In general the documentation I find on TechNet is fairly spot on. Usually you will need to adapt it to your environment, but the information is correct. Then there are times when the technology changes in some way, and the documentation falls behind. Recently while trying to configure ADFS claim rules for a client I ran into the latter. Here’s what is wrong with the article and how you can work around it.
The article in question is this one regarding the third scenario, where you are trying to restrict external client access to browser-based applications only. Before we jump into the errors in the document, first we have to talk a little bit about the scenario. The article states:
IP addresses related to Exchange Online infrastructure will not be present in the list.
And that is blatantly not true. Here are the caller identity fields as seen in the Security logs for ADFS audit.
```
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip
10.xxx.xxx.32,132.245.34.180
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip
10.xxx.xxx.32
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip
132.245.34.180
```
I’ve scrubbed the external IP addresses that belong to me. But that 132.245.34.180 address belongs to Microsoft. So yes, it IS in the x-ms-forwarded-client-ip values. Additionally, ADFS splits out those values into separate claims. Why does this matter? Because Microsoft wants you to use this claim rule to filter out requests that aren’t coming from your internal network:
```
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork",
Value == "false"] &&
c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip",
Value =~ "^(?!192.168.1.77|10.83.118.23)"]
=> issue(Type = "http://custom/ipoutsiderange",
Value = "true");
```
In the c2 part of the rule, the regular expression looks for x-ms-forwarded-client-ip values that do not start with an address from your custom range. Because ADFS has split the forwarded addresses into separate claims, this condition will evaluate as true every time a request comes through Exchange Online, since your custom range will never include the Microsoft datacenter IP addresses. Even if you are on your internal network, your Outlook client will not be able to authenticate, because the ipoutsiderange claim gets issued and the follow-on rule denies the request.
What should you use instead of the above claim rule? Glad you asked. Try this one instead:
```
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork",
Value == "false"] &&
c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip",
Value =~ "^(\b192.168.1.77|10.83.118.23\b)"]
=> issue(Type = "http://custom/ipinrange", Value = "true");

c1:[Type == "http://custom/ipinrange", Value != "true"] &&
c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value != "/adfs/ls/"]
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");
```
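As an added illustration (not code from this post or from Microsoft), the Python script below emulates how ADFS evaluates the c2 condition of the first rule once the comma-separated forwarded-client-ip header has been split into separate claims, and contrasts the TechNet regex with the corrected one above. The sample claim sets are constructed; the only real addresses are the post's own 10.83.118.23 and the 132.245.34.180 Microsoft address from the audit log.

```python
import re

# Claim types exactly as they appear in the ADFS audit events quoted above.
INSIDE = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
FWD_IP = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"

# TechNet's c2 regex: negative lookahead, "value does NOT start with an internal address".
TECHNET_RE = r"^(?!192.168.1.77|10.83.118.23)"
# The corrected c2 regex from this post: positive match on an internal address.
FIXED_RE = r"^(\b192.168.1.77|10.83.118.23\b)"


def expand_claims(claims):
    """Mimic ADFS splitting a comma-separated x-ms-forwarded-client-ip
    value into one claim per address, as the audit log above shows."""
    out = []
    for ctype, value in claims:
        if ctype == FWD_IP and "," in value:
            out.extend((ctype, v.strip()) for v in value.split(","))
        else:
            out.append((ctype, value))
    return out


def matching_ips(claims, regex):
    """Evaluate 'c1 && c2' of the first rule. ADFS tests every claim against
    each condition, so the rule fires when insidecorporatenetwork is "false"
    and ANY forwarded-client-ip claim satisfies the regex. Returns the
    forwarded-ip values that satisfied c2 (an empty list means no fire)."""
    if not any(t == INSIDE and v == "false" for t, v in claims):
        return []
    return [v for t, v in claims if t == FWD_IP and re.search(regex, v)]


# Constructed sample: an Outlook client on the internal network whose request
# is proxied through Exchange Online (so insidecorporatenetwork is "false").
INTERNAL_VIA_EXO = [(INSIDE, "false"), (FWD_IP, "10.83.118.23,132.245.34.180")]
# Constructed sample: a genuinely external client (RFC 5737 documentation address).
EXTERNAL = [(INSIDE, "false"), (FWD_IP, "203.0.113.5")]

if __name__ == "__main__":
    for name, raw in (("internal via EXO", INTERNAL_VIA_EXO), ("external", EXTERNAL)):
        split = expand_claims(raw)
        print(name, "- TechNet ipoutsiderange fires on:", matching_ips(split, TECHNET_RE))
        print(name, "- fixed ipinrange fires on:", matching_ips(split, FIXED_RE))
```

For the internal client the TechNet regex fires on the Microsoft datacenter address, which is exactly the false positive the post describes, while the corrected regex fires only on the internal address.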