Issue

The Active Directory Federation Services (ADFS) master key (the DKM key) that decrypts ADFS certificates is stored in Active Directory, in the thumbnailPhoto attribute of a contact object located in the CN=ADFS,CN=Microsoft,CN=Program Data,DC=domain,DC=com container.

If the service account for your managed domain in Adaxes is a member of Domain Admins, it will have the rights to read the DKM master key. Note that Adaxes will never attempt to access the key on its own.

However, users that have the permissions to view contacts in Adaxes may be able to view the contact object where the DKM key is stored. This is especially true if you haven't modified or disabled the built-in Domain user security role that grants every user the rights to view every object in your directory via Adaxes.

Adaxes will not reveal the DKM key value under any circumstances, even if the user viewing the contact object has service administrator-level permissions. The attempt to view the contact will still trigger a Suspected AD FS DKM key read alert though.

Solution

It is recommended to deny the Read permission to your managed domain service account over the CN=ADFS,CN=Microsoft,CN=Program Data,DC=domain,DC=com container via native AD access control.
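As an added example that is not part of the original post, the following PowerShell applies that Deny ACE with native AD access control and then checks it; the container path is the one above, and the service account name is a placeholder.

```powershell
# Added example, not from the original post: deny Read on the AD FS DKM container to the
# Adaxes managed-domain service account, then verify the effective ACEs.
# Assumes the ActiveDirectory module is installed and the current user may edit the DACL.
Import-Module ActiveDirectory

$container   = 'CN=ADFS,CN=Microsoft,CN=Program Data,DC=domain,DC=com'  # container from the post
$serviceAcct = 'DOMAIN\svc-adaxes'                                        # placeholder account name

$sid = (New-Object System.Security.Principal.NTAccount($serviceAcct)).Translate([System.Security.Principal.SecurityIdentifier])

# Deny GenericRead to the service account on the container and everything below it,
# which covers the contact object that carries the key in its thumbnailPhoto attribute.
$aceArgs = @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $aceArgs

$acl = Get-Acl -Path "AD:\$container"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$container" -AclObject $acl

# Check: an inherited Deny loses to an explicit Allow set directly on a child object, so list
# every ACE naming the service account on the container and on each object beneath it.
Get-ADObject -SearchBase $container -SearchScope Subtree -Filter * |
    ForEach-Object {
        $dn = $_.DistinguishedName
        (Get-Acl -Path "AD:\$dn").Access |
            Where-Object { $_.IdentityReference.Value -eq $serviceAcct } |
            Select-Object @{ n = 'Object'; e = { $dn } }, AccessControlType, ActiveDirectoryRights, IsInherited
    } | Format-Table -AutoSize
```

If the check shows an explicit Allow for the service account on the contact object itself, the Deny must be set on that object too, since the inherited Deny alone will not block the read there.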

