Using ADFS with Azure API Management

Azure API Management is an API gateway that can be used to publish APIs to the Internet. It provides features such as per-developer API keys, request throttling and request authentication. One of the way requests can be authenticated is through standard OAuth2 bearer tokens. I assume that the most common scenario is to use Azure AD to issue those tokens. But if an organisation is not that cloud enabled yet and the users are in an on prem AD, the natural token issuer is to use ADFS. And ADFS on Windows Server 2016 supports OpenID Connect, so it should work, right?

Well, it turns out it didn’t just work. The OpenID Connect implementation in ADFS has some quirks that need to be handled. In the end it worked, but with some limitations.

Regaining Access to Azure VM with Expired Password

Lately I’ve been doing some experiments with Active Directory and of course I’m running my lab environment in Azure. It works great, until after 42 days the password of the one and only user account (mine) in the domain expires. Azure only provides remote desktop access to virtual machines, and in a default setup it’s impossible to change the password over rdp once the password has expired.

In all modern incarnations of remote desktop, the user authentication is done during the connection phase. This is called NLA: Network Level Authentication. It means the user name and password is entered in the Rdp client, as part of the connection setup. Not like in the old days where the remote desktop would show up and present the same user name and password prompt as if one were actually sitting at the physical console. In the old days, the remote server could show a password expired message and force a password reset before the logon was accepted. With NLA, that just doesn’t work. So what we need to do is to disable NLA, without logging on to the remote machine.

Expression Bodied vs. Auto Read-Only Properties

C#6 brought some nice short-hand ways of handling properties. I really like them, because they take away much boilerplate code. But as with all new tools, it’s easy to use them wrongly until they are familiar.

These are two attempts to declare a readonly property that preserves the time stamp of when the object was created. They look similar, but only one of them is right.

class SomeClass
{
  public DateTime CreationTimeA => DateTime.UtcNow;
  public DateTime CreationTimeB { get; } = DateTime.UtcNow;
}

Going Independent

After more than 8 years at Kentor the time as come to move on. I’m leaving Kentor and starting my own business. I will continue to work with identity and access management, especially SAML2 on .NET. I will do consulting, open source development and training, both on site and remotely. The Kentor.AuthServices project will be transferred to my new company, Sustainsys

Kentor.AuthServices 0.21.2 Security Release

Kentor.AuthServices 0.21.2 has just been released to NuGet. It is a security release fixing three issues.

  1. XML External Entity Injection (affecting .NET 4.5 only)
  2. Malicious IdP can cause write to arbitrary file
  3. Flawed ReturnUrl validation leads to Open Redirect

The first two issues were reported by John Heasman, Morgan Roman and Joshua Estalilla from DocuSign. While I have dreaded the day when I would get a security issue I am extremely happy with the professionalism of the disclosure. I got the report privately, including detailed descriptions, reproduction steps and solid recommendations on how to fix it. I am very grateful you took the time to review AuthServices and find the issues and for the detailed reports.

More details on the vulernabilities will be published later.

Software Development is a Job – Coding is a Passion

I'm Anders Abel, an independent systems architect and developer in Stockholm, Sweden.

profile for Anders Abel at Stack Overflow, Q&A for professional and enthusiast programmers

Code for most posts is available on my GitHub account.

Popular Posts

Archives

Series

Powered by WordPress with the Passion for Coding theme.