ADFS Test

Active Directory Federation Services (AD FS) runs on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. It uses a claims-based access-control authorization model to maintain application security and to implement federated identity. Claims-based authentication involves authenticating a user based on a set of claims about that user's identity contained in a trusted token. Such a token is often issued and signed by an entity that is able to authenticate the user by other means, and that is trusted by the entity doing the claims-based authentication.

Where AD FS is used, administrators need to detect authentication failures promptly and troubleshoot them quickly, so that users are not denied access to critical systems and applications for long. At the same time, administrators should also pay attention to the type of authentication requests that AD FS processes, regardless of their status (success or failure). For instance, a sudden and significant spike in password change requests or U/P (username/password) authentication requests should be viewed with suspicion whether or not the requests succeed, because malware and hacking attempts often disguise themselves as such requests.

Using the ADFS test, administrators can be promptly notified of failed or suspect authentication attempts. This test monitors the authentication requests serviced by AD FS and alerts administrators to authentication failures as and when they occur. In the process, the test sheds light on which type of authentication request failed often: device authentication requests, extranet U/P requests, U/P requests, federated authentication requests, OAuth requests, or SSO authentication requests. The test also draws administrator attention to suspicious activity such as sudden spikes in password change requests or U/P authentication requests, giving administrators time to dig deeper and determine whether such requests are genuine.
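The spike detection described above can be reproduced outside the monitoring product. The following PowerShell is an added example, not part of this documentation or of AD FS itself: it builds a baseline from earlier samples of a request counter and flags the latest sample when it exceeds mean + N standard deviations. The counter path `\AD FS\U/P Authentication Failures` used by the live-sampling helper is an assumption about the names exposed by the AD FS performance counter set; verify it with `Get-Counter -ListSet 'AD FS'` before relying on it. The sample numbers are constructed for the demonstration.

```powershell
# Added example (not from the product documentation): flag sudden spikes in an
# AD FS request counter such as U/P authentication failures or password change
# requests, independent of whether the requests succeeded.

function Test-CounterSpike {
    # Compares the newest sample against a baseline built from the preceding
    # samples. A spike is reported when the latest value exceeds both an
    # absolute floor and mean + $Sigmas * standard deviation.
    param(
        [Parameter(Mandatory)] [double[]] $History,   # older samples, oldest first
        [Parameter(Mandatory)] [double]   $Latest,    # newest sample
        [double] $Sigmas      = 3.0,
        [double] $MinAbsolute = 20                    # ignore tiny absolute counts
    )
    if ($History.Count -lt 5) { return $null }        # too little baseline to judge
    $mean = ($History | Measure-Object -Average).Average
    $var  = ($History | ForEach-Object { ($_ - $mean) * ($_ - $mean) } |
             Measure-Object -Sum).Sum / $History.Count
    $std  = [math]::Sqrt($var)
    $threshold = [math]::Max($MinAbsolute, $mean + $Sigmas * $std)
    [pscustomobject]@{
        Mean      = [math]::Round($mean, 2)
        StdDev    = [math]::Round($std, 2)
        Threshold = [math]::Round($threshold, 2)
        Latest    = $Latest
        IsSpike   = ($Latest -gt $threshold)
    }
}

function Get-AdfsCounterDelta {
    # Live sampling helper. ASSUMPTION: the counter path below exists on the
    # local AD FS server and is cumulative, so the difference between two
    # samples is the number of events during the interval.
    param(
        [string] $CounterPath = '\AD FS\U/P Authentication Failures',
        [int]    $IntervalSeconds = 60
    )
    $s = Get-Counter -Counter $CounterPath -SampleInterval $IntervalSeconds -MaxSamples 2
    $v = $s | ForEach-Object { $_.CounterSamples[0].CookedValue }
    return $v[1] - $v[0]
}

# Constructed sample: failed U/P authentications per 5-minute window over the
# past hour, then one window with a burst. These values are made up.
$history = 12, 9, 14, 11, 8, 13, 10, 12, 9, 11, 10, 13
$latest  = 187

$result = Test-CounterSpike -History $history -Latest $latest
$result | Format-List
if ($result.IsSpike) {
    $msg = 'U/P failures {0} exceed baseline threshold {1}; review source IPs and target accounts in the AD FS audit log.' -f $result.Latest, $result.Threshold
    Write-Warning $msg
}
```

In production, replace the constructed `$history` with a rolling window of `Get-AdfsCounterDelta` results. The absolute floor keeps a quiet server (baseline near zero) from alerting on a handful of failures.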

Target of the test : An AD FS server

Agent deploying the test : An internal agent.

Outputs of the test : One set of results for the AD FS server being monitored

Configurable parameters for the test
Parameters Description

Test Period

How often should the test be executed.

Host

The host for which the test is to be configured.

Port

The default port is NULL.

Measurements made by the test
Measurement Description Measurement Unit Interpretation

Additional authentications

Indicates the number of times additional authentications are triggered.

Number

Additional authentications are the extra factors AD FS requests when multi-factor authentication (MFA) applies. You can configure and enable Microsoft and third-party authentication methods in AD FS on Windows Server 2012 R2; once a method is installed and registered with AD FS, you can enforce MFA as part of the global or per-relying-party authentication policy.

Artifact resolution requests

Indicates the number of successful RP tokens issued over SAML artifact resolution.

Reads/Sec

SAML artifact resolution is where the relying party (i.e. your ADFS presenting your shared application) retrieves a token from a claims provider (i.e. another company's ADFS) on behalf of the client (i.e. the other company's user).

A SAML message is transmitted from one entity to another either by value or by reference. A reference to a SAML message is called an artifact. The receiver of an artifact resolves the reference by sending a request directly to the issuer of the artifact, who then responds with the actual message referenced by the artifact.

Certificate authentications

Indicates the number of successful AD Certificate authentications.

Number


Device authentication failures

Indicates the number of failed device authentications.

Number

Ideally, the value of this measure should be 0 or very low.

Device authentications

Indicates the number of successful device authentications.

Number


External authentication failures

Indicates the number of failed authentications from external MFA providers.

Number

Ideally, the value of this measure should be 0 or very low.

External authentications

Indicates the number of successful authentications from external MFA providers.

Number


External account lockouts

Indicates the number of extranet U/P requests rejected due to account lockout.

Number

AD FS on Windows Server 2012 R2 introduced a security feature called Extranet Lockout. With this feature, AD FS will "stop" authenticating the "malicious" user account from outside for a period of time.

Extranet lockout provides the following key advantages:

  • It protects your user accounts from brute force attacks where an attacker tries to guess a user's password by continuously sending authentication requests. In this case, AD FS will lock out the malicious user account for extranet access.

  • It protects your user accounts from malicious account lockout where an attacker wants to lock out a user account by sending authentication requests with wrong passwords. In this case, although the user account will be locked out by AD FS for extranet access, the actual user account in AD is not locked out and the user can still access corporate resources within the organization. This is known as a soft lockout.

If this measure reports a non-zero value, it could be an early indicator of suspicious login attempts.
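The soft-lockout behaviour described above only helps if the feature is enabled and tuned so that AD FS locks the extranet path before Active Directory locks the account itself. The following PowerShell is an added example, not part of this documentation or of AD FS: it reads the Extranet Lockout settings with `Get-AdfsProperties`, reports weak settings, and can enable the feature with `Set-AdfsProperties`. The threshold and window values are illustrative choices, not values from the documentation; the comparison against the domain lockout threshold needs the ActiveDirectory module and is skipped when it is absent.

```powershell
# Added example (not from the product documentation): audit the Extranet
# Lockout configuration behind the "External account lockouts" measure and,
# optionally, enable it. Requires the ADFS module on a federation server
# (Windows Server 2012 R2 or later) and administrative rights.

function Get-ExtranetLockoutStatus {
    # Reads the relevant properties from Get-AdfsProperties.
    $p = Get-AdfsProperties
    [pscustomobject]@{
        Enabled           = $p.EnableExtranetLockout      # feature on/off
        Threshold         = $p.ExtranetLockoutThreshold   # bad attempts before soft lockout
        ObservationWindow = $p.ExtranetObservationWindow  # how long the soft lockout lasts
        RequirePdc        = $p.ExtranetLockoutRequirePDC  # read badPwdCount from the PDC
    }
}

function Test-ExtranetLockoutPolicy {
    # Returns findings as strings; no output means the policy looks sound.
    # Limits below are illustrative, not documented requirements.
    param(
        [Parameter(Mandatory)] $Status,
        [int] $MaxThreshold       = 10,
        [int] $MinWindowMinutes   = 30,
        [int] $AdLockoutThreshold = 0      # 0 = AD lockout disabled or unknown
    )
    $findings = @()
    if (-not $Status.Enabled) {
        $findings += 'Extranet Lockout is disabled; external password guessing reaches AD directly.'
    }
    if ($Status.Threshold -gt $MaxThreshold) {
        $findings += "ExtranetLockoutThreshold $($Status.Threshold) exceeds $MaxThreshold."
    }
    if ($Status.ObservationWindow -lt (New-TimeSpan -Minutes $MinWindowMinutes)) {
        $findings += "ExtranetObservationWindow $($Status.ObservationWindow) is shorter than $MinWindowMinutes minutes."
    }
    # The soft lockout protects the AD account only if it trips first, so the
    # AD FS threshold has to be lower than the AD account lockout threshold.
    if ($AdLockoutThreshold -gt 0 -and $Status.Threshold -ge $AdLockoutThreshold) {
        $findings += "ExtranetLockoutThreshold $($Status.Threshold) is not below the AD lockout threshold $AdLockoutThreshold; accounts can still be hard-locked from the extranet."
    }
    $findings
}

function Set-ExtranetLockoutHardened {
    # Enables the feature with the given values. Without -Apply it only
    # reports what it would change.
    param([switch] $Apply, [int] $Threshold = 10, [int] $WindowMinutes = 30)
    if (-not $Apply) {
        Write-Host "Dry run: would set EnableExtranetLockout=True, Threshold=$Threshold, Window=$WindowMinutes min"
        return
    }
    Set-AdfsProperties -EnableExtranetLockout $true `
                       -ExtranetLockoutThreshold $Threshold `
                       -ExtranetObservationWindow (New-TimeSpan -Minutes $WindowMinutes)
}

# --- usage ---
$status      = Get-ExtranetLockoutStatus
$adThreshold = 0
try {
    # Optional comparison with the domain policy (ActiveDirectory module).
    $adThreshold = (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold
} catch {
    Write-Verbose 'ActiveDirectory module not available; skipping AD threshold comparison.'
}

$findings = @(Test-ExtranetLockoutPolicy -Status $status -AdLockoutThreshold $adThreshold)
if ($findings.Count -eq 0) {
    Write-Host 'Extranet Lockout policy looks sound.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    Set-ExtranetLockoutHardened          # dry run; add -Apply to change the farm
}
```

Fine-grained password policies can give some accounts a lower AD lockout threshold than the domain default, so treat the domain-level comparison as a first check rather than a complete one.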

Federated authentication failures

Indicates the number of failed federated authentications from partner providers.

Number

Ideally, the value of this measure should be 0 or very low.

Federated authentications

Indicates the number of successful federated authentications from partner providers.

Number


Federation metadata requests

Indicates the number of Federation Metadata requests.

Number

Federation Metadata contains information about your federation service that is used to create trusts, identify token-signing certificates, and many other things.

OAuth authorization requests

Indicates the number of incoming requests to the OAuth Authorization endpoint.

Number

This is a good indicator of the OAuth request load on the AD FS server.

OAuth token requests

Indicates the number of successful RP tokens issued over OAuth protocol.

Number


Passive requests

Indicates the number of incoming web requests for all passive protocols and web functionality.

Number


Password change failed requests

Indicates the number of failed password change requests from the intranet.

Number

An abnormally high value for this measure may warrant investigation, as it could indicate repeated unsuccessful attempts to break into a system or application.

Password change successful requests

Indicates the number of successful password change requests from the intranet.

Number

If this measure reports an abnormally high value, you may want to scrutinize the requests to figure out if they were authentic or requests made with malicious intent.

SAML-P token requests

Indicates the number of successful RP tokens issued over SAML-P protocol.

Number


SSO authentication failures

Indicates the number of failed SSO authentications.

Number

Ideally, the value of this measure should be 0 or very low.

SSO authentications

Indicates the number of successful SSO authentications.

Number


Token requests

Indicates the number of successful RP tokens issued across all protocols.

Number


U/P authentication failures

Indicates the number of failed AD U/P authentications.

Number

U/P stands for username/password. As

By closely monitoring how the value of this measure varies over time, you can catch password-guessing attacks early.

U/P authentications

Indicates the number of successful AD U/P authentications.

Number

If this measure reports an abnormally high value, you may want to scrutinize the requests to figure out if they were authentic or requests made with malicious intent.

Windows integrated authentications

Indicates the number of successful AD Windows Integrated authentications.

Number

Windows Integrated Authentication (WIA) is used for authentication requests that occur within the organization's internal network (intranet) for any application that uses a browser for its authentication.

WS-Fed token requests

Indicates the number of successful RP tokens issued over WS-Fed protocol.

Number

WS-Fed is a sign-in protocol, which in plain English means that when the application you're trying to gain access to redirects you to the ADFS server, it has to be done in a specific way (WS-Fed) for the process to continue.

Web Services Federation (WS-Federation or WS-Fed) is part of the larger WS-Security framework and an extension to the functionality of WS-Trust. The features of WS-Federation can be used directly by SOAP applications and web services. WS-Fed is a protocol that can be used to negotiate the issuance of a token. You can use this protocol for your applications (such as a Windows Identity Foundation-based app) and for identity providers (such as Active Directory Federation Services or Azure AppFabric Access Control Service).

WS-Trust token requests

Indicates the number of successful RP tokens issued over WS-Trust protocol.

Number

The Web Services Trust Language [WSTrust] is available in AD FS to accommodate SOAP-based applications. WS-Trust is a WS-* specification and OASIS standard that provides extensions to WS-Security, specifically dealing with the issuing, renewing, and validating of security tokens, as well as with ways to establish, assess the presence of, and broker trust relationships between participants in a secure message exchange.