RDWeb SSO with PhenixID Authentication Services
Warning
Please note that this document uses the legacy authenticators. To use the new protocol-agnostic authenticators, apply the corresponding modifications to the configuration examples outlined in this article.
Summary
This document will guide you through the steps to enable federation and multifactor authentication for Microsoft RDWeb.
System Requirements
- PhenixID Authentication Server 2.0 or higher
- Microsoft RDWeb installed and configured
- Windows Identity Foundation 3.5/4.0 (on RDWeb server)
- Windows Identity Foundation SDK 4.0 (on RDWeb server)
- Claims to Windows token service enabled (on RDWeb server)
- Microsoft ADFS installed (can be same machine as RDWeb or other machine)
Instruction
Overview
Federation and multifactor authentication are enabled by chaining the components listed above: RDWeb trusts ADFS as its STS (WS-Federation, configured with FedUtil), ADFS trusts PhenixID Authentication Services as a SAML claims provider, and the Claims to Windows token service on the RDWeb server maps the resulting UPN claim to a Windows identity.
PhenixID Server acting as SAML IdP
Set up PhenixID Authentication Services as a SAML IdP; see for example the article SAML Identity Provider.
Then export your SAML IdP metadata by opening the URL:
https://<YourServerDomainName>/saml/authenticate/<authenticator_alias>?getIDPMeta
and saving the response to an XML file.
Configure ADFS with Claimsprovider and rules
A claims provider trust will be added by importing the SAML IdP metadata. A pass-through claim rule will then be configured for it.
- Start AD FS Management
- Click Trust Relationships/Claims Provider Trusts
- Right click and choose "Add Claims Provider Trust…"
- Choose a method to import your metadata
- Display name, just click next
- Click next until close
- Claim rules, add rule…
- Template, "Pass Through or Filter an Incoming Claim"
- Set a rule name
- "Incoming claim type" = Name ID
- "Incoming name ID format" = Unspecified
- Finish
Export metadata from ADFS/Import metadata to IdP
Open a web browser and go to the URL:
https://<adfs_domain>/FederationMetadata/2007-06/FederationMetadata.xml
Save data to file (in the example below named adfs_demo_FederationMetadata.xml)
This metadata will now be imported into the PhenixID Server acting as IdP:
Put the file in /resources
Restart the service
Now go to PhenixID Configuration portal and login
Go to tab Configuration
Verify the file has been imported under Resources
Go to SAML 2 meta loading
Add the entity ID as id and set resource to the file name of the exported metadata, for example:
{ "id": "http://adfs.demo.phenixid.net/adfs/services/trust", "resource": "adfs_demo_FederationMetadata.xml" }
Then press stage/commit changes
Depending on your configuration, on the AssertionProvider valve (in Pipes section), change the sourceID and audienceRestriction parameters to match the imported metadata id, example:
{ "name": "AssertionProvider", "config": { "targetEntityID": "PhenixID_IdP_RDWEB_DEMO", "nameIDAttribute": "userPrincipalName", "sourceID": "http://adfs.demo.phenixid.net/adfs/services/trust", "misc": { "excludeSubjectNotBefore": "true" }, "audienceRestriction": "http://adfs.demo.phenixid.net/adfs/services/trust" } }
Then press stage/commit changes
Test login to ADFS (it will not go all the way yet):
https://adfs.demo.phenixid.net/adfs/ls/idpinitiatedsignon
Open the properties of the claims provider trust created earlier, go to Advanced and change "Secure hash algorithm" to SHA-1. This setting must match the algorithm the PhenixID IdP uses to sign its assertions; SHA-1 is deprecated for signatures, so if the IdP is configured to sign with SHA-256, keep the setting at SHA-256 instead.
RDWeb server configuration
On the RDWeb server the following components need to be installed:
- Windows Identity Foundation 3.5/4.0
- Windows Identity Foundation SDK 4.0
Open
C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config
Add
<add value="IIS APPPOOL\RDWebAccess" />
to the <allowedCallers> section (this is the identity of the RD Web Access application pool).
Save and close the file
Open a command prompt window and enter
sc config c2wts depend= CryptSvc
Open "Services" on the MS RDWeb server
Start the service "Claims to Windows token service"
Make sure that "Claims to Windows token service" is set to automatic and that Cryptographic Service is listed in the dependencies tab.
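The c2wts steps above, applied and verified in one idempotent run. This is an added example, not a script from the original article or from PhenixID: the config path and the caller "IIS APPPOOL\RDWebAccess" are the values given above, the backup file name and the Get-CimInstance check (PowerShell 3.0 or later) are this example's own choices, and $caller must be changed if the RD Web Access application pool has another name. Run it from an elevated PowerShell prompt on the RDWeb server.

```powershell
# Added example (not from the original article): apply and verify the c2wts
# configuration steps. Assumes the default WIF 3.5 path and the app pool
# identity "IIS APPPOOL\RDWebAccess"; adjust $caller for a differently named pool.
$cfgPath = 'C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config'
$caller  = 'IIS APPPOOL\RDWebAccess'

# Keep a copy of the file before editing it.
Copy-Item -Path $cfgPath -Destination "$cfgPath.bak" -Force

[xml]$cfg = Get-Content -Path $cfgPath -Raw
$callers = $cfg.SelectSingleNode('//allowedCallers')
if ($null -eq $callers) { throw "No <allowedCallers> section found in $cfgPath" }

# Add the entry only once, so re-running the script does not duplicate it.
# Every identity listed here may ask c2wts for a Windows token for any user,
# so the list should contain nothing but the RD Web Access pool identity.
$present = @($callers.SelectNodes('add') | Where-Object { $_.GetAttribute('value') -eq $caller })
if ($present.Count -eq 0) {
    $add = $cfg.CreateElement('add')
    $add.SetAttribute('value', $caller)
    [void]$callers.AppendChild($add)
    $cfg.Save($cfgPath)
    Write-Output "Added allowed caller '$caller'"
} else {
    Write-Output "Allowed caller '$caller' already present"
}

# 'sc' is an alias for Set-Content in PowerShell, so call sc.exe explicitly.
# sc.exe requires the space after 'depend='.
& sc.exe config c2wts depend= CryptSvc | Out-Null
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }

Set-Service -Name c2wts -StartupType Automatic
Start-Service -Name c2wts

# Verify: running, startup type Automatic, CryptSvc among the dependencies.
$svc  = Get-Service -Name c2wts
$deps = @($svc.ServicesDependedOn | ForEach-Object { $_.Name })
$mode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='c2wts'").StartMode
if ($svc.Status -ne 'Running')     { throw 'c2wts is not running' }
if ($mode -ne 'Auto')              { throw "c2wts startup type is $mode, expected Auto" }
if ($deps -notcontains 'CryptSvc') { throw 'c2wts does not list CryptSvc as a dependency' }
Write-Output "c2wts running (startup: $mode); dependencies: $($deps -join ', ')"
```

The script edits the file through the XML parser rather than with string replacement, so a malformed c2wtshost.exe.config fails loudly instead of silently leaving c2wts unable to start.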
Run
C:\Program Files (x86)\Windows Identity Foundation SDK\v3.5\fedutil.exe
(use the version folder that matches the installed SDK)
Point to the RDWeb application web.config file. Enter the RDWeb web application URI, for example:
https://adfs.demo.phenixid.net/RDWeb/Pages/
Select "Use an existing STS" and enter the federation metadata URL of the ADFS server:
https://<adfs_domain>/FederationMetadata/2007-06/FederationMetadata.xml
Set certificate chain validation according to your environment
Set encryption according to your environment
Press Next and then Finish
We need to change a setting in the RD Web Access Application Pool, so open the IIS Manager,
select Application Pools, right-click the RDWebAccess pool, and then Advanced Settings. Set "Load User Profile" to "True"
Make a copy of
C:\Windows\Web\RDWeb\Pages\web.config
Open
C:\Windows\Web\RDWeb\Pages\web.config
If not already present, add the following to the <configuration> section:
<configSections>
  <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</configSections>
In the <system.web> section, add the following lines (the WS-Federation sign-in response is posted back as form data, which ASP.NET request validation would otherwise reject):
<httpRuntime requestValidationMode="2.0" />
<pages validateRequest="false" />
In the <system.web> section, verify the following settings (anonymous users are denied and forms authentication is off, so that the WS-Federation module handles sign-in):
<authorization>
  <deny users="?" />
</authorization>
<authentication mode="None" />
Make sure that the <modules> element starts like this:
<modules runAllManagedModulesForAllRequests="true">
In the <modules> section, remove the following line (if present):
<add name="RDWAFormsAuthenticationModule" type="Microsoft.TerminalServices.Publishing.Portal.FormAuthentication.TSDomainFormsAuthentication" />
In the <modules> section, make sure that these lines are present:
<add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
<add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
In the section microsoft.identityModel -> service, add the following (the session and SAML 1.1 token handlers map the incoming identity to a Windows token through c2wts):
<securityTokenHandlers>
  <remove type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  <add type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
    <sessionTokenRequirement useWindowsTokenService="true" />
  </add>
  <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
    <samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" />
  </add>
</securityTokenHandlers>
Enable UPN: under microsoft.identityModel -> service -> applicationService -> claimTypeRequired, uncomment this line:
<!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" optional="true" />-->
Save the file
Run iisreset
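Before running iisreset, the web.config edits listed above can be checked against the parsed file. The following is an added example, not part of the original article or of the RDWeb product: the function assumes the default web.config location (pass another path if yours differs) and checks each required element with an XPath expression built from the settings in this section. Because the XML parser discards comments, a claimType that is still commented out is reported as missing, which is the intended check.

```powershell
# Added example (not from the original article): validate the RDWeb web.config
# changes described above. Assumes the default path; pass -Path otherwise.
function Test-RDWebConfig {
    param([string]$Path = 'C:\Windows\Web\RDWeb\Pages\web.config')

    # A file that does not parse is the usual cause of the HTTP 500 mentioned
    # under troubleshooting, so report that before anything else.
    try {
        [xml]$cfg = Get-Content -Path $Path -Raw -ErrorAction Stop
    } catch {
        return @("web.config is not well-formed XML: $($_.Exception.Message)")
    }

    $handlers = '/configuration/microsoft.identityModel/service/securityTokenHandlers'
    $upnClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'

    # Description => XPath that must match at least one element.
    $required = [ordered]@{
        'configSections: microsoft.identityModel section'        = "/configuration/configSections/section[@name='microsoft.identityModel']"
        'system.web: httpRuntime requestValidationMode=2.0'       = "/configuration/system.web/httpRuntime[@requestValidationMode='2.0']"
        'system.web: pages validateRequest=false'                 = "/configuration/system.web/pages[@validateRequest='false']"
        'system.web: authorization deny users=?'                  = "/configuration/system.web/authorization/deny[@users='?']"
        'system.web: authentication mode=None'                    = "/configuration/system.web/authentication[@mode='None']"
        'modules: runAllManagedModulesForAllRequests=true'        = "//modules[@runAllManagedModulesForAllRequests='true']"
        'modules: WSFederationAuthenticationModule'               = "//modules/add[@name='WSFederationAuthenticationModule']"
        'modules: SessionAuthenticationModule'                    = "//modules/add[@name='SessionAuthenticationModule']"
        'securityTokenHandlers: session handler uses c2wts'       = "$handlers/add[contains(@type,'SessionSecurityTokenHandler')]/sessionTokenRequirement[@useWindowsTokenService='true']"
        'securityTokenHandlers: SAML 1.1 handler maps to Windows' = "$handlers/add[contains(@type,'Saml11SecurityTokenHandler')]/samlSecurityTokenRequirement[@mapToWindows='true' and @useWindowsTokenService='true']"
        # Comments are dropped by the parser, so a still-commented claimType is reported missing.
        'claimTypeRequired: UPN claimType uncommented'            = "/configuration/microsoft.identityModel/service/applicationService/claimTypeRequired/claimType[@type='$upnClaim']"
    }
    # Description => XPath that must NOT match.
    $forbidden = [ordered]@{
        'modules: RDWAFormsAuthenticationModule still present' = "//modules/add[@name='RDWAFormsAuthenticationModule']"
    }

    $failures = @()
    foreach ($entry in $required.GetEnumerator()) {
        if ($null -eq $cfg.SelectSingleNode($entry.Value)) { $failures += "missing: $($entry.Key)" }
    }
    foreach ($entry in $forbidden.GetEnumerator()) {
        if ($null -ne $cfg.SelectSingleNode($entry.Value)) { $failures += "remove: $($entry.Key)" }
    }
    return $failures
}

$result = @(Test-RDWebConfig)
if ($result.Count -eq 0) {
    Write-Output 'web.config checks passed; run iisreset'
} else {
    $result | ForEach-Object { Write-Output "FAIL: $_" }
    exit 1
}
```

The checks look for exact attribute values, so a typo such as mode="none" or a missing preCondition on the WIF modules will show up here rather than as a 500 page after iisreset.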
Trust between ADFS and RDWeb
Go to AD FS 2.0 Management
Click "Relying Party Trusts"
Choose "Add Relying Party Trust..."
Choose a method to import your metadata
Enter a display name
Do NOT configure MFA
Permit all users to access this relying party
Press Next and then Close
Add the following claim rules:
- Transform an Incoming Claim: enter a rule name, Incoming claim type=Name ID, Incoming name ID format=Unspecified, Outgoing claim type=UPN, Outgoing name ID format=Unspecified
- Pass Through or Filter an Incoming Claim: enter a rule name, Incoming claim type=UPN, Incoming name ID format=Unspecified
Then press Finish
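The two ADFS trusts from this article, the claims provider trust for PhenixID (section "Configure ADFS with Claimsprovider and rules") and the relying party trust for RDWeb (this section), created with the AD FS cmdlets instead of the management console. This is an added example, not part of the original article or of PhenixID's documentation. Assumed values that you must replace: the trust display names, the path of the IdP metadata file exported with ?getIDPMeta, and the RDWeb federation metadata URL (FedUtil publishes it under the application as FederationMetadata/2007-06/FederationMetadata.xml). The claim rules are written in the AD FS claim rule language with the same claim types and Name ID format the console steps above select.

```powershell
# Added example (not from the original article): claims provider trust for the
# PhenixID IdP and relying party trust for RDWeb with the claim rules above.
# Run on the AD FS server. On AD FS 2.0 (Windows Server 2008 R2) load the
# cmdlets first with: Add-PSSnapin Microsoft.Adfs.PowerShell
$idpMetadataFile  = 'C:\temp\phenixid_idp_metadata.xml'   # assumed path of the ?getIDPMeta export
$rdwebMetadataUrl = 'https://rdweb.demo.phenixid.net/RDWeb/Pages/FederationMetadata/2007-06/FederationMetadata.xml'  # assumed host

$nameIdType  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$upnType     = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$unspecified = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'

# Claims provider trust: "Pass Through or Filter an Incoming Claim",
# incoming claim type Name ID, incoming name ID format Unspecified.
$cpRules = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Name ID"
c:[Type == "$nameIdType", Properties["$nameIdType/format"] == "$unspecified"]
 => issue(claim = c);
"@

Add-AdfsClaimsProviderTrust -Name 'PhenixID Authentication Services' `
    -MetadataFile $idpMetadataFile -AcceptanceTransformRules $cpRules

# "Secure hash algorithm": must match what the PhenixID IdP signs with. The
# article uses SHA-1; use 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
# instead when the IdP signs with SHA-256.
Set-AdfsClaimsProviderTrust -TargetName 'PhenixID Authentication Services' `
    -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

# Relying party trust rules: Name ID -> UPN, then pass UPN through. The UPN is
# what c2wts on the RDWeb server maps to a Windows account, so the IdP must
# issue the user's UPN as Name ID (nameIDAttribute userPrincipalName in the pipe).
$rpRules = @"
@RuleTemplate = "MapClaims"
@RuleName = "Name ID to UPN"
c:[Type == "$nameIdType", Properties["$nameIdType/format"] == "$unspecified"]
 => issue(Type = "$upnType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through UPN"
c:[Type == "$upnType"]
 => issue(claim = c);
"@

# "Permit all users to access this relying party". No additional
# authentication (MFA) rules are set, as the console steps require.
$permitAll = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

Add-AdfsRelyingPartyTrust -Name 'RDWeb' -MetadataUrl $rdwebMetadataUrl `
    -IssuanceTransformRules $rpRules -IssuanceAuthorizationRules $permitAll

# Show what was created.
Get-AdfsClaimsProviderTrust -Name 'PhenixID Authentication Services' |
    Select-Object Name, Identifier, SignatureAlgorithm
Get-AdfsRelyingPartyTrust -Name 'RDWeb' |
    Select-Object Name, Identifier, IssuanceTransformRules
```

Because the transform rule turns whatever Name ID the claims provider sends into the UPN that c2wts resolves to a Windows account, the PhenixID pipe must set nameIDAttribute to userPrincipalName (as in the example pipe below) and the claims provider trust should not be shared with any IdP that issues other Name ID values.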
Example: IdP pipe in PhenixID Server
{
"id": "pipeunpwrdweb_demo",
"valves": [
{
"name": "LDAPSearchValve",
"config": {
"connection_ref": "MyAD",
"base_dn": "DC=demo,DC=phenixid,DC=net",
"scope": "SUB",
"size_limit": "0",
"filter_template": "(&(objectclass=*)(sAMAccountName={{request.username}}))",
"attributes": "userPrincipalName"
}
},
{
"name": "LDAPBindValve",
"config": {
"connection_ref": "MyAD",
"password_param_name": "password",
"skip_if_expr": "request.authenticatedrequest=='true'"
}
},
{
"name": "AssertionProvider",
"config": {
"targetEntityID": "PhenixID_IdP_RDWEB_DEMO",
"nameIDAttribute": "userPrincipalName",
"sourceID": "http://adfs.demo.phenixid.net/adfs/services/trust",
"misc": {
"excludeSubjectNotBefore": "true"
},
"audienceRestriction": "http://adfs.demo.phenixid.net/adfs/services/trust"
}
}
]
}
Test
Browse to
https://<rd_web_server>/RDWeb/Pages/
This should result in a redirect to the ADFS server
Select organization on the ADFS server
(This step can be removed by configuration, https://authenticationfactor.wordpress.com/2014/06/18/adfs-3-0-playing-with-authentication/ -> Force specific Claims Provider(s) per relying party)
This should result in a redirect to PhenixID Authentication Server
Authenticate
If authentication was successful, a redirect to ADFS should occur (with a SAML assertion)
A redirect to RDWeb should then occur, and the user is signed in
Troubleshooting tips
Verify trust between ADFS and PhenixID Authentication Services
- Browse to
https://<adfs_server>/adfs/ls/idpinitiatedsignon.aspx
- Click Sign in
- Select organization
- This should result in a redirect to PhenixID Authentication Server
- Authenticate
- If authentication was successful, a redirect to ADFS should occur (with SAML assertion)
- ADFS should present "You are signed in"
The file web.config
Several changes are made to the file web.config.
If the file contains an error (for example malformed XML or a wrong assembly reference), RDWeb returns an HTTP 500 error; compare the file against the backup copy made earlier.