Forum Discussion
ADFS Claims Based Rules - I'm stuck!
- Oct 26, 2016
Which version are you using? x-ms-proxy only works with the 2008 R2 version, if you are on 2012 R2 you should use insidecorporatenetwork. If your clients are Office 2016/Office 2013 SP1, you most likely have modern authentication enabled and all traffic will be hitting the passive endpoint (/adfs/ls), so you should account for this. To monitor the rules, check your event logs (assuming auditing is enabled for AD FS).
Thank you for the response!
My clients are running Office 2013 (not sure on service pack version) OR some Office 2016. I do not believe that I have Modern Authentication turned on because I knew that everything would present itself as passive. I figured I would cross that bridge once I got my entire environment to v2016.
My servers are 2012 R2.
I have been looking at my event logs and cannot see what I would expect to see. May have to do with the proxy vs insidecorporatenetwork. I will give this a shot and post back.
Thank you again
Steve
- VasilMichev, Oct 27, 2016, MVP
Modern auth is enabled by default on Office 2016, so definitely check for that. But yes, the first priority should be changing the rules to use insidecorporatenetwork if you are on 2012 R2.
- Stephen Bell, Oct 28, 2016, Iron Contributor
I have had some success with using insidecorporatenetwork and as a result I am trying to re-engineer my rules. I am currently trying to block OWA for users outside our walls and NOT in a specific security group. I am not having luck. Here is my rule:
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
  && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "\b1XX.XXX.XX.4]\b"])
  && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls"])
  && NOT exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "\bS-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-2107\b"])
  => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
The user I am testing with is not a member of my Allow OWA group, and therefore I would expect the attempt to fail. If I look in my event log here is what I see for this particular authentication attempt - which succeeds.
These are all event ID 500 or 501:

Issued identity:
  http://schemas.xmlsoap.org/claims/UPN shelleyc@mycompany.com
  http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID <redacted>
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier <redacted>
  http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant 2016-10-28T18:16:55.203Z
  http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

Caller identity:
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/implicitupn shelleyc@mycompany.local
  http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant 2016-10-28T18:16:55.203Z
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn shelleyc@mycompany.com
  http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-513
  http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-2104
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name mycompany\shelleyc
  http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname mycompany\shelleyc
  http://schemas.microsoft.com/claims/authnmethodsreferences urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-513

Caller identity:
  http://schemas.microsoft.com/2012/01/requestcontext/claims/client-request-id 1f08feb8-927f-4e6f-ad8a-0859da3a4398
  http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid https://login.microsoftonline.com/login.srf
  http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip 66.XXX.XX.19
  http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip 66.XXX.XX.19
  http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip 40.XXX.XXX.225

Caller identity:
  http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-1-0
  http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-32-545
  http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-2
  http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-11
  http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-15
  http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-18-2
  http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
  http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path /adfs/ls/
  http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork false
  http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy sic-wap-a

Caller identity:
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/implicitupn shelleyc@mycompany.local
  http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant 2016-10-28T18:16:55.203Z
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn shelleyc@mycompany.com
  http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-513
  http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-2104
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name mycompany\shelleyc
  http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname mycompany\shelleyc
  http://schemas.microsoft.com/claims/authnmethodsreferences urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-513

Caller identity:
  http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-1-0
  http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-32-545
  http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-2
  http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-11
  http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-15
  http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-18-2

Issued identity:
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/implicitupn shelleyc@mycompany.local
  http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant 2016-10-28T18:16:55.203Z
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn shelleyc@mycompany.com
  http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-513
  http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-513
  http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-1-0
  http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-32-545
  http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-2
  http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-11

Issued identity:
  http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-15
  http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-18-1
  http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-2104
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name mycompany\shelleyc
  http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname mycompany\shelleyc

Caller identity:
  http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname mycompany\shelleyc
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn shelleyc@mycompany.com

Caller identity:
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name mycompany\shelleyc
  http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-2104
  http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-513
  http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-513
  http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-1-0
  http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-32-545
  http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-2
  http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-11
  http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-15
  http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-18-1
The missing piece is this user does not match the groupsid in the rule - which I would expect to issue a deny???
Thanks
Steve
- VasilMichev, Oct 29, 2016, MVP
There seems to be an extra bracket in the rule you entered:
Value =~ "\b1XX.XXX.XX.4]\b"
Also, try doing an exact match against the group SID, for example:
exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-...."])
Lastly, I'd recommend avoiding the use of both insidecorporatenetwork and x-ms-forwarded-client-ip in the same rule.
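Added example, not part of the thread: the deny rule from Stephen's post rebuilt along the lines of Vasil's three points (drop the x-ms-forwarded-client-ip term, exact-match the group SID, keep insidecorporatenetwork as the inside/outside signal), applied to the relying party trust with the AD FS PowerShell module, and then checked against the 500/501 audit events. One extra check the event log in the thread supports: the request context carries x-ms-endpoint-absolute-path as "/adfs/ls/" with a trailing slash, while the posted rule compares with == against "/adfs/ls", so that condition never becomes true and the deny never fires; the rule below matches the path with a regex that accepts both forms. The relying party trust name, the Allow OWA group SID and the test UPN are placeholders taken from or in the style of the thread and must be replaced with real values; this is illustrative code, not Microsoft's or either poster's.

```powershell
# Added example (not from the thread). Run on a 2012 R2 AD FS server as an AD FS admin.
# Placeholders: the O365 relying party trust name (the default name is an assumption),
# the Allow OWA group SID (redacted form from the thread) and the test user's UPN.
$rpName   = 'Microsoft Office 365 Identity Platform'
$owaGroup = 'S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-2107'
$testUpn  = 'shelleyc@mycompany.com'

# Claim types exactly as they appear in the 500/501 events quoted in the thread.
$insideCorp = 'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork'
$endpoint   = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path'
$groupSid   = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$denyType   = 'http://schemas.microsoft.com/authorization/claims/deny'

# Differences from the posted rule:
#  - no x-ms-forwarded-client-ip term (so no second IP signal and no stray "]" in a regex)
#  - exact match (==) on the group SID instead of \b...\b
#  - endpoint path matched with an anchored .NET regex: the log shows "/adfs/ls/", the
#    posted rule compared == "/adfs/ls", which is why that condition was never true
$denyRule = @"
@RuleName = "Deny OWA from outside the corporate network unless in Allow OWA group"
exists([Type == "$insideCorp", Value == "false"])
 && exists([Type == "$endpoint", Value =~ "(?i)^/adfs/ls/?`$"])
 && NOT exists([Type == "$groupSid", Value == "$owaGroup"])
 => issue(Type = "$denyType", Value = "true");
"@

# Authorization rules are evaluated as a set; a deny claim wins over a permit claim,
# so the existing rules (typically "Permit Access to All Users") can stay in place.
$rp       = Get-AdfsRelyingPartyTrust -Name $rpName
$existing = $rp.IssuanceAuthorizationRules
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules ($denyRule + "`n" + $existing)

# Verify the rule set that is now in effect.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules

# Check what the engine actually saw for the test user. AD FS writes the 500/501 claim
# dumps to the Security log under the "AD FS Auditing" provider; success/failure auditing
# must be enabled in Federation Service Properties and with
#   auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ProviderName = 'AD FS Auditing'; Id = 500, 501 } -MaxEvents 200 |
  Where-Object { $_.Message -match [regex]::Escape($testUpn) } |
  ForEach-Object {
    # Pull just the claims the deny rule depends on, one "type = value" line each.
    [regex]::Matches($_.Message, '(insidecorporatenetwork|x-ms-endpoint-absolute-path|groupsid|authorization/claims/deny)\s+(\S+)') |
      ForEach-Object { '{0,-30} = {1}' -f $_.Groups[1].Value, $_.Groups[2].Value }
  } | Sort-Object -Unique
```

If the user is outside (insidecorporatenetwork false), hits /adfs/ls/, and the printed groupsid list does not contain the Allow OWA SID, the output should now also show a deny claim with value true, and the sign-in fails at AD FS. Test with a user in the group as well, to confirm the exception works, and do this on a test relying party or outside business hours: a mistake in an authorization rule on the Office 365 trust locks everyone out of the service.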