Start using Claims X-Ray with Azure AD

Dusting this thing off to share a quick tip for Single Sign-On work. For a while now I’ve been a proponent of using Claims X-Ray for interrogating/troubleshooting AD FS Claims. The tool is created by the AD FS / Azure AD team, and I have always found it to be a massive help. However, I […]

Creating an InsideCorporateNetwork Claim for AD FS 2.x

AD FS 2012 R2 ships with the InsideCorporateNetwork Claim. It evaluates to “True” when a request is received directly at AD FS, or “False”, if a request is received at the WAP. This Claim doesn’t exist in AD FS 2.0/2.1, and it’s fair to say this is one of the more poorly understood differences in […]

Keeping AD FS Integrated Windows Authentication (IWA/WIA) Clients Signed In

Over the last couple of years we’ve started doing less AD FS work, with the advent of Password Hash Sync for Azure AD sign-on, and Microsoft’s continued investment in Azure AD Premium. We’ve also seen a few organisations struggle to operate AD FS successfully, even if I personally like the technology. So I’ve changed our […]

Creating a broadly compatible, modern SSL certificate with Active Directory Certificate Services

After recently hitting the default two year expiration point with our SharePoint development environment’s AD CS-issued SSL certificates, I set about updating that environment with a new five year template. I took this opportunity to see if I could make it as good as possible without breaking compatibility with anything. I will discuss some of […]

The Rules of AD FS Claims Rules

Many people think of AD FS as merely a federated authentication service. And with a name like Active Directory Federation Services, it’s easy to see why. However, it also has the capacity to make authorisation decisions within its Claims Engine. This may be most familiar as the Office 365 Client Access Policies, but those policies […]

Coordinating AD FS 2012 R2 token lifetimes to reduce logon prompts, enforce revocation and limit session duration over public networks

Back in February, I posted a question on the Geneva forum about Adjusting token lifetimes at the Web Application Proxy (WAP) for external access: Does the Web Application Proxy or AD FS have any separate controls for adjusting token lifetimes to a different value via WAP than directly at AD FS? I can see there’s a session […]