
A quest to configure ADFS 2.0 on an alternative port

When I started setting up ADFS, a thought flashed through my head: "when it all works, I'll write an article on Habr, maybe I'll even get an invite out of it". But after a few days of fuss I reached a dead end; I could not solve the problem, and I decided to write this article in the hope that someone more experienced had already solved it, or that a solution would emerge in the discussion. That was yesterday. Overnight, half-asleep, I kept turning the problem over, and now this is an article about how I beat ADFS.

I will say right away that there is nothing ingenious here (while solving it I realized that I am out of my depth in many areas), but nevertheless I did not find this solution on Google. It all started when our company decided to implement Lync Online. I will not describe the implementation process; a write-up already exists. The implementation was successful, but there were a few problems.

First problem

The problem was with the certificate on the ADFS server: it was issued by our internal CA. For domain-joined computers this caused no trouble, since our CA certificate is pushed into Trusted Root Certification Authorities by group policy. For computers that were not joined to the domain, the problem was solved by adding it manually, which was not very convenient. For those computers I also had to reconfigure the CA to add an HTTP CDP (CRL distribution point) to the ADFS certificate, because the default LDAP CDP is not reachable from outside the domain, so revocation checking failed. But the problem stood at its full height with mobile devices, since adding a certificate to the trusted root CAs is not trivial on them.

We decided to use our existing GoDaddy certificate issued for *.contoso.ru. The only snag was that the domain the trust had been set up for was corp.contoso.ru and the ADFS server was named fs.corp.contoso.ru, so this certificate did not match it (a wildcard covers only one label). But it turned out that replacing the certificate and the server name is not a problem; afterwards the server was successfully renamed fs.contoso.ru, and the certificate problems were gone.
Second problem

This is actually the reason for writing this article. For ADFS to work outside the corporate network, we decided to deploy an ADFS Proxy. For it to work, port 443 has to be forwarded from the outside to the ADFS Proxy server on the corporate network. But port 443 on our external addresses was in short supply: it was already taken by a bunch of services.

And then I remembered that during the implementation I had seen an article somewhere that described how to configure ADFS on an alternate port. I found it and started configuring: it does not work. I played with restarting services, servers, application pools and IIS; still nothing. It gets stuck at step 3: the AD FS 2.0 Proxy Configuration Wizard cannot connect to the ADFS server and establish the trust. I also found another article, but it is about a slightly different kind of alternate port: it changes the port used between ADFS and the ADFS Proxy, not the port of the service itself.

Battle

I decided to analyze the packets. It turned out that step 3 of the instructions linked above could not be completed because, regardless of the IIS site binding or the Set-ADFSProxyProperties -HttpsPort 444 setting, the wizard stubbornly sends its requests to port 443 on the ADFS server, and there are no command-line switches and no config files to tell it where to knock.

Then I decided to work around the problem with an HTTP proxy; that option is available in step 3. I installed Application Request Routing (ARR) in IIS, configured request routing rules (something like "all requests arriving on port 1555 go to fs.contoso.ru:444"), and checked from a browser: hurray, everything works! I run the wizard, specify the proxy address and port 1555, run the test, and again the error. I look at the requests: the wizard sends "CONNECT fs.contoso.ru:443". Clearly, ARR does not support CONNECT tunneling, so I had to look for a proxy that does.

I installed Fiddler on the ADFS server, allowed remote connections in its settings, enabled capturing of HTTPS CONNECTs and decryption of HTTPS traffic (decryption works by Fiddler issuing its own certificates, so the machine running the wizard must trust the Fiddler root certificate; remove that trust once you are done), and added the following lines to OnBeforeRequest in the FiddlerScript rules:

```
// Change the request URL (the CONNECT fs.contoso.ru:443 itself) to point at port 444
if (oSession.url.toLowerCase() == "fs.contoso.ru:443") oSession.url = "fs.contoso.ru:444";

// Redirect the requests inside the decrypted tunnel to the desired port
if (oSession.host.toLowerCase() == "fs.contoso.ru") oSession.host = "fs.contoso.ru:444";

// In the request body, rewrite links to the necessary port
oSession.utilReplaceInRequest("https://fs.contoso.ru/", "https://fs.contoso.ru:444/");
```

With this combination the test passes, the wizard completes successfully, the ADFS web links work from outside, and portal.microsoftonline.com lets us in; in other words, our ADFS Proxy is working!

But we have only done step 3 of the Microsoft instructions, so now, in the terminology of the book "Gödel, Escher, Bach: An Eternal Golden Braid" (from here, thanks to celen!), we need to pop back up into those instructions and try to continue the setup. Besides, I want to get rid of the intermediate proxy. I perform steps 4 and 6 (it works without step 5) and try the wizard again without specifying a proxy, to reconfigure it to work directly, but the result is the same: it sends its requests to port 443. Then I simply remove the proxy setting with Set-ADFSProxyProperties -ForwardProxyUrl "", turn off Fiddler, restart the service, look in the logs, and see that the service works successfully without an HTTP proxy: the sites open and Lync connects. Goal achieved!

Summary

Thus, using a temporary proxy, I managed to join the ADFS Proxy to ADFS and then remove that proxy; both servers now work on port 444 (I did not change the HTTP port). This method will be useful for small companies that are short of external IP addresses and want to use Office 365. And a wish for Microsoft: please fix the instructions, something in them is wrong.

Source: https://habr.com/ru/post/152625/
