Forum Discussion

Stephen Bell
Iron Contributor
Oct 26, 2016
Solved

ADFS Claims Based Rules - I'm stuck!

In my environment we are running Exchange 2013 Hybrid. All mailboxes are in O365. We have certain requirements around our implementation that require ADFS. With that being said, I am really struggling with coming up with the set of claims based rules to accomplish my goal. Our ADFS environment is in Azure (vpn to on-prem network, 1 DC, 2 ADFS servers, 2 ADFS Proxy). Federation itself is up and running fine. I feel like I have read the same handful of technet / blog post articles on setting this up but I must be missing something. I am also struggling with being able to debug / trace to see exactly which claims are coming in with their values to determine why I am not getting expected results.


Here are the scenarios that I need (and have rules for):

1.  Block external Outlook access unless user is in the ADFS_Allow External Outlook AD Security Group

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/services/trust/2005/usernamemixed"])
 && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value =~ "Microsoft.Exchange.Autodiscover|Microsoft.Exchange.OfflineAddressBook|Microsoft.Exchange.RPC|Microsoft.Exchange.WebServices"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "\bXXX\.XXX\.XXX\.XXX\b|\bXX\.XX\.XX\.XX\b|\bXX\.XX\.XX\.XX\b"])
 && NOT exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "\bS-1-5-21-XXXX-XXXX-XXXX-XXX2\b"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

2.  Block external OWA unless user is in the ADFS_Allow External OWA AD Security Group

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls"])
 && NOT exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "\bS-1-5-21-XXXX-XXXX-XXX-XXX\b"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "\bXXX\.XXX\.XXX\.XX\b|\bXX\.XXX\.XX\.XX\b|\bXX\.XX\.XX\.XX\b"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

In both examples the IP addresses included in the regex are the public IP addresses of our 3 locations.  IP and SID have been redacted.  


I have looked at the insidecorporatenetwork rule vs the proxy / forwarded-client-ip -- and either way, I can't seem to get anywhere.  I would really love to be able to trace end-to-end to view all of the claims and values to understand why someone is allowed / denied access.


Any help in pointing me in the right direction would be greatly appreciated.


Steve

  • Which version are you using? x-ms-proxy only works with the 2008 R2 version, if you are on 2012 R2 you should use insidecorporatenetwork. If your clients are Office 2016/Office 2013 SP1, you most likely have modern authentication enabled and all traffic will be hitting the passive endpoint (/adfs/ls), so you should account for this. To monitor the rules, check your event logs (assuming auditing is enabled for AD FS).
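The two deny rules from the question, rewritten as the reply suggests for AD FS on Windows Server 2012 R2 (the insidecorporatenetwork claim replaces the x-ms-proxy test) and applied to the Office 365 relying party trust. This is an added example, not code from the thread or from Microsoft; the RFC 5737 addresses 203.0.113.10, 198.51.100.20 and 192.0.2.30 are constructed stand-ins for the three office IPs, the two SID strings are placeholders to replace with the real group SIDs, and the trust name assumes the default name created by the Office 365 federation setup.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell session on an
# AD FS 2012 R2 server. Placeholders: RFC 5737 addresses stand in for the office IPs,
# and the two SIDs must be replaced with the real ADFS_Allow_* group SIDs.

$officeIps       = '\b203\.0\.113\.10\b|\b198\.51\.100\.20\b|\b192\.0\.2\.30\b'   # constructed
$outlookGroupSid = '\bS-1-5-21-REPLACE-WITH-OUTLOOK-GROUP-SID\b'                    # placeholder
$owaGroupSid     = '\bS-1-5-21-REPLACE-WITH-OWA-GROUP-SID\b'                        # placeholder

# Set-AdfsRelyingPartyTrust replaces the whole issuance authorization rule set, so the
# permit rule must be carried along: a deny claim always wins, but without a permit
# claim nobody gets in at all.
$rules = @"
@RuleName = "Permit all users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Deny external Outlook unless in ADFS_Allow External Outlook"
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
 && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/services/trust/2005/usernamemixed"])
 && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value =~ "Microsoft\.Exchange\.(Autodiscover|OfflineAddressBook|RPC|WebServices)"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "$officeIps"])
 && NOT exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "$outlookGroupSid"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

@RuleName = "Deny external OWA unless in ADFS_Allow External OWA"
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
 && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "$officeIps"])
 && NOT exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "$owaGroupSid"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@

# Note the x-ms-client-application test uses =~ (regex), not ==: an exact comparison
# against a pipe-separated list can never match a single application name.
# Per the reply above, Outlook clients with modern authentication enabled come in
# through /adfs/ls, so the first rule's usernamemixed endpoint test will not see them.

$rp = 'Microsoft Office 365 Identity Platform'   # assumed: default O365 trust name

# Keep the current rule set so the change can be reverted.
(Get-AdfsRelyingPartyTrust -Name $rp).IssuanceAuthorizationRules |
    Out-File -FilePath .\o365-authz-rules.backup.txt

Set-AdfsRelyingPartyTrust -TargetName $rp -IssuanceAuthorizationRules $rules

# Read back what AD FS stored, to confirm the three rules landed.
(Get-AdfsRelyingPartyTrust -Name $rp).IssuanceAuthorizationRules
```

The regexes are passed straight through the here-string because PowerShell does not treat backslash as an escape, so `\b` and `\.` reach the claim engine unchanged; only `$officeIps` and the two SID variables are expanded.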

13 Replies


    •
      Stephen Bell
      Iron Contributor

      Thank you for the response!


      My clients are running Office 2013 (not sure on service pack version) OR  some Office 2016.  I do not believe that I have Modern Authentication turned on because I knew that everything would present itself as passive.  I figured I would cross that bridge once I got my entire environment to v2016.


      My servers are 2012 R2.  


      I have been looking at my event logs and cannot see what I would expect to see.  May have to do with the proxy vs insidecorporatenetwork.  I will give this a shot and post back.


      Thank you again

      Steve

      •
        VasilMichev
        MVP

        Modern auth is enabled by default on Office 2016, so definitely check for that. But yes, the first priority should be changing the rules to use insidecorporatenetwork if you are on 2012 R2.
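The event-log check the reply recommends, and that Steve says he could not get useful output from, only works once AD FS auditing is switched on at both the AD FS and Windows audit-policy levels. The following is an added example (not from the thread or from Microsoft) that enables auditing on an AD FS 2012 R2 server and then lists the claim types the rules above depend on from the resulting audit events. It assumes that events 500 and 501 from the "AD FS Auditing" provider carry the per-request claim list with an "Instance ID:" line, as the "More information for the event" audits do; the claim type list is the one from the question.

```powershell
# Added example, not code from the thread. Run elevated on each AD FS 2012 R2 server.

# 1. Ask AD FS itself to emit success and failure audits. 2012 R2 uses -LogLevel;
#    the -AuditLevel parameter only appears in AD FS 2016.
Set-AdfsProperties -LogLevel @("Errors", "Warnings", "Information", "FailureAudits", "SuccessAudits")

# 2. Let Windows write "Application Generated" audits into the Security log.
#    The AD FS service account also needs the "Generate security audits" user right.
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable

Restart-Service -Name adfssrv

# 3. Pull the claims AD FS saw for recent requests. Assumed: events 500/501 carry the
#    claim list and an "Instance ID:" line that ties them to the pass/fail event.
$claimTypes = @(
    'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork',
    'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip',
    'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application',
    'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path',
    'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
)

$audits = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'AD FS Auditing'
    Id           = 500, 501
} -MaxEvents 200 -ErrorAction SilentlyContinue

if (-not $audits) {
    Write-Warning 'No AD FS audit events yet: sign in once through the proxy, then rerun step 3.'
}

foreach ($e in $audits) {
    $lines = $e.Message -split "`r?`n"
    $instance = ($lines | Select-String -Pattern 'Instance ID:\s*(\S+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } | Select-Object -First 1)

    # Show each interesting claim type together with the line that follows it,
    # which is where the value is expected to sit.
    $hits = $lines | Select-String -SimpleMatch -Pattern $claimTypes -Context 0, 1
    if ($hits) {
        "{0:u}  event {1}  instance {2}" -f $e.TimeCreated, $e.Id, $instance
        foreach ($h in $hits) {
            "    $($h.Line.Trim())"
            foreach ($post in $h.Context.PostContext) { "        -> $($post.Trim())" }
        }
    }
}
```

Read the output with the rules in mind: a request that should be denied but is not will usually show either insidecorporatenetwork as `true` (proxy headers not reaching AD FS as expected), a forwarded client IP that matches one of the office addresses, or a groupsid that matches the allow group.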
