Issue

The Active Directory Federation Services (ADFS) master key that decrypts ADFS certificates is stored in Active Directory, in the thumbnailPhoto attribute of a contact object located in the CN=ADFS,CN=Microsoft,CN=Program Data,DC=domain,DC=com container.

If the service account for your managed domain in Adaxes is a member of Domain Admins, it will have the rights to read the DKM master key. Note that Adaxes will never attempt to access the key on its own.

However, users that have the permissions to view contacts in Adaxes may be able to view the contact object where the DKM key is stored. This is especially true if you haven't modified or disabled the built-in Domain user security role that grants every user the rights to view every object in your directory via Adaxes.

Adaxes will not reveal the DKM key value under any circumstances, even if the user viewing the contact object has service administrator-level permissions. The attempt to view the contact will still trigger a Suspected AD FS DKM key read alert though.

Solution

It is recommended to deny the Read permission to your managed domain service account over the CN=ADFS,CN=Microsoft,CN=Program Data,DC=domain,DC=com container via native AD access control.

by (600 points)
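One way to apply the recommended mitigation with native AD access control, written here as an added example rather than code from the post or from Adaxes; the account name `CONTOSO\svc-adaxes` is an assumed placeholder for the managed-domain service account, and the ACE is scoped so it only affects that account, not the AD FS service account that legitimately needs the key.

```powershell
# Added example (not from the original post): deny the Adaxes managed-domain service
# account Read access to the AD FS DKM container and the contact object beneath it.
# Assumption: the ActiveDirectory module is available and the caller can edit the ACL.
Import-Module ActiveDirectory

$serviceAccount = 'CONTOSO\svc-adaxes'    # assumed placeholder for the Adaxes service account
$domainDn       = (Get-ADDomain).DistinguishedName
$dkmContainer   = "CN=ADFS,CN=Microsoft,CN=Program Data,$domainDn"

# Resolve the account to a SID so the ACE keeps working if the account is renamed.
$sid = (New-Object System.Security.Principal.NTAccount($serviceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

$acl = Get-Acl -Path "AD:\$dkmContainer"

# Explicit Deny of read rights on the container and everything inherited below it,
# which covers the contact object whose thumbnailPhoto holds the DKM key.
# An explicit Deny on the account takes precedence over the Allow it receives
# through Domain Admins membership, so the account keeps its other rights.
$rights      = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$type        = [System.Security.AccessControl.AccessControlType]::Deny
$inheritance = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
           $sid, $rights, $type, $inheritance)

$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$dkmContainer" -AclObject $acl

# Verification: show the ACEs that now apply to the service account on the container.
(Get-Acl -Path "AD:\$dkmContainer").Access |
    Where-Object { $_.IdentityReference -eq $serviceAccount } |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType
```

After applying the change, confirm that the AD FS service account's own Read ACE on the container is untouched, since AD FS still needs it to decrypt its certificates.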
