MikeYabar-0853 asked MarcelPalme-8257 answered

ADFS 4 and SharePoint 2016 with non-claims-aware applications ISSUES

We have successfully deployed ADFS v4 + WAP (on-prem Windows Server 2016) and we are publishing SharePoint 2016 and Skype for Business, and also using ADFS as an IdP to access quite a few cloud-based applications with SAML.

Now, in order to have SharePoint 2016 working properly, we have published it as "non-claims-aware", so it is using Kerberos/Windows integrated authentication instead, and we have NO issues.

You are probably aware that if we publish SharePoint as "claims-aware" we will encounter issues with the people picker, searches, etc. that don't work properly, and in order to address some of these issues we need to deploy a third-party claims provider app, LDAPCP, and MS clearly states "LDAPCP isn't a Microsoft product and isn't supported by Microsoft Support" (https://docs.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/implement-saml-based-authentication-in-sharepoint-server). So, this configuration was a no-go for our production environment.

Moving forward to 2021, we need to enhance security in our ADFS deployment, so we are looking for different ways to protect our ADFS+WAP environment, and so far the only way we have found, which is published on the MS site as well, is to replace the WAP role with one of two third-party solutions:
- F5 BIG-IP (APM+LTM) or
- Citrix ADC (premium license); both solutions will add load balancing, WAF, etc.

So far, this is looking great! BUT, here is our huge headache: which of these two products still has the option to keep using "non-claims-aware\Kerberos authentication" to publish applications? Or does MS have another way/workaround to add all these security features (WAF, DDoS protection, LB, etc.) to an ADFS+WAP farm?

Thanks and I look forward to hearing from you.


No comments, anyone?


I can't comment on the features offered by the two third-party products you mentioned.

For the rest, as you pointed out, if you publish SP as a claims-aware app, then the people picker is affected. It is more a question for the SP folks, and the article you pointed to explains how to work around it or use a third-party plugin for it.

WAP offers throttling protection out of the box, so in case of DoS the WAP will be protecting the SP farm. It also offers protection against password-based attacks (extranet smart lockout policy). And you can extend the capabilities of ADFS with the 2019 Risk Assessment Model plugin as described here:
- https://github.com/Microsoft/adfs-sample-RiskAssessmentModel-RiskyIPBlock
- https://github.com/microsoft/adfs-sample-block-user-on-adfs-marked-risky-by-AzureAD-IdentityProtection

Load balancing should ideally be achieved with hardware load balancers, although you could leverage some cloud services for it too.
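Checking and hardening the extranet smart lockout mentioned above, as an added example that is not from any poster in this thread: the cmdlets and property names are those of the ADFS PowerShell module on Windows Server 2016 (with the update that introduced smart lockout) and 2019; the function name and the threshold and window values are this example's own choices.

```powershell
# Added example: audit the AD FS extranet lockout posture, then show the corrected
# settings. Run on an AD FS farm node, not on the WAP. Function name and the numeric
# limits are choices made for this example, not Microsoft defaults.
function Test-AdfsExtranetLockoutPosture {
    [CmdletBinding()]
    param(
        [int]$MaxAcceptableThreshold = 15,   # example value: max bad passwords per window
        [int]$MinObservationMinutes  = 30    # example value: shortest acceptable window
    )
    $p = Get-AdfsProperties
    $findings = @()

    if (-not $p.ExtranetLockoutEnabled) {
        $findings += 'Extranet lockout is disabled: password guessing through the WAP is not throttled by AD FS.'
    }
    # ADFSSmartLockoutLogOnly only records decisions; ADFSSmartLockoutEnforce actually blocks.
    if ($p.ExtranetLockoutMode -ne 'ADFSSmartLockoutEnforce') {
        $findings += "ExtranetLockoutMode is '$($p.ExtranetLockoutMode)'; expected ADFSSmartLockoutEnforce."
    }
    if ($p.ExtranetLockoutThreshold -gt $MaxAcceptableThreshold) {
        $findings += "ExtranetLockoutThreshold is $($p.ExtranetLockoutThreshold); a lower value limits guesses per window."
    }
    if ($p.ExtranetObservationWindow.TotalMinutes -lt $MinObservationMinutes) {
        $findings += "ExtranetObservationWindow is $($p.ExtranetObservationWindow); a short window resets the counter too quickly."
    }
    # Return an object so the result can be logged or fed to monitoring.
    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
        Observed  = $p | Select-Object ExtranetLockoutEnabled, ExtranetLockoutMode,
                                       ExtranetLockoutThreshold, ExtranetObservationWindow
    }
}

$result = Test-AdfsExtranetLockoutPosture
$result.Findings | ForEach-Object { Write-Warning $_ }

# Remediation, to run after reviewing the findings. Microsoft's guidance is to start in
# LogOnly mode so legitimate users who would be locked out show up in the logs first.
if (-not $result.Compliant) {
    Set-AdfsProperties -EnableExtranetLockout $true `
                       -ExtranetLockoutThreshold 15 `
                       -ExtranetObservationWindow (New-TimeSpan -Minutes 30) `
                       -ExtranetLockoutMode ADFSSmartLockoutLogOnly
    Restart-Service adfssrv   # the mode change takes effect after the service restarts
    # Once the log-only period shows no false positives:
    # Set-AdfsProperties -ExtranetLockoutMode ADFSSmartLockoutEnforce
}
```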

You might also want to take a look there:
- Tutorial: Azure Active Directory single sign-on integration with SharePoint on-premise https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial


Be careful when using SharePoint and non-claims-aware. As I unfortunately had to find out, Microsoft has implemented a large security vulnerability here. With this vulnerability it is possible to take on someone else's identity. The fix from Microsoft is a joke ... it only reduces the time window in which I can take advantage of it. Unfortunately it seems that this vulnerability will not be fixed. Unfortunately, Microsoft only refers to the Azure AD proxy here.

https://support.microsoft.com/en-us/topic/hotfix-enables-ad-fs-token-replay-protection-for-web-application-proxy-authentication-tokens-in-windows-server-2012-r2-fab71cea-6454-f6a8-e61c-2c1ffa672cfb

MarcelPalme-8257 answered

Yes, that's the way I use ADFS based on Server 2019 myself.

Marcel

MikeYabar-0853 answered

Hi MarcelPalme-8257,

Thanks for the update. Are you aware whether this vulnerability is present on Windows Server 2016 or 2019? That KB refers to W2012 R2 only.

Mike

MikeYabar-0853 answered

Thanks for the reply Piaudonn!
