Forum Discussion
ADFS Claims Based Rules - I'm stuck!
- Oct 26, 2016
Which version are you using? x-ms-proxy only works with the 2008 R2 version, if you are on 2012 R2 you should use insidecorporatenetwork. If your clients are Office 2016/Office 2013 SP1, you most likely have modern authentication enabled and all traffic will be hitting the passive endpoint (/adfs/ls), so you should account for this. To monitor the rules, check your event logs (assuming auditing is enabled for AD FS).
I have had some success with using insidecorporatenetwork and as a result I am trying to re-engineer my rules. I am currently trying to block OWA for users outside our walls and NOT in a specific security group. I am not having luck. Here is my rule:
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]) && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "\b1XX.XXX.XX.4]\b"]) && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls"]) && NOT exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "\bS-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-2107\b"]) => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
The user I am testing with is not a member of my Allow OWA group, and therefore I would expect the attempt to fail. If I look in my event log here is what I see for this particular authentication attempt - which succeeds.
These are all event id 500 or 501:
Issued identity:
http://schemas.xmlsoap.org/claims/UPN shelleyc@mycompany.com
http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID <redacted>
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier <redacted>
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant 2016-10-28T18:16:55.203Z
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Caller identity:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/implicitupn shelleyc@mycompany.local
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant 2016-10-28T18:16:55.203Z
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn shelleyc@mycompany.com
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-513
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-2104
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name mycompany\shelleyc
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname mycompany\shelleyc
http://schemas.microsoft.com/claims/authnmethodsreferences urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-513
Caller identity:
http://schemas.microsoft.com/2012/01/requestcontext/claims/client-request-id 1f08feb8-927f-4e6f-ad8a-0859da3a4398
http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid https://login.microsoftonline.com/login.srf
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip 66.XXX.XX.19
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip 66.XXX.XX.19
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip 40.XXX.XXX.225
Caller identity:
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-1-0
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-32-545
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-2
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-11
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-15
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-18-2
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path /adfs/ls/
http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork false
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy sic-wap-a
Caller identity:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/implicitupn shelleyc@mycompany.local
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant 2016-10-28T18:16:55.203Z
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn shelleyc@mycompany.com
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-513
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-2104
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name mycompany\shelleyc
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname mycompany\shelleyc
http://schemas.microsoft.com/claims/authnmethodsreferences urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-513
Caller identity:
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-1-0
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-32-545
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-2
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-11
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-15
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-18-2
Issued identity:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/implicitupn shelleyc@mycompany.local
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant 2016-10-28T18:16:55.203Z
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn shelleyc@mycompany.com
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-513
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-513
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-1-0
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-32-545
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-2
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-11
Issued identity:
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-15
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-18-1
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-2104
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name mycompany\shelleyc
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname mycompany\shelleyc
Caller identity:
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname mycompany\shelleyc
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn shelleyc@mycompany.com
Caller identity:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name mycompany\shelleyc
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-2104
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-513
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-513
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-1-0
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-32-545
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-2
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-11
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-15
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-18-1
The missing piece is this user does not match the groupsid in the rule - which I would expect to issue a deny???
Thanks
Steve
There seems to be an extra bracket in the rule you entered:
Value =~ "\b1XX.XXX.XX.4]\b"
Also, try doing an exact match against the group SID, for example:
exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-...."])
Lastly, I'd recommend avoiding the use of both insidecorporatenetwork and x-ms-forwarded-client-ip in the same rule.
- Stephen Bell, Nov 02, 2016, Iron Contributor
Looks like I finally got this - turns out I was missing a "/" on the "/adfs/ls" portion of the rule.
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]) && NOT exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "S-1-5-21-XXX-XXX-XXX-2107"]) && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"]) => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
Thank you for your help with this. Now on to doing the same thing with Outlook access.
Steve
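To make the fix above concrete, here is an added example (not code from the thread or from AD FS itself) that mirrors the claim-rule `exists([...])` test in Python and runs Stephen's OWA deny rule against a constructed claim set modelled on the event 500/501 output earlier in the thread. The group SID, claim values and the `owa_deny`/`exists` helpers are assumptions made for the example; it shows why `Value == "/adfs/ls"` never matched the logged `/adfs/ls/` and why the trailing slash made the deny fire.

```python
import re

# Claim types used by the rules in this thread (names as AD FS emits them).
INSIDE_CORP = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
GROUP_SID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
ENDPOINT = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path"

# Constructed claim set modelled on the event log above; the domain SID
# is a placeholder, not a real one.
ALLOW_OWA_SID = "S-1-5-21-1111111111-2222222222-333333333-2107"
CLAIMS = [
    (INSIDE_CORP, "false"),
    (ENDPOINT, "/adfs/ls/"),          # trailing slash, exactly as logged
    (GROUP_SID, "S-1-5-21-1111111111-2222222222-333333333-513"),
    (GROUP_SID, "S-1-1-0"),
    (GROUP_SID, "S-1-5-11"),
]

def exists(claims, ctype, value=None, regex=None):
    """Mirror of exists([Type == ..., Value == ... / Value =~ ...])."""
    for t, v in claims:
        if t != ctype:
            continue
        if value is not None and v != value:                # == is exact
            continue
        if regex is not None and not re.search(regex, v):   # =~ is regex
            continue
        return True
    return False

def owa_deny(claims, endpoint_path):
    """Deny when external, not in the allow group, and on the passive endpoint."""
    return (exists(claims, INSIDE_CORP, value="false")
            and not exists(claims, GROUP_SID,
                           regex=r"\b" + re.escape(ALLOW_OWA_SID) + r"\b")
            and exists(claims, ENDPOINT, value=endpoint_path))

def deny_with_original_path(claims=CLAIMS):
    return owa_deny(claims, "/adfs/ls")     # exact compare fails vs "/adfs/ls/"

def deny_with_fixed_path(claims=CLAIMS):
    return owa_deny(claims, "/adfs/ls/")

if __name__ == "__main__":
    print("original rule denies:", deny_with_original_path())   # False
    print("corrected rule denies:", deny_with_fixed_path())      # True
    # Same user, but a member of the allow group: must not be denied.
    member = CLAIMS + [(GROUP_SID, ALLOW_OWA_SID)]
    print("allow-group member denied:", deny_with_fixed_path(member))  # False
```

The same helper lets you replay any claim set copied from an event 500/501 against a draft rule before deploying it, which is cheaper than iterating on the live AD FS farm.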
- Kevin Blumenfeld, Jan 15, 2017, Copper Contributor
Stephen,
Were you ever able to "Block external Outlook access unless user is in the ADFS_Allow External Outlook AD Security Group"? If so, would you be able to share the syntax you used to accomplish the task please? Also, is Modern Authentication enabled in your tenant?
Thank you,
Kevin
- Stephen Bell, Jan 15, 2017, Iron Contributor
Kevin --
I never got it to work - but to be honest, I had to put it down and work on other, higher priority projects. That being said - I had a rule that seemed to work *sometimes*, and I couldn't pin down exactly what was going on. I did learn a lot about reading the logs and I intend to pick this up again in the future.
I believe this is where I left off:
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]) && NOT exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "S-1-5-21-xxx-xxx-xxx-xxxx"]) && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/services/trust/2005/usernamemixed"]) && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "???????"]) => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
I believe the x-ms-client-application should be Microsoft.Exchange.RPC OR Microsoft.Exchange.ActiveSync (not sure on the case), OR Microsoft.Exchange.Autodiscover (not sure on case), OR Microsoft.Exchange.Webservices. I just never got the syntax quite right.
Also - my clients are not using modern authentication. Last I knew, all modern authentication traffic presented itself to the adfs/ls endpoint and thus - you could not decipher active from passive connections. Maybe that has changed in the past couple of months?!?!
If this helps or you end up getting the rule right - please let me know. I would love to have someone working toward the same goal to bounce ideas off of.
Thanks
sb