Web Application Proxy

Similar documents
TLS Client Certificate and Smart Card Logon

Ing. Ondrej Sevecek Windows Server Product Manager GOPAS a.s.

MCSM:Directory2012 MCM:Directory2008 MVP:Enterprise Security Certified Ethical Hacker CISA.

ADFS and Web Application Proxy

Cloud Access Manager Configuration Guide

Windows Authentication Concepts

Configuring Claims-based Authentication for Microsoft Dynamics CRM Server. Last updated: June 2014

Configuring Claims-based Authentication for Microsoft Dynamics CRM Server. Last updated: May 2015

Workspace ONE UEM Certificate Authentication for EAS with ADCS. VMware Workspace ONE UEM 1902

How to Configure SSL VPN Portal for Forcepoint NGFW TECHNICAL DOCUMENT

Webthority can provide single sign-on to web applications using one of the following authentication methods:

DELTA ADFS. As Built for Delta. PlanBcp SharePoint. 13-Oct-15. Information Architecture for Delta ADFS

Pyramid 2018 Kerberos Guide Guidelines and best practices for how deploy Pyramid 2018 with Kerberos

ADFS integration with Ibistic Commerce Platform A walkthrough of the feature and basic configuration

SAML-Based SSO Solution

DATACENTER MANAGEMENT Goodbye ADFS, Hello Modern Authentication! Osman Akagunduz

Configure the Identity Provider for Cisco Identity Service to enable SSO

Qualys SAML & Microsoft Active Directory Federation Services Integration

UEFI, SecureBoot, DeviceGuard, TPM a WHB (un)related technologies

TUT Integrating Access Manager into a Microsoft Environment November 2014

CERTIFICATES AND CRYPTOGRAPHY

How to Configure Authentication and Access Control (AAA)

How to Use ADFS to Implement Single Sign-On for an ASP.NET MVC Application

SAML-Based SSO Solution

ArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith

Okta Integration Guide for Web Access Management with F5 BIG-IP

Five9 Plus Adapter for Agent Desktop Toolkit

ArcGIS Enterprise Administration

CONFIGURING AD FS AS A THIRD-PARTY IDP IN VMWARE IDENTITY MANAGER: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

Single Sign-On with Sage People and Microsoft Active Directory Federation Services 2.0

Deploying F5 with Microsoft Active Directory Federation Services

Introduction. The Safe-T Solution

Advanced On-Prem SSRS 2017 for Non-AD Users. Dr. Subramani Paramasivam MVP & Microsoft Certified Trainer DAGEOP, UK

Modules Installation and Updating - SharePoint Page 0 of 23

O365 Solutions. Three Phase Approach. Page 1 34

Deploying F5 with Microsoft Active Directory Federation Services

BIG-IP Access Policy Manager : Portal Access. Version 12.1

Blue Coat Security First Steps. Solution for Integrating Authentication using IWA BCAAA

IWA Integration Kit. Version 3.1. User Guide

Kerberos Constrained Delegation Authentication for SEG V2. VMware Workspace ONE UEM 1810

Configuring Alfresco Cloud with ADFS 3.0

Trusted Login Connector (Hosted SSO)

BI Office. Kerberos and Delegation Version 6.5

Load Balancing Microsoft AD FS. Deployment Guide v Copyright Loadbalancer.org

Cloud Access Manager Overview

AD FS v3. Deployment Guide

Identity Provider for SAP Single Sign-On and SAP Identity Management

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager

Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)

VMware Identity Manager Administration

Single Sign On (SSO) with Polarion 17.3

BIG-IP Access Policy Manager : Authentication and Single Sign-On. Version 13.1

Kerberos Constrained Delegation Authentication for SEG V2. VMware Workspace ONE UEM 1811

VIEVU Solution AD Sync and ADFS Guide

The following topics provide more information on user identity. Establishing User Identity Through Passive Authentication

How does it look like?

Configuration Guide - Single-Sign On for OneDesk

Integrating YuJa Active Learning into ADFS via SAML

BusinessObjects Enterprise XI Release 2

ArcGIS Server and Portal for ArcGIS An Introduction to Security

SSO Plugin. J System Solutions. Troubleshooting SSO Plugin - BMC AR System & Mid Tier.

Today s workforce is Mobile. Cloud and SaaSbased. are being deployed and used faster than ever. Most applications are Web-based apps

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2

Authentication. August 17, 2018 Version 9.4. For the most recent version of this document, visit our documentation website.

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

Microsoft Unified Access Gateway 2010

Extranet User Manager

SAP Security in a Hybrid World. Kiran Kola

Load Balancing Microsoft AD FS. Deployment Guide v Copyright Loadbalancer.org, Inc

with Access Manager 51.1 What is Supported in This Release?

ArcGIS Enterprise Security: An Introduction. Randall Williams Esri PSIRT

Unified Contact Center Enterprise (UCCE) Single Sign On (SSO) Certificates and Configuration

Authentication Guide

ADFS Setup (SAML Authentication)

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

BlackBerry Enterprise Server for Microsoft Office 365. Version: 1.0. Administration Guide

API Security Management SENTINET

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

CA SiteMinder Federation

BIG-IP Access Policy Manager : Secure Web Gateway. Version 13.0

APM Cookbook: Single Sign On (SSO) using Kerberos

Integrating the YuJa Enterprise Video Platform with ADFS (SAML)

Unified Secure Access Beyond VPN

Configuring SAML-based Single Sign-on for Informatica Web Applications

Spencer Harbar. Kerberos Part One: No ticket touting here, does SharePoint add another head?

IMPLEMENTING SINGLE SIGN-ON (SSO) TO KERBEROS CONSTRAINED DELEGATION AND HEADER-BASED APPS. VMware Identity Manager.

VMware Tunnel on Linux. VMware Workspace ONE UEM 1811

D9.2.2 AD FS via SAML2

IBM Domino WEB Federated Login

Hybride Cloud Szenarien HHochverfügbar mit KEMP Loadbalancern. Köln am 10.Oktober 2017

DEPLOYMENT GUIDE Version 1.1. Deploying the BIG-IP Access Policy Manager with IBM, Oracle, and Microsoft

TECHNICAL GUIDE SSO SAML. At 360Learning, we don t make promises about technical solutions, we make commitments.

BlackBerry Enterprise Server for IBM Lotus Domino Version: 5.0. Administration Guide

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

Configure Unsanctioned Device Access Control

SAS Viya 3.3 Administration: Authentication

MCM:Directory MVP:Enterprise Security CEH:Certified Ethical Hacker CHFI: Computer Hacking Forensic Investigator

DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Sharepoint 2007

Authlogics Forefront TMG and UAG Agent Integration Guide

Transcription:

Application Proxy Ing. Ondřej Ševeček GOPAS a.s. MCSM:Directory2012 MCM:Directory2008 MVP:Enterprise Security CEH: Certified Ethical Hacker CHFI: Computer Hacking Forensic Investigator ondrej@sevecek.com www.sevecek.com GOPAS: info@gopas,cz www.gopas.cz www.facebook.com/p.s.gopas Motivation TMG discontinued TCP/IP/ICMP/IPSec/etc. inspection fully replaced with Windows Firewall intrusion prevention filters included in Windows Defender and Microsoft Security Essentials problematic expansion of reverse HTTPS publishing Secure reverse HTTPS publishing Windows authentication at network perimeter Forms-based (cookie) authentication with non-browser fallback to Basic and/or persistent cookie 1

Principal scenario (internal HTTP or HTTPS) http://portal https://portal https://portal.gopas.cz Reverse HTTPS Proxy GPS gopas.virtual Principal scenario (SharePoint, AAM) http://intranet https://sp.gopas.cz Reverse HTTPS Proxy GPS gopas.virtual 2

Another bit of motivation SharePoint not everything requires authentication HTTP level protocol exploits many many many IIS modules to pass Reverse HTTPS proxy general requirements Require HTTPS from client possibly redirect to secure traffic rather do not redirect to discourage HTTPS strip minimize number of public TLS certificates Decrypt HTTPS at the perimeter possibly inspect, define rules or extend with third-party translate external URI to internal host names and paths forward different host header Authenticate users at the perimeter Windows authentication against Active Directory allow other authentication databases if necessary Forward user credentials to the application Windows authentication (WIA) delegation with Kerberos claims with Windows Identity Foundation 3

WAP on Windows 2012 R2 Require HTTPS from client possibly redirect to secure traffic rather do not redirect to discourage HTTPS strip minimize number of public TLS certificates Decrypt HTTPS at the perimeter possibly inspect, define rules or extend with third-party translate external URI to internal host names and paths forward different host header Authenticate users at the perimeter Windows authentication against Active Directory allow other authentication databases if necessary Forward user credentials to the application Windows authentication delegation with Kerberos claims with Windows Identity Foundation TLS SNI as a bonus over TMG plus Extended Protection for Authentication (NTLM mutual authenitcation) Wait. First make Kerberos work internally server GPS-WFE1 application accessible at http://portal Application pool running under ApplicationPoolIdentity IIS Windows Authentication enabled, Kernel Mode Authentication enabled DNS name portal.gopas.virtual = A Set serviceprincipalname (SETSPN) on GPS-WFE1 http/portal http/portal.gopas.virtual 4

Wait some more. Yet make Kerberos work internally even for SharePoint server GPS-SP application accessible at http://intranet Application pool running under sp-intranet-web IIS Windows Authentication enabled, Kernel Mode Authentication disabled DNS name intrnaet.gopas.virtual = A Set serviceprincipalname (SETSPN) on sp-intranetweb http/intranet http/intranet.gopas.virtual External authentication Reverse HTTPS Proxy Basic Windows NTLM Windows Kerberos Forms/cookie TLS client certificate 5

External authentication challenges External authentication Facts Internal forwarding Notes Basic plain-text TLS encrypted no SSO easy no browser sign-out no timeout non-browser clients Windows NTLM SSO Kerberos constrained delegation complicated sensitive Windows Kerberos not possible without direct contact with Kerberos constrained delegation impossible Forms/cookie plain-text no SSO session vs. persistent cookie easy claims SAML token sign-out timeout browser clients TLS client certificate safe against password guessing safe against HTTP exploits Kerberos constrained delegation claims SAML token only for "partners" can use smart-cards both clients Scenario with an authentication server http://portal http://portal RADIUS? https://portal.gopas.cz WAP 6

Scenario with ADFS authentication server https://portal https://portal.gopas.cz WAP ADFS Standard web-based authentication Active Directory Federation Services (ADFS) HTTP server providing several web based authentication mechanisms Active Directory (ADDS) Active Directory Lightweight Directory Services (ADLDS) any third party Produces claims or cookies in various formats WS-Trust or SAML-Token for active clients WS-Federation (SAML 1.1) and SAML 2.0 for passive clients OAuth for semi-passive clients Required by Office365/AzureAD for on-premises hybrid deployments 7

ADFS version history Version OS Notes ADFS 1.0 ADFS 1.1 Windows 2003 R2 Windows 2008 Windows 2008 R2 included runs in IIS included runs in IIS ADFS 2.0 Windows 2008 Windows 2008 R2 ADFS 2.1 Windows 2012 ADFS 3.0 Windows 2012 R2 download runs in IIS included runs in IIS included direct hosting on HTTP.SYS TLS SNI support PowerShell only config (plus HTML) Simple ADFS terminology GPS gopas.virtual WIA (Kerberos) Basic Forms Incoming claims ADFS Outgoing claims "Cookie" or "token" https://adfs.gopas.cz 8

ADFS internal testing GPS gopas.virtual WIA (Kerberos) Basic Forms ADFS https://adfs.gopas.cz ADFS public access with WAP acting as an ADFS proxy GPS gopas.virtual https://adfs.gopas.cz WAP (passive) (active) ADFS https://adfs.gopas.cz 9

ADFS configuration notes Must be Domain Admins member to install ADFS some stupid customer requirement Installer account must be sysadmin in DB ADFS service account gets serviceprincipalname Domain Admins can write it, does not require self registration Creates and AD container CN=Program Data,CN=Microsoft,CN=ADFS,CN=CertificateSharingContainer,=x NETSH HTTP SHOW SSLCERT NETSH HTTP SHOW SERVICESTATE findstr :443 WAP connects over Admin$ to ADFS ADFS service account must be member of WAAG if user attributes are to be used as filters on incoming claims Testing ADFS from browser F12 developer toolbar does not show authentication headers Fiddler with TLS inspection 10

Testing ADFS from browser https://adfs.gopas.cz/federationmetadata/2007-06/federationmetadata.xml anonymously available https://adfs.gopas.cz/adfs/ls/idpinitiatedsignon.htm manually initiated from browser https://adfs.gopas.cz/adfs/ls?wsignin1.0&wtrealm=https://portal.gopas.cz WS-Federation sign-in URL, you receive SAML1.1 token configured as: WS-Federation Passive Endpoints on the Endpoints tab https://adfs.gopas.cz/adfs/ls?samlrequest=base64request SAML2.0 sign-in URL, returns SAML2.0 token configured as: SAML Assertion Consumer Endpoints on the Endpoints tab https://adfs.gopas.cz/adfs/oauth2/authorize?response_type=code&client_id=11111111-2222-3333-4444-123456789012&redirect_uri=https://portal.gopas.cz&resource=https://portal.gopas.cz OAuth sign-in URL, returns OAuth token, only for active clients configured as: no endpoint plus use Get-Adfs and Add-Adfs sign-out https://adfs.gopas.cz/adfs/ls/?wa=wsignout1.0 https://adfs.gopas.cz/adfs/ls/?wa=wsignout1.0&wreply=https://www.google.cz Testing ADFS from browser Get-AdfsProperties requires extended protection for WIA to enable WIA for FireFox set ExtendedProtectionTokenCheck = 'None' type 'about:config', filter for 'ntlm', add 'adfs.gopas.cz' to 'network.automatic-ntlm-auth.trusted-uris' setting WIASupportedUserAgents MSIE, MSAuthHost/1.0/In-Domain, Trident/7.0, MSIPC, Windows Rights Management 11

HTTP cookies generally Name=Value; Name=Value;... Path=/subPath limited to a subpath Domain=.gopas.cz can enable cookie from a subdomain to go to other thirtlevel subdomains Expires=23-May-2015 22:13:08 GMT Max-Age=[seconds] expirations in browser are not enforced servers expire cookies themselves How ADFS knows what is internal and what is an external client ADFS proxy must forward requests with x-ms-proxy and x-ms-endpoint-absolute-path you cannot simply proxy internal WAP-ADFS communication with Fiddler, because it is mutually authenticated Any reverse web proxy supported, not just WAP 12

Testing ADFS from client use Fiddler to decrypt HTTPS use Windows Identity Foundation to request active responses cannot produce SAML 2.0 (SAML-Protocol) cookie based responses Publishing simple WIA web application http://portal Kerberos Delegation https://adfs.gopas.cz https://portal.gopas.cz WAP ADFS 13

Kerberos delegation requirements Kerberos working internally WAP-WEB http/portal http/portal.gopas.virtual or any arbitrary SPN specified in the WAP configuration Kerberos delegation for WAP server Trust this computer to specified services only, Use any authentication protocol WAP member of Windows Authorization Access Group (WAAG) restart WAP machine Alternative attribute stores LDAP connection string LDAP://localhost:11111/cn=Users,o=GOPAS ADFS authenticates against ADLDS with its service account SQL connection string =GPS-DATA;Database=PartnerAccounts;Integrated Security=True;Encrypt=True 14

Publishing SharePoint Best practice to run internal SP web on public name since the very start SharePoint must know the host name that client uses Running SharePoint on internal name WAP should always forward with the external host header WAP cannot define different host header for a different internal name/ip translation WAP must use HOSTS or internal DNS records Scenario for SharePoint publishing ok if non-host header web binding or the same public/private host header (maybe AAM) http://intranet host header https://sp.gopas.cz https://sp.gopas.cz Reverse HTTPS Proxy GPS gopas.virtual 15

Extend web application first (maybe AAM) for host header web binding http://intranet http://sp.gopas.cz https://sp.gopas.cz https://sp.gopas.cz Reverse HTTPS Proxy GPS gopas.virtual Thank you My training in GOPAS GOC166 - Advanced ADFS GOC167 - Troubleshooting Remote Access, VPN and DirectAccess GOC169 - ISO/IEC 2700x in Windows environment GOC171 - Active Directory Troubleshooting GOC172 - Kerberos Troubleshooting GOC173 - Enterprise PKI Deployment GOC175 - Advanced Windows Security GOC174 - SharePoint Troubleshooting 16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback