Local LAN IP - ADFS Headers

Kelly Sparks 121 Reputation points
2022-03-21T12:52:27.213+00:00

We have users that log in through ADFS from the WAP Proxy and also directly from the LAN.
Clearly when a user logs in through WAP, the network headers show the end user client IP:

    X-MS-Forwarded-Client-IP = 77.174.143.66
    X-MS-ADFS-Proxy-Client-IP = 77.174.143.66
    client-request-id = 964ad453-4c39-43c5-93e2-e3855467265a
    X-MS-Proxy = WAP-2019
    X-MS-Endpoint-Absolute-Path = /adfs/ls/

But when the user logs into ADFS from the local LAN, the Local LAN IP is nowhere to be found in the network header request or response.
I would like to be able to see/pull the local LAN IP of the user for a security application.

Anyone have any idea where the local LAN IP is saved? Clearly ADFS must know it, or it could not reply back to the user.

Microsoft Security | Active Directory Federation Services

Accepted answer
  1. Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee
    2022-03-25T17:21:47.883+00:00

    The first link shows the following information about the IdentityClaims:

        /// Returns an array indicating the type of claim that the adapter uses to identify the user being authenticated.
        /// Note that although the property is an array, only the first element is currently used.
        /// MUST BE ONE OF THE FOLLOWING
        /// "https://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
        /// "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
        /// "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
        /// "https://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"
        public string[] IdentityClaims
        {
            get { return new[] { "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" }; }
        }

    So here you need the stuff to identify who the user is.

    Regarding the network data, you get a System.Net.HttpListenerRequest in the BeginAuthentication method of IAuthenticationAdapter. From there, you must be able to get the client IP: https://learn.microsoft.com/en-us/dotnet/api/system.net.httplistenerrequest.remoteendpoint?view=netframework-4.7#system-net-httplistenerrequest-remoteendpoint
    This will show the actual IP of the client if the connection is made to the ADFS server directly, or the IP address of the WAP if that's coming from the WAP. But you already get the gist of it for getting other headers. Note that's always the case for regular clients/browsers. Unless they are going through a proxy, the HTTP header will not contain the client IP (that's at the discretion of the user agent to send headers). So your question could be addressed in a broader context, not specific to AD FS. Since this is not a developer-focused #ADFS tag, we do the best we can to provide support :( But at the end of the day, you might want to use a .NET focused community.

    Also, you can actually find Tino's examples on his archived blog here: https://learn.microsoft.com/en-us/archive/blogs/cloudpfe/how-to-create-a-custom-authentication-provider-for-active-directory-federation-services-on-windows-server-2012-r2-part-1 on top of the link already provided. There are plenty of open source MFA adapters to look at on GitHub if you are interested in looking at more complex solutions.
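One way to resolve the client IP inside BeginAuthentication, as an added example that is not from this thread or from any Microsoft sample: it uses RemoteEndPoint for direct LAN sign-ins and honours X-MS-Forwarded-Client-IP only when the TCP peer is a known WAP, so a direct client cannot spoof the header. The WAP address list and the calling adapter are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Hypothetical helper an IAuthenticationAdapter can call from
// BeginAuthentication(Claim identityClaim, HttpListenerRequest request, IAuthenticationContext context).
public static class ClientIpResolver
{
    // Constructed allow-list of WAP server addresses (placeholder values).
    private static readonly HashSet<IPAddress> TrustedProxies = new HashSet<IPAddress>
    {
        IPAddress.Parse("10.0.0.5"),
        IPAddress.Parse("10.0.0.6")
    };

    public static IPAddress Resolve(HttpListenerRequest request)
    {
        // For intranet sign-ins the TCP peer is the browser itself.
        IPAddress peer = request.RemoteEndPoint.Address;

        // HttpListener may report IPv4 peers as IPv4-mapped IPv6 (::ffff:a.b.c.d).
        if (peer.IsIPv4MappedToIPv6)
            peer = peer.MapToIPv4();

        // Only trust the forwarded header when the request really came from a WAP;
        // anyone can add the header, but only the WAP's TCP address is verifiable.
        if (TrustedProxies.Contains(peer))
        {
            string forwarded = request.Headers["X-MS-Forwarded-Client-IP"];
            if (!string.IsNullOrEmpty(forwarded))
            {
                // Defensive: take the first entry in case of a comma-separated chain.
                string first = forwarded.Split(',')[0].Trim();
                IPAddress client;
                if (IPAddress.TryParse(first, out client))
                    return client;
            }
        }

        // Direct LAN client (or a WAP that sent no usable header): the peer is the answer.
        return peer;
    }
}
```

Inside BeginAuthentication you would call `ClientIpResolver.Resolve(request)` and, if TryEndAuthentication also needs it, store the result in `context.Data`.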


5 additional answers

  1. TinoDonderwinkel-3216 81 Reputation points
    2022-03-23T19:55:57.563+00:00

    Hi,

    When you're building an AD FS MFA Adapter yourself, you will see that the method that actually performs the authentication, the BeginAuthentication method, has a parameter of type HttpListenerRequest. This parameter might have the information you are looking for, as per the documentation: system.net.httplistenerrequest

    I have a basic MFA Adapter implementation available here: adfsmfaadapter

    Hope that helps!


  2. Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee
    2022-03-23T00:28:46.123+00:00

    The source IP address in the datagram is the source IP in the case of intranet signins.


  3. Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee
    2022-03-23T02:15:22.287+00:00

    Is that a generic question about .NET programming (AD FS heavily leverages the .NET framework)? I am no dev, but I guess AD FS gets the IP address from the request received by the HTTP listener. But this is not the ideal tag (AD FS) to have a proper answer to that question. Now if you are trying to do some AD FS specific things, maybe we can help :)

    Are you building an MFA provider? If so the IP is in a claim available in the pipeline accessible through the IAuthenticationAdapter adapter https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method.

    Or are you building a risk assessment plug-in? If so the client IP is also available through an existing interface: IPostAuthenticationThreatDetectionModule. https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/development/ad-fs-risk-assessment-model


  4. Kelly Sparks 121 Reputation points
    2022-03-25T09:49:17.557+00:00

    After spending a week on this, we are giving up. From what we can see, MSFT left out the IP discovery in ADFS because all the IP claims are null.

    We are now working to implement our own encrypted Local LAN IP pinger website to get the client IP.

    This is a real pain, but knowing the client IP is vital to our adapter.

