CRM 2015 and WID - WS-Federation Token Replay Attempts\SAML Artefact Resolution

  • Question

  • Hello,

     I'm looking at deploying CRM with ADFS, but would like to use WID due to SQL licensing costs. Is CRM 2015 vulnerable to WS-Federation Token Replay Attempts? In addition, does CRM 2015 use SAML artifact resolution?

    I'm trying to decide whether these factors are worth the cost of SQL.

    Thanks

    Monday, December 7, 2015 3:52 PM

Answers

  • Whilst not definitive, I think it's about as good an answer as I'm likely to get :-)

    I'll leave the ADFS DB with WID

    Thanks

    • Marked as answer by EuroTechie2013 Wednesday, December 9, 2015 9:45 AM
    Wednesday, December 9, 2015 9:45 AM

All replies

  • Hi,

    If you are thinking about using WID as the primary DB for CRM, it's not an option; for ADFS it is, though, as seen here: https://technet.microsoft.com/en-us/library/ee913581.aspx. As for token replay attempts, you have some information here: https://technet.microsoft.com/en-us/library/ff630160.aspx. And finally, SAML artifacts are discussed here: http://blogs.technet.com/b/askpfeplat/archive/2013/07/22/faq-on-adfs-part-1.aspx

    Regards


    Rickard Norström Developer CRM-Konsulterna
    http://www.crmkonsulterna.se
    Swedish Dynamics CRM Forum: http://www.crmforum.se
    My Blog: http://rickardnorstrom.blogspot.se

    Tuesday, December 8, 2015 7:20 AM
  • Thanks Rickard, but that doesn't quite answer my question.

    I know WID is perfectly acceptable for an ADFS internal DB; however, it doesn't give you:

    1. SAML\WS-Federation Token replay detection
    2. SAML artifact resolution

    My understanding is that token replay detection can stop man-in-the-middle attacks and stops old browser sessions from re-using old authentication tickets. In addition, SAML artifact resolution provides a mechanism whereby the client and application can use an artifact to improve security.

    Having said that, provided you encrypt your ADFS Relying Party Trusts and your application is well written from a security perspective, then the above 2 points should not matter - my question is whether it's a security vulnerability to deploy ADFS using WID when setting up ADFS for CRM 2015?

    Thanks 

    Tuesday, December 8, 2015 8:52 AM
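A worked illustration of the replay-detection point raised in the post above, added here and not part of any reply in the thread: a minimal replay cache for a SAML/WS-Federation assertion, run once with a store shared by two farm nodes and once with per-node memory only, to show why detection depends on shared state (the sample assertion, its ID and the two-node simulation are constructed for the example).

```python
# Added example (not from the thread): a minimal SAML/WS-Federation token replay cache
# and a two-node simulation showing why replay detection needs a shared store.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, trimmed to the two fields replay detection needs:
# the assertion ID and the NotOnOrAfter condition.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_example-assertion-1" IssueInstant="2015-12-08T08:52:00Z">
  <saml:Conditions NotBefore="2015-12-08T08:52:00Z" NotOnOrAfter="2015-12-08T09:52:00Z"/>
</saml:Assertion>"""


def assertion_key(xml_text):
    """Return (assertion ID, NotOnOrAfter as an aware UTC datetime).
    Real tokens must be signature-checked first; this only reads the fields."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", SAML_NS)
    expires = datetime.strptime(cond.get("NotOnOrAfter"), "%Y-%m-%dT%H:%M:%SZ")
    return root.get("ID"), expires.replace(tzinfo=timezone.utc)


class TokenReplayCache:
    """Remembers assertion IDs until they expire; a second presentation before then is a replay."""

    def __init__(self):
        self._seen = {}

    def accept(self, assertion_id, expires_at, now):
        # Drop IDs that can no longer be replayed, so the cache is bounded by token lifetime.
        self._seen = {k: v for k, v in self._seen.items() if v > now}
        if expires_at <= now or assertion_id in self._seen:
            return False  # expired token, or an ID we have already honoured
        self._seen[assertion_id] = expires_at
        return True


def simulate(shared_store):
    """Present one token to node A, then replay it to node B five seconds later.
    Returns (first presentation accepted, replay accepted)."""
    aid, exp = assertion_key(SAMPLE_ASSERTION)
    now = exp - timedelta(minutes=30)  # token still well within its validity window
    if shared_store:
        store = TokenReplayCache()
        node_a, node_b = store, store  # one store behind every farm node
    else:
        node_a, node_b = TokenReplayCache(), TokenReplayCache()  # per-node memory only
    first = node_a.accept(aid, exp, now)
    replay = node_b.accept(aid, exp, now + timedelta(seconds=5))
    return first, replay
```

With a shared store the replay is refused; with isolated per-node caches the second node honours the same assertion again, which is the gap a single-node-only configuration leaves open.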
  • OK, I misunderstood your question. I'm no internet expert, but as you say, token replay isn't used when you use WID instead of SQL, but I can't say what that means, sorry about that.

    Regards


    Rickard Norström Developer CRM-Konsulterna
    http://www.crmkonsulterna.se
    Swedish Dynamics CRM Forum: http://www.crmforum.se
    My Blog: http://rickardnorstrom.blogspot.se

    Tuesday, December 8, 2015 11:55 AM
  • I'm fairly sure CRM does not use SAML artifact resolution. As to WS-Federation Token replay detection, this is an ADFS feature that is pretty much independent of whichever relying party (in this case CRM) uses ADFS. It is possible for a relying party to require WS-Federation Token replay detection, but CRM does not require this.

    Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk

    Tuesday, December 8, 2015 3:41 PM
    Moderator
  • Thanks David. OK, so in your opinion, if you use ADFS with WID (and therefore don't have token replay detection enabled), but you encrypt the Relying Party with a sha256 SSL cert, is the lack of token replay detection a security risk?

    I know, for example, Office 365 isn't susceptible to token replay detection, so using a WID as the ADFS DB would be OK in that case.

    Cheers

    Tuesday, December 8, 2015 4:11 PM
  • I wouldn't treat this answer as definitive, but my understanding is that CRM is unaware of token replay detection, so I would expect that there is a theoretical risk of token replay if using WID as the ADFS DB.

    Whether that is a significant security risk is another matter. My view is that token replay is not a major risk, as you need to compromise other areas to make such an attack.


    Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk

    Wednesday, December 9, 2015 9:31 AM
    Moderator