question

parsh4 avatar image
0 Votes"
parsh4 asked piaudonn commented

ADFS Claim Rules

Hello folks! We have a bit of situation. I will try to sum it up. We have a mdm server, and our staff wants our adfs to block other traffics if the request comes through active sync protocol. I have written these rules below, but whenever i activate them and restart adfs service, some random users getting asked their passwords again and again on Outlook client (the small window where outlook asks for your username and password).

 c1:[Type == "https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "\b100\.100\.100\.100\b"]
    
 => issue(Type = "http://custom/mdm", Value = "true");

This rule defines the server i was talking about, which has the 100.100.100.100 ip let's say.


 c1:[Type == "http://custom/mdm", Value != "true"] 
    
 && c2:[Type == "https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value =~ "Microsoft.Exchange.ActiveSync"]
    
 => issue(Type = "https://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");

Second rule is, if the traffic is not coming from 100.100.100.100 AND protocol is active sync, block the connection. I am not sure about this one.

 c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5....", Issuer =~ "^AD AUTHORITY$"]
    
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

We also have a exception active directory group, this one works well, no problems.

 c:[]
 => issue(Type = "https://schemas.microsoft.com/authorization/claims/permit", Value = "true");

And lastly permit all other connections rule. I have tried this one with c:[] and without c:[]. I am not sure if i should put it there.
Any ideas? What could be the reason of these Outlook password behaviours?

adfs
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Do you happen to hace the logs that comes up on the ADFS server when the attempts are made?If that's linked to the rule it will be clear in the logs.

0 Votes 0 ·

0 Answers