Multi Factor Authentication (MFA) Using ADFS 3.0 and Certificates
I had to implement MFA using ADFS 3.0 and internally signed certificates in order to authenticate external users against Office 365 services. There were a few niggles along the way, but on the whole it was a relatively easy process to complete. The design brief stated that only domain-joined devices may consume Office 365 services from outside the corporate LAN, and that those users must perform multi-factor authentication only when they are outside the corporate LAN. I am fairly sure the design could have been achieved using Azure MFA and a few claim rules in ADFS. However, the customer liked the relatively simple management and roll-out that certificate-based MFA provides: the second factor is a user certificate auto-enrolled onto the domain-joined device, so there is no extra MFA service or token to run.
In order to set this up you need the following installed and in production:
- ADFS 3.0 farm (Windows Server 2012 R2)
- WAP (Web Application Proxy) servers in the DMZ
- Active Directory Certificate Services
- An HTTP web publishing point for your CA revocation lists (CDP) that both the ADFS servers and the non-domain-joined WAP servers can reach; an LDAP-only CDP cannot be checked from the DMZ
- TCP port 49443 open inbound to your WAP server VIP (ADFS 3.0 uses this port for client-certificate authentication, in addition to 443)
Once you have these prerequisites in place you can start to configure MFA:
1. Create a Security Group in Active Directory; call it what you like, e.g. AutoEnrollGroup. Users must be a member of this group to auto-enroll for user certificates, so it is also your per-user on/off switch for MFA certificates.
2. Next, create a Group Policy called MFA-Cert_Enrol and link it to your Users OU.
Edit the Group Policy and make the following changes:
User Configuration/Policies/Windows Settings/Security Settings/Public Key Policies
Certificate Services Client – Auto-Enrollment: set Configuration Model to Enabled
Tick Renew expired certificates, update pending certificates, and remove revoked certificates, and Update certificates that use certificate templates
3. In the same Group Policy, under the same Public Key Policies node, open Certificate Services Client – Certificate Enrollment Policy
Set it to Enabled; the Active Directory Enrollment Policy entry should be populated automatically
Close the Group Policy Management Editor
4. Open the Certification Authority console, right-click Certificate Templates and choose Manage. Select the User certificate template, right-click it and choose Duplicate Template
5. On the Compatibility tab, set Certification Authority to the OS of your oldest CA server (Windows Server 2012 for me) and leave Certificate recipient at a level your oldest client OS supports, otherwise those clients will not enroll
6. On the General tab, give the template a distinguishable display name, e.g. MFA Certificate, and adjust the validity period as required (3 years for me)
7. On the Request Handling tab, untick Allow private key to be exported. The key then stays on the device it was enrolled on, so the certificate cannot simply be exported and used from another machine; that is what ties the second factor to the domain-joined device
8. On the Security tab, add the group you created in step 1 and grant it Read, Enroll and Autoenroll (auto-enrollment needs all three)
9. On the Extensions tab, edit Application Policies and remove everything except Client Authentication. The default User template also carries Encrypting File System and Secure Email, neither of which belongs on an authentication-only certificate
10. Back in the Certification Authority console, right-click Certificate Templates and choose New > Certificate Template to Issue
11. Select the template you created, e.g. MFA Certificate
12. Confirm the template now appears under Certificate Templates in your CA
13. Add a test user to the security group from step 1, log on to a domain-joined machine as that user and check that a certificate issued from the MFA Certificate template appears in their Personal certificate store (certmgr.msc). Auto-enrollment runs at logon, so log the user off and on again to trigger it
If it does, you have done the hard part!
14. On every ADFS server, make sure TCP port 49443 is allowed inbound from the WAP servers on your firewall (if you have one). ADFS 3.0 uses 49443 for client-certificate authentication; 443 alone is not enough
15. Open the ADFS Management console, select Authentication Policies and then Edit Global Multi-factor Authentication Policy
16. Under Additional Authentication Methods, tick Certificate Authentication. Leave Users/Groups and Locations empty here: I am not enabling MFA at the global level because there are other Relying Party Trusts I do not want MFA for. This step only makes the method available
17. Select Per Relying Party Trust, select Microsoft Office 365 Identity Platform and then Edit Custom Multi-factor Authentication
18. Under Locations, tick Extranet only. This writes a rule that demands MFA whenever the insidecorporatenetwork claim is false, i.e. when the request arrived through the WAP; internal users are not affected
19. There should be no need to configure anything on the WAP servers, as they pick up the ADFS configuration automatically. However, ensure Windows Firewall on the WAP servers is not blocking 49443, and make sure your external firewall NATs TCP 49443 as well as 443 to the WAP VIP. Because the WAP terminates the client-certificate TLS handshake on 49443 itself, it must also trust your CA chain and be able to fetch the CRL over HTTP (see the comments below)
20. Test from outside the corporate LAN: after primary authentication the browser should present (or prompt you to select) the user certificate, and MFA is enabled and working
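The whole procedure driven from PowerShell instead of the consoles, as an added example that is not part of the original post. Names are placeholders: the domain contoso.local, the OU OU=Users,DC=contoso,DC=local, the group AutoEnrollGroup, the GPO MFA-Cert_Enrol, the template name MFACertificate (the template itself is still built in the Certificate Templates console as in steps 4 to 9, since there is no built-in cmdlet for that), the CA name Contoso Issuing CA, and the default display name of the Office 365 relying party trust. Each part runs on the server named in its comment, with the matching RSAT or role module installed.

```powershell
# Added example (not the post's own steps); every name below is a placeholder for your environment.

# ---- Domain controller or management host with RSAT: steps 1-3 ----
Import-Module ActiveDirectory, GroupPolicy
$UsersOU = "OU=Users,DC=contoso,DC=local"
New-ADGroup -Name "AutoEnrollGroup" -GroupScope Global -GroupCategory Security -Path $UsersOU

$gpo = New-GPO -Name "MFA-Cert_Enrol"
New-GPLink -Name $gpo.DisplayName -Target $UsersOU -LinkEnabled Yes | Out-Null
# "Certificate Services Client - Auto-Enrollment" (User Configuration) is stored as a bitmask:
# 1 = Enabled, 2 = renew expired / update pending / remove revoked, 4 = update certificates that
# use templates. 7 turns on all three, which is what step 2 ticks in the editor.
Set-GPRegistryValue -Name $gpo.DisplayName -Key "HKCU\Software\Policies\Microsoft\Cryptography\AutoEnrollment" `
    -ValueName "AEPolicy" -Type DWord -Value 7 | Out-Null
# Step 3 (Certificate Enrollment Policy) is left to the Group Policy editor as in the post.

# ---- Certification authority: steps 10-12 (template already duplicated per steps 4-9) ----
Import-Module ADCSAdministration
Add-CATemplate -Name "MFACertificate" -Force          # the template *name*, not its display name
Get-CATemplate | Where-Object Name -eq "MFACertificate"

# ---- Test client, logged on as a member of AutoEnrollGroup: step 13 ----
gpupdate /target:user /force | Out-Null
certutil -pulse | Out-Null                             # fire autoenrollment now instead of at next logon
function Test-MfaUserCertificate {
    # Returns the enrolled certificate(s): in the user's Personal store, issued by our CA,
    # carrying only the Client Authentication EKU (step 9), with a private key present.
    param([string]$IssuerName = "Contoso Issuing CA")   # placeholder CA common name
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        $_.Issuer -like "CN=$IssuerName*" -and
        @($_.EnhancedKeyUsageList).Count -eq 1 -and
        $_.EnhancedKeyUsageList[0].ObjectId -eq "1.3.6.1.5.5.7.3.2"
    }
}
Test-MfaUserCertificate | Format-List Subject, Issuer, NotAfter, Thumbprint

# ---- Every ADFS server: steps 14-18 ----
Import-Module ADFS
New-NetFirewallRule -DisplayName "AD FS client certificate auth (TCP 49443)" -Direction Inbound `
    -Protocol TCP -LocalPort 49443 -Action Allow | Out-Null
# Step 16: make certificate authentication an available additional method. This call replaces
# the provider list, so include any other providers you already use in the same call.
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider "CertificateAuthentication"
# Steps 17-18: the rule the console writes when you tick Locations > Extranet on the trust.
# insidecorporatenetwork is false for requests that arrived via the WAP, so MFA is demanded
# only from outside the LAN and internal users are untouched.
$extranetMfaRule = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsRelyingPartyTrust -TargetName "Microsoft Office 365 Identity Platform" `
    -AdditionalAuthenticationRules $extranetMfaRule
# Verify: the trust carries the rule and HTTP.SYS has an SSL binding for the 49443 listener.
(Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform").AdditionalAuthenticationRules
netsh http show sslcert | Select-String ":49443"
```

Run the client part as the test user, not as an administrator, since auto-enrollment and the Cert:\CurrentUser\My store are per user; an empty result from Test-MfaUserCertificate usually means the group membership had not been picked up at logon or the template permissions from step 8 are missing.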
Troubleshooting
If this fails, check the AD FS Admin event log. I experienced Event ID 364, which detailed that the certificate that was used failed its chain validation and that one of the CA certificates was not trusted by the ADFS server. I ensured that the root CA and intermediate CA certs were in fact in the correct trusted machine stores, but this did not make a difference. In my scenario it turned out that the root CA was offline and the root CA certificate was not in the NTAuth certificate store on the ADFS servers. To resolve this I exported the root CA cert and then applied it to the ADFS servers using the following command:
certutil -enterprise -addstore "NTAuth" rootca.cer
Another issue I came across was when accessing the MFA webpage externally the connection would reset and the page no longer displayed. This turned out to be because the WAP servers had been configured with a publishing rule for ADFS. Adding an additional rule in for https://adfs.domain.com:49443 solved this issue for me.
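The checks behind the two failures above, plus the revocation problem raised in the comments, as an added PowerShell example that is not part of the original post. Paths and host names are placeholders: C:\temp\user.cer is a test user's MFA certificate exported without its private key, C:\temp\rootca.cer the root CA certificate, adfs.domain.com the farm name, and $Thumbprint whatever certificate your WAP already uses for that host name.

```powershell
# Added example (not the post's own commands); paths, host names and the thumbprint are placeholders.

# ---- ADFS server: what did ADFS actually reject? ----
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 364 } -MaxEvents 5 |
    Select-Object TimeCreated, Message | Format-List

# NTAuth is the store consulted for "may this CA issue logon certificates"; -enterprise reads the
# copy published from AD. A CA that is only in Trusted Root Certification Authorities still fails
# here, which is the post's Event 364 case.
certutil -enterprise -store NTAuth

# -urlfetch downloads every AIA and CDP URL in the chain exactly as the validator would, so it
# shows both a missing NTAuth entry and a revocation list that cannot be reached.
certutil -verify -urlfetch C:\temp\user.cer

function Test-HttpCdpOnly {
    # $true when every CRL Distribution Point in the certificate is an http(s) URL, i.e. one a
    # non-domain-joined WAP in the DMZ can fetch. $false flags LDAP-only CDPs (the failure in
    # the comments) or a certificate with no CDP at all.
    param([Parameter(Mandatory)][string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $cdp  = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.31" }   # id-ce-cRLDistributionPoints
    if (-not $cdp) { return $false }
    $urls = @([regex]::Matches($cdp.Format($true), '(?i)\b(ldap|https?)://\S+') | ForEach-Object { $_.Value })
    return ($urls.Count -gt 0) -and -not ($urls | Where-Object { $_ -like 'ldap://*' })
}
Test-HttpCdpOnly -CertPath C:\temp\user.cer

# The post's fix once the root is confirmed missing from NTAuth (re-run the checks afterwards):
# certutil -enterprise -addstore NTAuth C:\temp\rootca.cer

# ---- WAP server: the 49443 path that reset the connection ----
Test-NetConnection -ComputerName adfs.domain.com -Port 49443        # must succeed from the WAP
Get-WebApplicationProxyApplication | Select-Object Name, ExternalUrl, BackendServerUrl
# Equivalent of the extra publishing rule the post added, as a pass-through for the 49443 URL.
# Only add it if the listing above shows no rule for that URL.
$Thumbprint = "0000000000000000000000000000000000000000"   # placeholder: WAP cert for adfs.domain.com
Add-WebApplicationProxyApplication -Name "AD FS client certificate auth" `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl "https://adfs.domain.com:49443/" -BackendServerUrl "https://adfs.domain.com:49443/" `
    -ExternalCertificateThumbprint $Thumbprint
```

Run Test-HttpCdpOnly on the WAP as well as on ADFS: the WAP validates the client certificate itself before forwarding it, so a CDP it cannot reach fails the logon even when ADFS would have accepted the certificate.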
Mark is an Independent Microsoft Teams Consultant with over 15 years' experience in Microsoft technology. Mark is the founder of Commsverse, a dedicated Microsoft Teams conference, and a former MVP. You can follow him on Twitter @UnifiedVale
When using a MS CA I found the WAP server failed auth requests from external clients because it could not check the revocation path on the certs. Certs issued by the MS CA had a CDP revocation path with an LDAP URI and non-domain servers such as the WAP server in the DMZ cannot check the revocation path. I tried to change the revocation path to a HTTP URI but this broke the Root CA and Sub CA operation. The only way I got this to work was to use a standalone OpenSSL Certificate Server and specify CDP HTTP URIs that were reachable by both the WAP and ADFS server.
Hi Steve, how did you get ADFS to trust your OpenSSL CA? Did you import the root cert and private key to ADFS? Any other snags setting this up?
Hi Steve,
You don’t need to publish the CRL to AD/LDAP anymore. This used to be done, but it’s best to use HTTP CRL only now – as it’s more firewall friendly. See;
http://kazmierczak.eu/itblog/2012/08/22/the-dos-and-donts-of-pki-microsoft-adcs/
https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx
The 2nd article does include for LDAP, but it’s not necessary – we’ve done it without. Have included this link as it’s a great resource.
Chris
Mark, you are using user certificates for MFA. Is there a way to use machine certificates as well? I would like to make sure that the user is using a corporate device.