Recovering active ADFS signing keys via Machine DPAPI
🛡️ This post examines how ADFS token-signing private keys persisted in the machine-scoped key store and protected by Machine DPAPI can be recovered by a sufficiently privileged local context. It describes a red team finding where manual certificate rotations with AutoCertificateRollover disabled created configuration drift, leaving active signing keys exposed in Machine DPAPI and enabling forged SAML assertions. The article outlines extraction details, detection guidance, and mitigation measures including HSM use and configuration validation.
