ADFS Claims woes again!


A few weeks ago, I posted about an issue with a claims rule to restrict external OWA access unless the user is in an AD group.  Now I am looking to do the same with Outlook/mobile devices - only allow access if the user is a member of an AD group.  My ADFS environment is load balanced in Azure - on Win 2012 R2.


I am using this TechNet blog post as a general direction - but I am not seeing what I would expect.  Trying to step into it, I figured I would first try to block ALL external Outlook with this rule:


exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
&& exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/services/trust/2005/usernamemixed"])
&& exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value =~ "Microsoft.Exchange.RPC|Microsoft.Exchange.WebServices"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

I read this as:  (hopefully I am correct)

IF (inside corporate network = false AND Claim = Active AND  (application = RPC OR EWS))

THEN deny claim.


Once I get the above nailed down, it seems that I should be able to just add in the security group filter.


Any assistance would be appreciated.

Thanks

Steve


4 Replies

The blog post is a bit too old and does not take Modern authentication in account. I've put some pointers here: http://blog.enowsoftware.com/solutions-engine/ad-fs-claims-rules-and-modern-authentication

Thanks for this - it was an interesting read.  I have adjusted my rules and I feel like I am missing it in the other direction.  When I originally posted - I felt like people that should be getting blocked were allowed in.  Now I am in the reverse situation, everyone is blocked.


In my lab I am on Office 2016 - Modern Authentication is NOT enabled.


Here is where I am at:

exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
 && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/services/trust/2005/usernamemixed"])
 && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value =~ "Microsoft.Exchange.ActiveSync|Microsoft.Exchange.AutoDiscover"])
 && NOT exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "S-1-5-21-2560775519-1142356162-513121369-2108"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

if(insidecorporatenetwork = false and claim = active and application = (activesync OR autodiscover) and user not in allow_group) then deny.  Right?

The above seems to deny whether the user is in the allow group or not?!?  I believe I see all of the claims I want to see in my 500, 501 events in my security log?!?  


Am I missing something obvious??


EDIT:  Maybe I do have this and my testing has been invalid?  Today I decided to start from scratch and rebuild all of my Outlook profiles for my 3 test users.  This is where I am confused.  I cannot add the account to an Outlook client even if the user is in the group to allow access.  However, I just re-enabled 2 of the accounts on my phone (iOS Mail app) and the user that should have access is able to get in.  A user that should not, does not.  Is there something different going on with adding the profile to Outlook?  I also tried to do some testing using the Exchange connectivity tester and saw the desired results.  Would that be considered an accurate test?  Really hoping to nail this down as my O365 trial expires tomorrow.


Thanks,

Steve

Try changing "AutoDiscover" to "Autodiscover" as by default claims rules are case sensitive.
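To check the logic of the deny rules posted above (the RPC/EWS rule in the first post and the ActiveSync/Autodiscover rule with the group filter) against claim sets like the ones shown in the 500/501 audit events, here is a small Python model of how `exists([Type == ..., Value == ...])` and `Value =~ ...` evaluate. It is an added example, not ADFS's own engine or anyone's code from this thread; it assumes `==` is an exact, case-sensitive string compare and `=~` is a case-sensitive regex search, which is consistent with the case-sensitivity point made in the reply above.

```python
import re

# Claim type URIs used by the rules in this thread.
INSIDE = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
PATH = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path"
APP = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application"
GROUPSID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
ACTIVE_ENDPOINT = "/adfs/services/trust/2005/usernamemixed"
ALLOW_GROUP = "S-1-5-21-2560775519-1142356162-513121369-2108"  # allow-group SID from the thread


def exists(claims, ctype, value, regex=False):
    """Model of exists([Type == ctype, Value == value]) (regex=False)
    and exists([Type == ctype, Value =~ value]) (regex=True).
    Assumption: '==' is an exact match and '=~' a case-sensitive regex search,
    so 'A|B' only expresses OR under '=~', and 'AutoDiscover' != 'Autodiscover'.
    Note the regex search is unanchored in this model; add ^...$ for a strict SID match."""
    for claim_type, claim_value in claims:
        if claim_type != ctype:
            continue
        if regex and re.search(value, claim_value):
            return True
        if not regex and claim_value == value:
            return True
    return False


def deny_external_mobile(claims, app_pattern="Microsoft.Exchange.ActiveSync|Microsoft.Exchange.Autodiscover"):
    """The second rule from the thread: deny when the request is external, hits the
    active (usernamemixed) endpoint, comes from ActiveSync/Autodiscover, and the user
    does NOT carry the allow-group SID. Returns True when the deny claim would be issued."""
    return (exists(claims, INSIDE, "false")
            and exists(claims, PATH, ACTIVE_ENDPOINT)
            and exists(claims, APP, app_pattern, regex=True)
            and not exists(claims, GROUPSID, ALLOW_GROUP, regex=True))


def sample_claims(app, group_sids, inside="false"):
    """Constructed claim set resembling what the 500/501 security events list."""
    claims = [(INSIDE, inside), (PATH, ACTIVE_ENDPOINT), (APP, app)]
    claims += [(GROUPSID, sid) for sid in group_sids]
    return claims


if __name__ == "__main__":
    member = sample_claims("Microsoft.Exchange.ActiveSync", [ALLOW_GROUP])
    outsider = sample_claims("Microsoft.Exchange.ActiveSync", ["S-1-5-21-2560775519-1142356162-513121369-513"])
    print("member denied:", deny_external_mobile(member))      # False
    print("non-member denied:", deny_external_mobile(outsider))  # True
```

Running the Autodiscover claim value through the rule with the original "AutoDiscover" spelling shows why nobody matched that branch before the case fix.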

Thank you again!


Now I am seeing a Microsoft.Exchange.Mapi in my log.  I haven't seen that yet.  Still not able to block anyone - but I will have to dig in to find out why this header is coming through.  I don't believe that I have seen this in any of the TechNet examples that I have read.


-Steve