YubiKey Support in ADFS on Windows Server 2019

Andreas Helland
Contosio Labs
Jan 8, 2020


I’ve been playing around with YubiKeys more or less since they first came on the market, and way back in the old days (2015) I wondered if it was possible to use them in combination with ADFS. And it turned out it was indeed possible.

Since I’ve been more focused on Azure after that I haven’t really done all that much around updating it (as long as you updated the dll supplied by ADFS you got along more or less), but I decided to bring it up to the current ADFS release and see if things still worked. (For instance, TLS support was broken due to using an old .NET version.)

There were a few tweaks required, but I can confirm that I’ve successfully tested it with ADFS 2019 including the Web Application Proxy role in front.

If you want to go straight to the bits and bytes it is of course available on GitHub:

I quite like the paginated SignIn UI in 2019, and another nifty thing is that while originally the YubiKeys could only be used as a second authentication factor you can actually switch it to being primary for what in this case turns out to be a passwordless experience. (Never mind that technically the key is typing in a long one time password for you.)

Let’s do a little walkthrough shall we?

The YubiKeys have to be registered to specific users, and the id stored in a place where ADFS is able to look it up. There are several ways one could do this, but for simplicity I chose a database very likely to be available for ADFS — Active Directory itself.

Using ADSI Edit I entered the id in ExtensionAttribute10 like this:

[Screenshot: ADSI Edit]

The easiest way to do it is inserting the YubiKey, having it type in an OTP and then removing the surplus characters (you’ll want the first 12 characters).
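As an added example (not from the post or the GitHub repo), this PowerShell snippet does that registration step with the checks you want around it: it validates that what the key typed is a standard 44-character ModHex OTP, takes the first 12 characters as the public ID, refuses to map one key to a second account, and writes the value to extensionAttribute10. It assumes the ActiveDirectory RSAT module and rights to modify the user; the function names are my own.

```powershell
# Added helper, not part of the post or the adapter repo.
# Assumes the ActiveDirectory module (RSAT) and write access to the user.
Import-Module ActiveDirectory

function Get-YubiKeyPublicId {
    param([Parameter(Mandatory)][string]$Otp)
    # Yubico OTPs are ModHex (alphabet cbdefghijklnrtuv). A standard OTP is
    # 44 characters: the 12-character public ID followed by a 32-character
    # encrypted token. Only the public ID is stored on the user.
    $otp = $Otp.Trim().ToLowerInvariant()
    if ($otp -notmatch '^[cbdefghijklnrtuv]{44}$') {
        throw "Not a standard 44-character ModHex YubiKey OTP"
    }
    return $otp.Substring(0, 12)
}

function Register-YubiKeyForUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Otp
    )
    $publicId = Get-YubiKeyPublicId -Otp $Otp

    # A public ID must resolve to exactly one account when the adapter looks
    # it up, so refuse to register a key that is already bound to someone else.
    $others = @(Get-ADUser -LDAPFilter "(extensionAttribute10=$publicId)") |
        Where-Object { $_.SamAccountName -ne $SamAccountName }
    if ($others) {
        throw "Public ID $publicId is already registered to $($others[0].SamAccountName)"
    }

    Set-ADUser -Identity $SamAccountName -Replace @{ extensionAttribute10 = $publicId }
    return $publicId
}

# Usage: touch the key when prompted; the whole OTP is read, the ID extracted.
# Register-YubiKeyForUser -SamAccountName 'jdoe' -Otp (Read-Host 'Touch the YubiKey')
```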

Installing the adapter

Installation of the adapter itself requires compiling the dll and copying it to a temp folder on the ADFS server. You can use the Microsoft.IdentityServer.Web.dll in the repo, but I recommend copying the one found in the C:\Windows\ADFS folder to make sure you’re on the correct version.

Run the following PowerShell script to install it (assuming the files are in C:\install\YubiKeyMFAAdapter):

# Install
Set-Location "C:\install"
# Load System.EnterpriseServices to get access to the GAC publishing API
[System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
$publish = New-Object System.EnterpriseServices.Internal.Publish
# Put the adapter assembly in the GAC so ADFS can load it
$publish.GacInstall("C:\install\YubiKeyMFAAdapter\YubiKeyMFAAdapter.dll")
# Build the fully qualified type name ADFS needs to register the provider
$fn = ([System.Reflection.Assembly]::LoadFile("C:\install\YubiKeyMFAAdapter\YubiKeyMFAAdapter.dll")).FullName
$typeName = "ADFSMFAAdapters.YubiKeyMFAAdapter, " + $fn.ToString() + ", processorArchitecture=MSIL"
Register-AdfsAuthenticationProvider -TypeName $typeName -Name "YubiKey MFA Adapter" -ConfigurationFilePath 'C:\install\YubiKeyMFAAdapter\YubiKeyMFAAdapter.json'
# Restart the ADFS service so it picks up the new provider
net stop adfssrv
net start adfssrv

Configure the adapter

In the ADFS console navigate to Authentication Methods and click Edit on the right side.

[Screenshot: Authentication Methods configuration, ADFS 2019 (YubiKey already enabled)]

Check off YubiKey MFA Adapter.

[Screenshot: Enabling and disabling primary authentication methods in ADFS 2019]

Afterwards the SignIn experience will be something like this:

[Screenshot: Initial SignIn, ADFS 2019]

For testing you can use a “dummy” app by browsing to https://FQDN/adfs/ls/IdpInitiatedSignOn.

More detail on that here:
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-initiatedsignon

Type in your email / UPN
Select “YubiKey Authentication”
Insert key and press it
Voila, you’re logged in.

Uninstalling the adapter

Should you want to remove the adapter, or install a new version, you can run the following PowerShell script:

# Uninstall
# Remove the provider registration from ADFS
Unregister-AdfsAuthenticationProvider -Name "YubiKey MFA Adapter"
# Restart the ADFS service so it releases the assembly
net stop adfssrv
net start adfssrv
# Recreate the publisher object (needed if this runs in a new session
# where $publish from the install script no longer exists)
[System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
$publish = New-Object System.EnterpriseServices.Internal.Publish
# Remove the adapter assembly from the GAC
$publish.GacRemove("C:\install\YubiKeyMFAAdapter\YubiKeyMFAAdapter.dll")

Sure, let’s move into the cloud as soon as possible, but for those times when you find yourself still using ADFS this is a nice touch :)