ADFS Cert problem

ntr2def asked:
I currently have a lab with one ADFS server and one Web Application Proxy. I can access ADFS when I attempt to log on against portal.office.com. However, when I switch to using certificate authentication, the moment I select "sign in using X.509 certificate" the next page says "Select a certificate that you want to use for authentication. If you cancel the operation, please close your browser and try again." However, I do not get a screen to select my user certificate. Both servers have the root CA from my own AD CA. Any ideas?

Most Valuable Expert 2015
Distinguished Expert 2018

Commented:
Make sure you are not blocking port 49443: https://technet.microsoft.com/en-us/library/dn554247.aspx

In addition, if client user certificate authentication (clientTLS authentication using X509 user certificates) is required, AD FS in Windows Server 2012 R2 requires that TCP port 49443 be enabled inbound on the firewall between the clients and the Web Application Proxy. This is not required on the firewall between the Web Application Proxy and the federation servers).

Also, there were some known issues with Firefox; in case you are using that, try a different browser.

Author

Commented:
Port 49443 is already enabled inbound. I've also tested that I can reach it with no problem over that port, so that isn't the case. I've also used Chrome, Edge and IE as far as browsers are concerned.

Author

Commented:
I should add that the lab is in Azure and I have the endpoint defined for 49443 to the web app proxy.

Most Valuable Expert 2015
Distinguished Expert 2018

Commented:
Having it in Azure might be a problem; this means that you have a CNAME record for the AD FS FQDN, and I'm not sure if certificate auth will work in such a scenario.
Most Valuable Expert 2015
Distinguished Expert 2018

Commented:
Actually, Azure seems to be OK. I brought my AD FS VM in Azure Online and it seems to work fine.

Have you checked the SSL bindings? Is 49443 listed there, is it associated with the AD FS app, does it have Negotiation enabled? Especially if you have changed the certificate in the past.

Author

Commented:
As far as I can tell, when I do a Get-AdfsSslCertificate it shows the public cert sts.hostname.net bound to 49443. When you say "is the negotiation enabled", are you talking about whether the endpoint is enabled for certificatemixed?

Author

Commented:
Negotiate Client Certificate is Enabled as well:
Hostname:port                : sts.hostname.net:49443
Certificate Hash             : removed
Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
Certificate Store Name       : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check                  : Enabled
Revocation Freshness Time    : 0
URL Retrieval Timeout        : 0
Ctl Identifier               : (null)
Ctl Store Name               : (null)
DS Mapper Usage              : Disabled
Negotiate Client Certificate : Enabled
Most Valuable Expert 2015
Distinguished Expert 2018

Commented:
Perhaps I spoke too soon; I seem to have it working at times only. IE in particular doesn't seem to display the certificate selector popup, or it automatically selects it (if only one cert is present).

The setup above seems correct. You might need a binding for 0.0.0.0:49443 if you are using a wildcard certificate, in order to handle non-SNI capable clients, but that's another issue.

I'm out of ideas. Check the Event logs, the AD FS admin one might give some clue. Other than that, Fiddler traces...

Author

Commented:
I did a Fiddler trace and selected the user cert.

I got an error now:

An error occurred
Authentication attempt failed. Select a different sign in option or close the web browser and sign in again. Contact your administrator for more information.

Activity ID: 00000000-0000-0000-3900-0080000000e1
Relying party: Microsoft Office 365 Identity Platform
Error time: Fri, 15 Jan 2016 01:48:26 GMT
Cookie: enabled
User agent string: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36

In the correlating Event on the ADFS server:

Encountered error during federation passive request.

Additional Data

Protocol Name:
wsfed

Relying Party:
urn:federation:MicrosoftOnline

Exception details:
Microsoft.IdentityServer.AuthenticationFailedException: There is a problem with the X509Certificate provided by the client. The error code is: -2146762487
   at Microsoft.IdentityServer.Web.Authentication.TlsClientAuthenticationHandler.ProcessIntranetRequest(ProtocolContext context, WrappedHttpListenerRequest request)
   at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolTlsClientListener.OnGetContext(WrappedHttpListenerContext context)

ADFS Audit Log:

An HTTP request was received.

Activity ID: 00000000-0000-0000-3900-0080000000e1

Request Details:
    Date And Time: 2016-01-15 01:48:26
    Client IP: 10.1.0.37
    HTTP Method: POST
    Url Absolute Path: /adfs/ls/
    Query string: ?lc=1033&username=test.user%4hostname.net&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%3drQIIAbNSzigpKSi20tcvyC8qSczRy09Ly0xO1UvOz9XLL0rPTAGxioS4BIp8he7ZcNr49Ncyizpc2lC4ilENp079nMS8lMy8dL3E4oKKC4yMXUwshgbGxpuYWH2dfZ08TzBNOCt3i0nQvyjdMyW82C01JbUosSQzP-8RE29ocWqRf15OZUh-dmreJGa-nPz0zLz44qK0-LSc_HKgAND4gsTkkviSzOTs1JJdzCpmlpYmJsaGJrrJiYbJuiZm5ka6lmlG5rppxqnJxqlJJmapaYkHWDaEXGAR-MHCuIvTljhn25ckFqWnltiqGqWlAE0ozSkBCwMA0&popupui=
    Local Port: 49443
    Local IP: 10.1.0.55
    User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36
    Content Length: 58
    Caller Identity: -
    Certificate Identity (if any): -
    Targeted relying party: -
    Through proxy: False
    Proxy DNS name: -


So for whatever reason that cert gave me a deny; when I turn Fiddler off it goes back to what it was doing normally, which was nothing.

Author

Commented:
I do see it tunnel to sts.hostname.net:49443 and I see the certificate info that is used for the user mapped. In the trace I do see this:

div class="content-container"><fieldset>
  <h2>403 - Forbidden: Access is denied.</h2>
  <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>

Essentially, without the cert loaded into Fiddler I get:

  <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
  <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
 </fieldset></div>

So I'm guessing my certificate isn't set up correctly?
Most Valuable Expert 2015
Distinguished Expert 2018

Commented:
Either that, or it's simply the CNAME that's causing issues. Or the fact that it's in Azure as a whole and might be subject to things like SSL offload, stateful packet inspection etc. (pretty much what's described in this article, apart from the CNAME: https://support.microsoft.com/en-us/kb/2461628).

I'll try asking around, but AD FS is covered by another expertise so I don't have direct access to the product group there. I guess you can open a support ticket to get a clear statement on this.
Commented:
So I figured it out. I built another lab, fresh install, recreated everything, then added the CA. Created a regular user cert. Created a server cert for the ADFS server and it was working. However, it wasn't until I created a public cert and did some testing that I noticed the issue had reoccurred. I thought maybe I generated the CSR wrong. I switched back to the server cert I requested from the CA and the certificate prompt started working, but when I switched it back to the public cert the issue reoccurred. After about the third public cert I recreated, I noticed that the public cert had one extra EKU the server cert didn't have, which was Client Authentication. So once more I generated a CSR without the Client Auth. The public cert still had the Client Auth added as part of the EKU. So I disabled it from the cert's properties. Once I did that I was able to authenticate with the user certificate.

ADFSCertFix.png
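A check for the condition described in the resolution above, added here as an example and not code from the thread: it walks the AD FS SSL bindings, confirms a 49443 binding exists, and flags a service certificate that carries the Client Authentication EKU alongside Server Authentication. It assumes it is run as an administrator on the AD FS server (Server 2012 R2 or later) with the ADFS PowerShell module present, and that Get-AdfsSslCertificate exposes HostName, PortNumber and CertificateHash.

```powershell
# Added example (not from the thread). Run on the AD FS server as administrator.
# Assumes the ADFS module is loaded and the binding cert lives in LocalMachine\My.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Get-CertEkuOids {
    # Returns the EKU OIDs of a certificate as an array of strings (empty if no EKU extension).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

$bindings = Get-AdfsSslCertificate   # assumed to return HostName, PortNumber, CertificateHash
if (-not ($bindings | Where-Object { $_.PortNumber -eq 49443 })) {
    Write-Warning 'No SSL binding on TCP 49443: the certificate-auth endpoint cannot be served.'
}

foreach ($b in $bindings) {
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $b.CertificateHash }
    if (-not $cert) {
        Write-Warning "$($b.HostName):$($b.PortNumber) -> cert $($b.CertificateHash) not in LocalMachine\My"
        continue
    }
    $ekus = Get-CertEkuOids -Cert $cert
    $verdict = 'OK'
    if ($ekus -notcontains $ServerAuthOid) {
        $verdict = 'missing Server Authentication EKU'
    } elseif ($ekus -contains $ClientAuthOid) {
        # This is the state the thread ended on: the poster cleared Client Authentication
        # in the certificate's properties (purposes) and the user-cert prompt started working.
        $verdict = 'has Client Authentication EKU - review certificate purposes and re-test'
    }
    [pscustomobject]@{
        Binding = "$($b.HostName):$($b.PortNumber)"
        Subject = $cert.Subject
        EKUs    = ($ekus -join ', ')
        Verdict = $verdict
    }
}
```

Compare the output against the netsh http show sslcert listing earlier in the thread; the binding on 49443 should also show Negotiate Client Certificate as Enabled, which this script does not check.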

Author

Commented:
I solved the issue myself.