Service Principals and CRL checking - azure-active-directory

Does a Service Principal (SP) check the CRL for the cert that is used to authenticate the SP?
I have a client that is concerned over the use of SP with Certificates for authentication and wants to understand what happens if the certificate used for authentication is revoked.

The Service Principal checks the "Certificate Revocation List" (CRL). To revoke a client certificate, Azure Active Directory fetches the certificate revocation list (CRL) from the URLs uploaded as part of the certificate authority information and caches it. The last publish timestamp in the CRL is used to ensure the CRL is still valid. The CRL is periodically referenced to revoke access for certificates that are part of the list.
To configure the certificate in the Service Principal, you can create a certificate locally, go to the manifest of the Service Principal and update the KeyCredential part like below:
Below is the documentation link for configuring revocation:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/active-directory-certificate-based-authentication-get-started#step-3-configure-revocation
I hope it helps.

Related

Active Directory SSL certificate

I have already set up Wi-Fi AD authorization. When users connect, they see an error that the certificate is self-signed and not trusted. I bought a signed SSL certificate, but I don't know how to feed it to AD.
Thanks in advance.
I tried replacing the certificate, but they are not the same at all.

Azure AD: getting Invalid X509 certificate chain when Unbind with itfoxtec

I am using Azure AD as ADFS and I get a response from it in the ACS route; however, I am getting:
AuthenticationException: Invalid X509 certificate chain. Certificate name:'CN=accounts.accesscontrol.windows.net' and thumbprint:'9CEA376******251D1F'. Chain Status:'A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.'..
When running: binding.Unbind(httpRequest, saml2AuthnResponse);
Note that the same Saml2Configuration was used in the request and in the response.
Any idea what could be the problem?
For the chain to validate successfully, the certificate's root certificate has to be installed on the machine as a trusted root certificate. This is not possible in e.g. an Azure App Service.
The check can be disabled by configuring "CertificateValidationMode": "None" in appsettings.json.
Sample code: https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/blob/master/test/TestWebAppCore/appsettings.json#L19

azure ad ldapsearch invalid credentials

I am unable to do a secure LDAP search against an Azure AD instance.
Requirement: do an ldapsearch over the internet using the LDAPS protocol and get info from Azure AD.
My setup:
Azure in eval mode; the domain name is the default option presented during creation, e.g. devopoutlook.onmicrosoft.com
Created an Azure AD Domain Services instance; the domain here is of the format xyz.abc.com (not a routable DNS name)
Secure LDAP enabled with a self-signed certificate
Added rules for incoming LDAPS requests, noted down the public IP
Created a user account, added it to Global Administrator / AAD DC Administrators
Reset the user's password; verified login works through portal.azure.com
When I attempt an ldapsearch to the public IP from my computer, I see the error below:
LDAPTLS_REQCERT=never ldapsearch -x -D "userx#devopoutlook.onmicrosoft.com" -W -H ldaps://x.x.x.x:636 -b "dc=devopoutlook,dc=onmicrosoft,dc=com"
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580
The packet capture shows an encrypted alert from client to server after the client handshake is done, hence I don't think it's a cert-related issue. I am unable to figure out if it's a password issue; I am sure the password is correct.
The user account is a cloud-only account, so password hash sync should have happened after the password reset (I have reset it multiple times).
I have also done the same experiment with an on-prem AD user synced via AD Connect; that gives the same error.
Are there any steps I am missing, or am I expecting something that wouldn't work? Please help.
LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580
As a workaround, try these:
1) As you mentioned, you are using a cloud-only account.
With a cloud-only account on an AAD tenant, you need to change the password on the cloud account and wait ~30 minutes or so for the password to replicate before you can bind on AAD DS, i.e. change the password for that user before you can authenticate with LDAP. That is because AAD will not automatically create the password hashes (which it needs for NTLM and Kerberos authentication for LDAP) for cloud-only users, but it creates them the next time the password is changed.
This topic is covered in the following article: https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance
2) The DN for the user should be similar to how it is named in local Active Directory.
For example, if I have named my AAD Domain Services instance domain contoso.com, then the domain container values for the DN attribute would correspond to that, just as in local AD. Generally, all users synced to AAD Domain Services go to the container "AADDC Users" within the Domain Services instance, so for a user in Domain Services it will be
CN=<firstName lastName>,OU=AADDC Users,DC=Contoso,DC=com
For more details refer to this document:
3) The above error is returned when the username is valid but the password/credential is invalid.
Please verify that your given password is correct.
Reference:
For more details refer to this document: Tutorial - Configure LDAPS for Azure Active Directory Domain Services | Microsoft Docs
Deleting the AADDS and redeploying it as a user forest did the trick; from what I understand, with a resource forest there is no sync of user IDs between AAD and AADDS.
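As an added example (not code from the question or the answer above), a small Python helper that classifies the "data" code in the AD diagnostic message from point 3 and builds the "AADDC Users" DN from point 2. It goes beyond the page by mapping the other well-known AD bind data codes, which is general Active Directory behaviour; the sample diagnostic string is the one quoted in the question.

```python
import re

# Well-known "data" codes in the AD diagnostic message that accompanies
# LDAP result 49 (invalidCredentials). The page only discusses 52e; the
# rest are general Active Directory behaviour, added here for context.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (username valid, password wrong)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def explain_bind_error(diagnostic: str) -> str:
    """Map the 'data NNN' field of an AD bind failure to a human-readable reason."""
    m = _DATA_RE.search(diagnostic)
    if not m:
        return "unknown (no AcceptSecurityContext data code present)"
    code = m.group(1).lower()
    return AD_BIND_DATA_CODES.get(code, f"unknown data code {code}")


def _escape_rdn_value(value: str) -> str:
    """Escape an attribute value per RFC 4514 so it is safe inside a DN."""
    out = value
    for ch in "\\,+\"<>;":          # backslash first, then the other specials
        out = out.replace(ch, "\\" + ch)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def aadds_user_dn(first_name: str, last_name: str, domain: str) -> str:
    """Build the DN of a synced user in an AAD DS managed domain (users live
    under the 'AADDC Users' OU, as the answer above explains)."""
    dc_part = ",".join(f"DC={_escape_rdn_value(label)}" for label in domain.split("."))
    cn = _escape_rdn_value(f"{first_name} {last_name}")
    return f"CN={cn},OU=AADDC Users,{dc_part}"


# Constructed sample: the diagnostic message quoted in the question above.
SAMPLE_DIAG = ("80090308: LdapErr: DSID-0C09044E, comment: "
               "AcceptSecurityContext error, data 52e, v2580")
```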

Role error while configuring saml signing certificate for robin powered

Error: Your role does not have the permissions required to manage signing certificates.
How to fix this?
Previously I was able to set up single sign-on for multiple applications and I didn't receive any error related to the signing certificate, but Robin Powered is not allowing it.
To configure the certificate you should be a member of one of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

Setting up Azure AD Connect

I'm trying to install the preview of Azure AD Connect:
https://connect.microsoft.com/site1164/program8612
During the setup, you can configure the sign-in method for users: synchronization or federation with ADFS. I want to use ADFS, and I want the setup to configure a new ADFS farm. The setup wants an SSL certificate, so I've made a self-signed certificate and exported it as a .PFX file. However, the setup won't accept the certificate; it states "The certificate is invalid or corrupted. Please try another certificate".
I selected another certificate which I've used for a website, and I get the same result. The certificate chain is OK and I've tried to install the certificate, but no matter what, the setup keeps rejecting it. I can't find any further info in the event log or setup log file, and since the Azure AD Connect software is quite new and still in preview, there's not much info on the web regarding the installation.
Any ideas on how to make this work?
It is mandatory for AD FS to use a third-party signed certificate. If you don't want to pay for a certificate, you can use one from WoSign, which is free and publicly trusted (as an intermediate certification authority from VeriSign or similar, I think).