Introduction
Active Directory Federation Services (AD FS) is an installable component of the Microsoft Windows Server operating system. Once configured, it provides single sign-on, credential sharing and access control (federation) between trusted business partners and across multiple business boundaries. It does so through a claims-based authorization process built on standards-based protocols such as HTTPS.
The user’s native organization has the responsibility for authenticating and providing identity information required by a trusted partner, which in turn allows the user to transparently connect to an application hosted by one of the members within the trust boundaries of the federation.
Microsoft AD FS effectively provides and secures a mutually trusted zone encompassing multiple security domains. Integrating Microsoft AD FS with Entrust nShield Hardware Security Modules (HSMs) provides increased robustness and control between these boundaries by securely managing the high-value Transport Layer Security (TLS) and Token-Signing/Token-Decrypting keys required by AD FS within a FIPS 140 Level 3 approved hardware environment.
The key objects that are used by AD FS, via the Microsoft CNG API, are as follows:
Key Object | Description |
---|---|
SSL/TLS | Secures web services traffic for SSL communication with web clients and with federation server proxies. |
Service-Communications | Used for service communication for Windows Communication Foundation (WCF) Message Security. |
Token-Signing | Used to digitally sign all security tokens, including signing of published federation metadata and artifact resolution requests. Can have multiple token-signing certificates configured to allow for certificate rollover when one certificate is close to expiring. All the certificates in the list are published, but only the primary token-signing certificate is used by AD FS to sign tokens. |
Token-Decrypting | Used to decrypt tokens that are received by a federation server. Can have multiple decryption certificates configured to allow for continuous operation after certificate rollover. All certificates can be used for decryption, but only the primary token-decrypting certificate is published in federation metadata. |
Configuring AD FS using nShield HSMs
This document covers the integration using module protection for the AD FS Token keys, with cipher suite DLf3072s256mAEScSP800131Ar1.
Prerequisites
- An existing Active Directory Domain Services (AD DS) system (domain controller) operating the domain at the Windows Server 2016 Functional Level.
- An existing Microsoft Active Directory Certification Service (AD CS) system configured as an Enterprise issuing CA (for access to certificate templates).
- Credentials to update the domain’s DNS service to configure a host entry for AD FS.
- A Security World has already been created or loaded on the HSM to be used by AD FS. For details on installing and registering the nShield CNG KSP via the installed CNG wizard, see Install and register the CNG provider.
Throughout this guide, sections are prefaced with AD FS Server, AD DS Server, or AD CS Server; make sure you execute the steps in each section on the intended server.
For details on installing and configuring the Active Directory Certificate Authority using nShield HSMs, see the Microsoft AD CS and OCSP Integration Guide for Microsoft Windows Server 2022.
Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.
You must create a DNS entry for the AD FS service name, because the AD FS service name differs from the name of the AD FS host server.
If you are deploying AD FS across the internet using Web Application Proxy, you will need a certificate issued by a third party whose Root Certificate is installed on all computers and devices that will be accessing the service. This guide does not cover deployment using a Web Application Proxy.
Requirements
Requirements for deploying the Microsoft Windows Server environment to support the AD FS role:
Component | Minimum Requirement | Recommended Requirement |
---|---|---|
Memory | 512 MB | 4 GB |
Processor | 1.4 GHz 64-bit processor | Quad-core, 2 GHz |
Processor Cores | N/A | N/A |
Hard Disk | 32 GB | 100 GB |
CD/DVD | Optional | |
Network Adapter | 1 | |
USB Controller | Optional (if you want to be able to use nShield Remote Administration) | |
Display | Standard configuration | |
Operating System | Microsoft Windows Server 2016 (64-bit) or later | |
nShield Security World Client Software | A validated version of the nShield Security World client software (see the Validation Matrix below) | |
Validation matrix
This Integration Guide provides step-by-step instructions to install and configure Microsoft AD FS for use with nShield HSMs. For our testing purposes, Microsoft Windows Server 2022 was used as the platform for all three required roles (AD DS, AD CS, and AD FS).
Entrust has successfully tested the integration of AD FS and an nShield HSM using the following configurations:
Software | Firmware | Net Image | World Mode | World Cipher Suite | Module | Softcard | OCS |
---|---|---|---|---|---|---|---|
12.60.11 | 12.70.8 vsn31 | | unrest- | DLf3072s256mAEScSP800131Ar1 | YES | NO | YES¹ |
12.60.11 | 12.70.8 vsn31 | | FIPS 140 Level 3 | DLf3072s256mAEScSP800131Ar1 | YES | NO | YES¹ |
12.71 | 12.70.8 vsn31 | | unrest- | DLf3072s256mAEScSP800131Ar1 | YES | YES² | YES² |
12.71 | 12.70.8 vsn31 | | FIPS 140 Level 3 | DLf3072s256mAEScSP800131Ar1 | YES | YES² | YES² |
12.80.4 | 12.80.4 | | FIPS 140 Level 3 | DLf3072s256mAEScSP800131Ar1 | YES | YES² | YES² |
12.80.4 | 12.80.4 | | FIPS 140 Level 3 | DLf3072s256mAEScSP800131Ar1 | YES | YES² | YES² |
13.2.2 | 13.2.2 | 13.2.2 | FIPS 140 Level 3 | DLf3072s256mAEScSP800131Ar1 | YES | YES² | YES² |
13.6.3 | 13.4.5 | | FIPS 140 Level 3 | DLf3072s256mAEScSP800131Ar1 | YES | YES² | YES² |
13.6.3 | 13.2.2 | 13.3.2 | FIPS 140 Level 3 | DLf3072s256mAEScSP800131Ar1 | YES | YES² | YES² |
¹ In this configuration, the OCS must not have a passphrase.
² In this configuration, using a Softcard or an OCS with a passphrase (or a k-of-N OCS with or without a passphrase, where k>1) requires that you start the AD FS service using the nShield preload tool. For module-protected keys or an OCS without a passphrase, preload is not necessary. Additionally, in this configuration only Module Protection is compatible with CAPI certificates.
The Token-Decrypting certificate requires an nShield MS CAPI (CSP) provider. For more information, see the AD FS and certificate KeySpec property information page: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/ad-fs-and-keyspec-property
See the following link for more information on nShield cryptographic providers: https://nshielddocs.entrust.com/security-world-docs/v13.6.3/api-cng/intro.html
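Because the Token-Signing keys are expected to live in the nShield CNG KSP while the Token-Decrypting key must use the nShield CAPI CSP (see the KeySpec note above), an administrator will want a quick way to confirm, after configuration, that none of the AD FS certificates has silently fallen back to a software key. The following PowerShell script is an added example and not part of the Entrust guide or the nShield software. It assumes it is run in an elevated session on the AD FS server with the ADFS module available, and the provider-name pattern it matches ('*nCipher*') is an assumption; compare it against the provider names that `certutil -csplist` reports on your system.

```powershell
# Added example (not from the Entrust guide): report the provider that holds the
# private key of every AD FS certificate, so HSM protection can be verified.
# Assumptions: elevated session on the AD FS server; ADFS module present;
# the HSM provider-name pattern below is an assumption to adapt to your system.
Import-Module ADFS

function Get-AdfsCertificateKeyProvider {
    [CmdletBinding()]
    param(
        # Assumed pattern for the nShield provider names; adjust after checking certutil -csplist
        [string]$HsmProviderPattern = '*nCipher*'
    )

    foreach ($type in 'Service-Communications', 'Token-Signing', 'Token-Decrypting') {
        foreach ($entry in (Get-AdfsCertificate -CertificateType $type)) {
            # Re-read the certificate from the machine store so the private key handle is available
            $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
                Where-Object { $_.Thumbprint -eq $entry.Thumbprint } |
                Select-Object -First 1

            $api      = 'n/a'
            $provider = 'n/a'
            $keySpec  = 'n/a'

            if ($cert -and $cert.HasPrivateKey) {
                # Returns RSACng for CNG (KSP) keys and RSACryptoServiceProvider for CAPI (CSP) keys
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $api      = 'CNG'
                    $provider = $rsa.Key.Provider.Provider
                }
                elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $api      = 'CAPI'
                    $provider = $rsa.CspKeyContainerInfo.ProviderName
                    $keySpec  = $rsa.CspKeyContainerInfo.KeyNumber   # Exchange or Signature (the KeySpec)
                }
            }

            [pscustomobject]@{
                CertificateType = $type
                IsPrimary       = $entry.IsPrimary
                Thumbprint      = $entry.Thumbprint
                Api             = $api
                Provider        = $provider
                KeySpec         = $keySpec
                HsmBacked       = ($provider -like $HsmProviderPattern)
            }
        }
    }
}

# Print the report and warn about any certificate whose key is not held by the HSM provider
$report = Get-AdfsCertificateKeyProvider
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.HsmBacked } | ForEach-Object {
    Write-Warning ("{0} certificate {1} is not HSM-backed (API: {2}, provider: {3})" -f `
        $_.CertificateType, $_.Thumbprint, $_.Api, $_.Provider)
}
```

The Api column should read CNG for the Token-Signing certificate and CAPI (with KeySpec Exchange) for the Token-Decrypting certificate; a certificate whose private key is missing from the store, or whose provider is a Microsoft software provider, is flagged by the warning. The SSL/TLS certificate is bound separately and is not covered by Get-AdfsCertificate.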
Supported nShield HSM functionality
Functionality | Support |
---|---|
Key Generation | YES |
Key Management | YES |
Key Import | Not tested |
Key Recovery | Not tested |
1-of-N Operator Card Set | YES¹ |
K-of-N Operator Card Set | YES² |
Softcards | YES³ |
Module-only keys | YES |
FIPS 140 Level 3 mode support | YES⁴ |
Common Criteria mode support | Not tested |
Load Sharing | YES |
Failover | YES |
¹ Requires Security World client software v12.71 or later if the OCS has a passphrase.
² Requires Security World client software v12.71 or later, both with and without an OCS passphrase.
³ Requires Security World client software v12.71 or later.
⁴ If using a Softcard to protect AD FS keys, an OCS is still required, as the preload command requires FIPS authorization to load keys.