SOLVED

ADFS Clear text password visible

We have integrated ADFS into one of our SharePoint applications for authentication. Our internal security team has performed a Vulnerability Assessment and found a high-severity VA point: the AD password is visible in clear text. They installed an interceptor tool and found the VA. When the user tries to access the portal from outside the network, they are redirected to the ADFS proxy page. The user provides the credentials; we started the interceptor tool, and this tool retrieved the credentials, which are passed through the viewstate in clear text format. But when we used the same tool to access bank sites (they may use form-based authentication and the credentials are encrypted), the tool retrieved the credentials in encrypted form. We need support in blocking the VA point of the clear text password being visible.

4 Replies
best response confirmed by VI_Migration (Silver Contributor)
Solution

I'm not quite sure what the problem is or where the interceptor you mentioned is located.

When a user enters credentials in the AD FS proxy, they are plain text. But the connection between the user's browser and the AD FS proxy is SSL secured, and so is the connection between the AD FS proxy and the AD FS server.
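As an added example (not code from this thread, from the poster, or from Microsoft), here is a small Python triage helper for exactly this kind of finding. It takes the sign-in page and the captured POST as raw HTTP text and answers the questions that decide whether the VA point is real: did the password cross the network outside TLS, could the form be downgraded to http, and is HSTS set so a later visit cannot be downgraded. The host sts.example.com, the sample messages and the AD FS form field names (UserName, Password, AuthMethod) are assumptions; substitute what your interceptor actually captured.

```python
"""Triage of a 'password visible in clear text' finding on a forms-based
AD FS / Web Application Proxy sign-in.

What it demonstrates: the question is whether the POST carrying the password
left the browser over TLS (and whether the form can be downgraded), not whether
an interceptor that sits inside the TLS tunnel can read the body. Any TLS
terminating proxy with its CA trusted on the client will always see the body.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlsplit


class _FormActions(HTMLParser):
    """Collect the action attribute of every <form> in a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action") or "")


def parse_http_message(raw):
    """Split a raw HTTP message into (start line, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def form_targets(page_url, html):
    """Absolute URLs the page's forms will post to (relative actions resolved)."""
    finder = _FormActions()
    finder.feed(html)
    return [urljoin(page_url, action) for action in finder.actions]


def triage(page_url, raw_login_page, raw_post, request_scheme, password_fields=("Password",)):
    """Classify the finding.

    request_scheme is the scheme the interceptor saw the POST travel on; it is
    'https' when the interceptor itself terminated TLS on the client.
    password_fields defaults to the AD FS forms sign-in field name (assumption).
    """
    _, page_headers, html = parse_http_message(raw_login_page)
    _, _, post_body = parse_http_message(raw_post)
    fields = parse_qs(post_body)

    result = {
        "password_in_post_body": any(f in fields for f in password_fields),
        "form_posts_to_https": all(urlsplit(t).scheme == "https" for t in form_targets(page_url, html)),
        "post_over_tls": request_scheme == "https",
        "page_over_tls": urlsplit(page_url).scheme == "https",
        "hsts": "strict-transport-security" in page_headers,
    }
    if result["password_in_post_body"] and not result["post_over_tls"]:
        result["verdict"] = "finding"   # the credential really crossed the network in the clear
    elif not (result["form_posts_to_https"] and result["page_over_tls"]):
        result["verdict"] = "finding"   # page or form action reachable over http: downgradable
    elif not result["hsts"]:
        result["verdict"] = "harden"    # TLS used, but nothing pins later visits to https
    else:
        result["verdict"] = "expected"  # plaintext only inside TLS; the interceptor was the TLS endpoint
    return result


# Constructed sample messages (not captured from a real system).
LOGIN_PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "\r\n"
    '<html><body><form method="post" action="/adfs/ls/">'
    '<input name="UserName"><input name="Password" type="password">'
    '<input type="hidden" name="AuthMethod" value="FormsAuthentication">'
    "</form></body></html>"
)

CAPTURED_POST = (
    "POST /adfs/ls/ HTTP/1.1\r\n"
    "Host: sts.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "UserName=CONTOSO%5Cjdoe&Password=Passw0rd%21&AuthMethod=FormsAuthentication"
)

if __name__ == "__main__":
    # Interceptor installed on the client and trusted as a CA: it saw the POST on https.
    print(triage("https://sts.example.com/adfs/ls/", LOGIN_PAGE, CAPTURED_POST, "https"))
```

If the interceptor (Burp, Fiddler or similar) was installed on the client with its own CA trusted, it is the TLS endpoint and will always show the body in clear; that is the "expected" verdict, and the remaining exposure is the compromised endpoint itself. The client-side encryption some bank sites apply to the password field does hide it from such a proxy, but it is a defence-in-depth measure on top of TLS, not a substitute for it; an attacker who controls the browser can read the field before the script encrypts it.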

I have also witnessed the same thing: inside the browser, if you inspect the connection, the username and password are visible in plain text, and they are very much visible to anyone who gains access to the PC/browser.

Microsoft is relying on the TLS connection when the communication from the browser to the server, and further to the Kerberos process, happens. That is perfect; no issue with it.

However, in case a malicious agent gains access to a browser, and that is very much possible, it is easy for them to find the password and username.

The tool is used for SSO; hence this password will enable them to gain access to all the applications.

In my opinion, the form-based authentication should be encrypted, at least the password at the time the user has entered it.



Have you found the root cause?

@Preeti Kawa 

Check your SSO setup. Are you using SAML?
