Multi Factor Authentication (MFA) Using ADFS 3.0 and Certificates

I had to implement MFA using ADFS 3.0 and internally signed certificates in order to authenticate external users against Office 365 services. There were a few niggles along the way, but on the whole it was a relatively easy process to complete. The design brief stated that only domain-joined devices from outside the corporate LAN can consume Office 365 services. In addition, these users must perform multi-factor authentication only when outside the corporate LAN. I am pretty sure that the design could have been achieved using Azure MFA and a few claim rules in ADFS. However, the customer liked the relatively simple management and roll-out that certificate-based MFA provides.

In order to set this up you need the following installed and in production:

  • ADFS 3.0 farm
  • WAP (Web Application Proxy)
  • Active Directory Certificate Services
  • Web publishing point for your CA revocation lists
  • Port TCP 49443 open inbound to your WAP server VIP

Once you have these prerequisites in place you can start to configure MFA.

1. Create a Security Group in Active Directory; call it what you like, e.g. AutoEnrollGroup. Users must be members of this group to auto-enroll for user certificates.

2. Next, create a Group Policy called MFA-Cert_Enrol and link it to your Users OU.

Edit the Group Policy and make the following changes under

User Configuration/Policies/Security Settings/Public Key Policies

Enable Certificate Services Client – Auto-Enrollment

Enable Renew and Update settings

3. In the same Group Policy, enable Certificate Services Client – Certificate Enrollment Policy.

Once enabled, the Active Directory enrollment policy settings should be populated automatically.

Close the Group Policy editor.

4. Open your certificate authority and manage certificate templates. Right-click the User certificate template and choose Duplicate Template.

5. Change the Certification Authority compatibility setting to the oldest OS your CA servers run. For me it was Server 2012.

6. On the General tab, give the template a distinguishable name, e.g. MFA Certificate, and adjust the validity period as required (3 years for me).

7. On the Request Handling tab, clear the option that allows the private key to be exported.

8. Under the Security tab, add the group you created in step 1 and assign it the Enroll and Autoenroll permissions.

9. Under Extensions, select Application Policies and remove everything except Client Authentication.

10. Go back to your CA, right-click Certificate Templates and choose New > Certificate Template to Issue.

11. Select the certificate template you created, e.g. MFA Certificate.

12. Confirm that the template now appears as available for issue on your CA.

13. Add a test user to the security group you made in step 1, log on to a machine as that user and check that a certificate has been installed in their personal certificate store.

If the certificate is there, you have done the hard part!

14. On all ADFS servers, make sure you have allowed TCP port 49443 inbound to these servers on your firewall (if you have one).

15. Open the ADFS Management Console, select Authentication Policies and then Edit Multi-factor Authentication Policy.

16. Select Certificate Authentication from the Authentication Methods. Note that I am not enabling MFA at the global level because there are other Relying Party Trusts I do not want to enable MFA for.

17. Select Per Relying Party Trust Authentication Policies, select Office 365 Identity Platform and then Edit MFA Authentication Policy.

18. Under Locations, select Extranet.

19. There should be no need to configure anything on the WAP servers, as they pick up the ADFS configuration automatically. However, ensure that port 49443 is not blocked by Windows Firewall on them, and make sure that your external-facing firewall NATs 49443 to your WAP servers.

20. Test from an external network; MFA should now be enabled and working.
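To confirm that the ADFS side of steps 14 to 19 actually ended up in the configuration, here is an added verification script (not from the original post) to run on an ADFS 3.0 farm member; it assumes the Office 365 relying party carries its default display name "Microsoft Office 365 Identity Platform" and that the farm is published as adfs.domain.com.

```powershell
# Added verification script, not from the original post. Run in an elevated PowerShell
# session on an ADFS 3.0 farm member after step 20. Assumes the Office 365 relying party
# uses its default display name "Microsoft Office 365 Identity Platform" and that the
# farm is published as adfs.domain.com, as in the post.
Import-Module ADFS

$RpName     = 'Microsoft Office 365 Identity Platform'   # assumption: default RP name
$FarmName   = 'adfs.domain.com'
$ClientPort = 49443

# Step 16: certificate authentication must be registered as an additional (MFA) provider.
$policy = Get-AdfsGlobalAuthenticationPolicy
if ($policy.AdditionalAuthenticationProvider -notcontains 'CertificateAuthentication') {
    Write-Warning 'Certificate Authentication is not enabled as an MFA method (step 16).'
}

# Steps 17-18: ticking Extranet under Locations makes ADFS write an additional
# authentication rule on the trust: insidecorporatenetwork == "false" => multipleauthn.
$rp = Get-AdfsRelyingPartyTrust -Name $RpName
if (-not $rp) {
    Write-Warning "Relying party '$RpName' not found; check its name in the ADFS console."
} elseif ($rp.AdditionalAuthenticationRules -notmatch 'insidecorporatenetwork"\s*,\s*Value\s*==\s*"false"' -or
         $rp.AdditionalAuthenticationRules -notmatch 'http://schemas\.microsoft\.com/claims/multipleauthn') {
    Write-Warning "No extranet MFA rule on '$RpName' (steps 17-18). Current rules:`n$($rp.AdditionalAuthenticationRules)"
}

# Steps 14 and 19: client certificates are negotiated on TlsClientPort (49443 by default),
# so the HTTP.SYS SSL binding on that port must request a client certificate and the port
# must be reachable through the firewall (and, from outside, through the WAP).
$props = Get-AdfsProperties
if ($props.TlsClientPort -ne $ClientPort) {
    Write-Warning "TlsClientPort is $($props.TlsClientPort); the post and firewall rules assume $ClientPort."
}
$sslBindings = netsh http show sslcert | Out-String
if ($sslBindings -notmatch ":$ClientPort\s") {
    Write-Warning "No SSL binding is registered on port $ClientPort on this server."
}
if ($sslBindings -notmatch 'Negotiate Client Certificate\s*:\s*Enabled') {
    Write-Warning 'No SSL binding on this server negotiates client certificates.'
}
if (-not (Test-NetConnection -ComputerName $FarmName -Port $ClientPort -InformationLevel Quiet)) {
    Write-Warning "TCP $ClientPort to $FarmName is not reachable from here; check the firewall (step 14) or, externally, the WAP publishing and NAT (step 19)."
}
```

Run it from an external machine as well: the last check then exercises the NAT and WAP path rather than the internal listener.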

Troubleshooting

If this fails, check your ADFS event log. I experienced an error 364 which detailed that the certificate used had failed chain validation and that one of the CA certificates was not trusted by the ADFS server. I confirmed that the root and intermediate CA certs were in fact in the correct trusted machine stores, but this did not make a difference. In my scenario it turned out that the root CA was offline and the root CA certificate was not in the NTAuth certificate store on the ADFS servers. To resolve this I exported the root CA cert and then added it on the ADFS servers using the following command:

certutil -enterprise -addstore "NTAuth" rootca.cer

Another issue I came across was that, when accessing the MFA web page externally, the connection would reset and the page no longer displayed. This turned out to be because the WAP servers had been configured with a publishing rule for ADFS on port 443 only. Adding an additional publishing rule for https://adfs.domain.com:49443 solved this issue for me.
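The chain-validation failure behind error 364 can be reproduced outside ADFS. The following added diagnostic (not from the original post) builds the chain for the auto-enrolled user certificate with online revocation checking, flags CRL Distribution Points a non-domain WAP could not reach, and checks the NTAuth store; it assumes the template was named "MFA Certificate" as in step 6.

```powershell
# Added diagnostic, not from the original post. Run as the test user on a domain-joined
# machine to reproduce the chain validation ADFS performs (failures surface as error 364).
# Assumes the template was named "MFA Certificate" as in step 6; the template name only
# resolves on a domain-joined machine, otherwise match on the template OID instead.
$TemplateName  = 'MFA Certificate'
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, the only EKU left in step 9

# Find the auto-enrolled certificate: private key present, Client Authentication EKU, and
# the Certificate Template Information extension (1.3.6.1.4.1.311.21.7) names our template.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    $_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthEku -and
    (($_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' } |
        ForEach-Object { $_.Format($false) }) -match [regex]::Escape($TemplateName))
} | Select-Object -First 1
if (-not $cert) { throw "No '$TemplateName' certificate with a private key in the user store (steps 1-13)." }

# Step 9: Client Authentication should be the only application policy on the template.
$extraEkus = @($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -ne $ClientAuthEku })
if ($extraEkus.Count) { Write-Warning "Template also issues: $($extraEkus.FriendlyName -join ', ')" }

# Build the chain with online revocation checking for the whole chain, as ADFS does.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "Chain: $($_.Status) - $($_.StatusInformation.Trim())" }
}

# A non-domain WAP in the DMZ can only fetch CRLs over http://, so flag any certificate in
# the chain whose CRL Distribution Points extension (2.5.29.31) offers only ldap:// URIs.
foreach ($element in $chain.ChainElements) {
    $cdp = $element.Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } | Select-Object -First 1
    if (-not $cdp) { continue }
    $uris = [regex]::Matches($cdp.Format($true), '(?i)\b(?:ldap|http)://\S+') | ForEach-Object { $_.Value }
    if ($uris -and -not ($uris -match '^http://')) {
        Write-Warning "$($element.Certificate.Subject) publishes CRLs only via LDAP: $($uris -join ' ')"
    }
}

# On an ADFS server the root must also be in the local enterprise NTAuth store (the certutil
# fix above); certutil prints each certificate's serial number, so compare on that.
$root   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$ntAuth = certutil -enterprise -store NTAuth | Out-String
if ($ntAuth -notmatch [regex]::Escape($root.SerialNumber)) {
    Write-Warning "Root '$($root.Subject)' is not in the NTAuth store on this machine."
}
```

The NTAuth check only tells you something when run on an ADFS server itself, since that is the store the certutil command above populates.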

One thought on “Multi Factor Authentication (MFA) Using ADFS 3.0 and Certificates”

  1. When using an MS CA I found the WAP server failed auth requests from external clients because it could not check the revocation path on the certs. Certs issued by the MS CA had a CDP revocation path with an LDAP URI, and non-domain servers such as the WAP server in the DMZ cannot check the revocation path. I tried to change the revocation path to an HTTP URI but this broke the Root CA and Sub CA operation. The only way I got this to work was to use a standalone OpenSSL Certificate Server and specify CDP HTTP URIs that were reachable by both the WAP and ADFS server.
