}
Test
- Browse to https://<rd_web_server>/RDWeb/Pages/
- This should result in a redirect to ADFS server
- Select organization on the ADFS server
(This step can be removed by configuration, see https://authenticationfactor.wordpress.com/2014/06/18/adfs-3-0-playing-with-authentication/ -> Force specific Claims Provider(s) per relying party)
- This should result in a redirect to PhenixID Authentication Server
- Authenticate
- If authentication was successful, a redirect to ADFS should occur (with SAML assertion)
- A redirect to RDWeb should occur
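The first hops of this flow can be checked without a browser, which makes it easy to tell a web.config problem (RDWeb never redirects to AD FS) from a trust problem (AD FS never forwards to PhenixID). The following PowerShell is an added example, not part of this document or of the PhenixID product: it follows the redirect chain from the RDWeb URL hop by hop without auto-redirect and prints the status and Location of each hop. The RDWeb, AD FS and PhenixID host names are assumptions.

```powershell
# Added example (not from the PhenixID document). Assumptions: RDWeb, AD FS and
# PhenixID host names used in the expectations below.
$RdWebUrl     = 'https://rdweb.demo.phenixid.net/RDWeb/Pages/'
$AdfsHost     = 'adfs.demo.phenixid.net'
$PhenixIdHost = 'idp.demo.phenixid.net'

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Get-RedirectChain {
    param([Parameter(Mandatory = $true)][string]$Url, [int]$MaxHops = 10)
    $cookies = New-Object System.Net.CookieContainer   # AD FS keeps request state in cookies
    $hops = @()
    $next = $Url
    for ($i = 1; ($i -le $MaxHops) -and $next; $i++) {
        $req = [System.Net.HttpWebRequest]::Create($next)
        $req.AllowAutoRedirect = $false                   # inspect every hop ourselves
        $req.CookieContainer   = $cookies
        $req.UserAgent         = 'Mozilla/5.0 rdweb-federation-check'
        try   { $resp = $req.GetResponse() }
        catch [System.Net.WebException] {
            if (-not $_.Exception.Response) { throw }     # DNS/TLS failure, not an HTTP status
            $resp = $_.Exception.Response                  # 4xx/5xx still carry a response
        }
        $status   = [int]$resp.StatusCode
        $location = $resp.Headers['Location']
        $resp.Close()
        $hops += [pscustomobject]@{ Hop = $i; Status = $status; Url = $next; Location = $location }
        if ($status -lt 300 -or $status -ge 400 -or -not $location) { break }
        # Location may be relative; resolve it against the URL that returned it.
        $next = (New-Object System.Uri -ArgumentList ([System.Uri]$next), $location).AbsoluteUri
    }
    return $hops
}

$chain = @(Get-RedirectChain -Url $RdWebUrl)
$chain | Format-Table Hop, Status, Url, Location -AutoSize -Wrap

$first = $chain[0]
if ($first.Status -eq 302 -and $first.Location -match ("^https://" + [regex]::Escape($AdfsHost) + "/adfs/ls/.*wa=wsignin1\.0")) {
    'OK   RDWeb redirects unauthenticated requests to AD FS (WS-Federation sign-in)'
} else {
    'FAIL RDWeb did not redirect to AD FS: check web.config (WSFederationAuthenticationModule, deny users="?")'
}
if ($chain.Location -match ("^https://" + [regex]::Escape($PhenixIdHost) + "/.*SAMLRequest=")) {
    'OK   AD FS forwarded a SAML AuthnRequest to PhenixID Authentication Server'
} else {
    'NOTE No SAMLRequest seen: AD FS is probably showing the "select organization" page (200) or uses the POST binding'
}
```

With the "select organization" page still enabled, the chain ends at AD FS with a 200 and the second check prints the NOTE line; once a single claims provider is forced for the relying party, the chain continues to the PhenixID URL with a SAMLRequest parameter. The script only exercises the redirects and never authenticates, so it is safe to run repeatedly from any workstation that can reach the three hosts.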
Troubleshooting tips
Verify trust between ADFS and PhenixID Authentication Services
- Browse to https://<adfs_server>/adfs/ls/idpinitiatedsignon.aspx
- Click Sign in
- Select organization
- This should result in a redirect to PhenixID Authentication Server
- Authenticate
- If authentication was successful, a redirect to ADFS should occur (with SAML assertion)
- ADFS should present “You are signed in”
The file web.config
Several changes are made to the file web.config.
If there is an error in the file, a generic HTTP 500 error page is displayed.
To see the detailed error message, browse to the page locally on the RDWeb server (by default ASP.NET shows detailed errors only to local requests) using Microsoft Internet Explorer.
DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners. The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.
PhenixID - support.phenixid.se