
Active Directory Federation Services

Thomas Stensitzki
AD FS | Quick Overview

Page 2
What is AD FS

AD FS: Active Directory Federation Services

AD FS provides the infrastructure that enables a user to authenticate in one network and
use a secure service or application in another network.

Authentication Methods
- Resources accessed from outside the corporate network
  - Forms authentication
  - Certificate authentication | Smart Card, Soft Certificate
- Resources accessed from inside the corporate network
  - Windows Authentication

Device authentication can provide a secondary authentication method when multi-factor
authentication (MFA) is required.

Page 3
AD FS Versions

AD FS 1.0 was originally released as a Windows component with Windows Server 2003 R2.
AD FS 1.1 was released with Windows Server 2008 and Windows Server 2008 R2, as an
installable server role.
AD FS 2.0 was released as an installable download for Windows Server 2008 SP2 or above.
AD FS 2.1 was released with Windows Server 2012 as an installable server role.
AD FS 3.0 is an installable server role on Windows Server 2012 R2. AD FS 3.0 does not
require a separate IIS install and it includes a new AD FS proxy role called the Web
Application Proxy.
AD FS 4.0 was released with Windows Server 2016 as an installable server role.

Page 4
How AD FS works

Security token service (STS) infrastructure
- Active Directory Federation Services
- Shibboleth Identity Provider
- Third-party identity providers

AD FS and AAD Connect
- Account synchronization for federated domain users (the user objects must exist in
  Azure AD; only the credential check is redirected to AD FS)

AAD Connect, Password Sync and AD FS
- AAD Connect without Password Sync does not store password hashes in Azure AD:
  no failback if AD FS is not available
- AAD Connect with Password Sync synchronizes the password hashes to Azure AD:
  the federated domain can be converted to standard (managed) authentication if AD FS
  is not available
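The failback described above, as an added example that is not part of the original slides: converting a federated domain back to managed authentication while AD FS is down, using the MSOnline cmdlets of the slide's era. The domain name is a placeholder, and the script assumes an account with Global Administrator rights.

```powershell
# Added example (not from the original slides): fail a federated domain back to
# managed authentication when AD FS is unavailable. Requires the MSOnline module
# and a Global Administrator account. contoso.com is a placeholder domain name.

Import-Module MSOnline
Connect-MsolService

$domain = 'contoso.com'

# 1. Confirm the domain is currently federated.
$state = Get-MsolDomain -DomainName $domain
if ($state.Authentication -ne 'Federated') {
    throw "$domain is already '$($state.Authentication)', nothing to do."
}

# 2. Confirm password hash sync is populating Azure AD. Without synced hashes the
#    conversion succeeds but nobody can sign in afterwards: the "no failback"
#    case on the slide.
$companyInfo = Get-MsolCompanyInformation
if (-not $companyInfo.PasswordSynchronizationEnabled) {
    throw 'Password hash sync is not enabled; converting the domain would lock users out.'
}

# 3. Convert. Set-MsolDomainAuthentication flips the domain to managed and keeps
#    the hashes already synced, so users keep their on-premises passwords.
Set-MsolDomainAuthentication -DomainName $domain -Authentication Managed

# Alternative when hashes are NOT synced: Convert-MsolDomainToStandard resets
# every user's cloud password and writes the temporary passwords to a file.
# Convert-MsolDomainToStandard -DomainName $domain -SkipUserConversion $false `
#     -PasswordFile 'C:\Temp\passwords.txt'

# 4. Verify the domain now reports Managed authentication.
Get-MsolDomain -DomainName $domain | Select-Object Name, Authentication
```

The conversion removes the federation settings from the tenant, so once AD FS is healthy again the domain has to be re-federated (Convert-MsolDomainToFederated from a federation server) rather than simply switched back. Treat the script as a rehearsed runbook: test it against a spare verified domain before relying on it in an outage.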

Page 5
Azure AD Federation Compatibility

- Optimal IDM Virtual Identity Server Federation Services
- PingFederate 6.11, 7.2, 8.x
- Centrify
- IBM Tivoli Federated Identity Manager 6.2.2
- SecureAuth IdP 7.2.0
- CA SiteMinder 12.52
- RadiantOne CFS 3.0
- Okta
- OneLogin
- NetIQ Access Manager 4.0.1
- BIG-IP with Access Policy Manager BIG-IP ver. 11.3x, 11.6x
- VMware Workspace Portal version 2.1
- Sign&go 5.3
- IceWall Federation Version 3.0
- CA Secure Cloud
- Dell One Identity Cloud Access Manager v7.1
- AuthAnvil Single Sign On 4.5
- Sailpoint IdentityNow
- Active Directory Federation Services

Page 6
AD FS Planning Considerations (1)

- Preparation for end devices and browsers
- Placement of AD FS servers and proxies
- Appropriate internal network topologies for farms/proxies
- Check AD for non-supported characters and invalid data
- Preparation of DNS host name records
- Purchase or issuing of certificates

Page 7
AD FS Planning Considerations (2)

Configuration of firewalls for AD FS-related ports
- TCP 443 (HTTPS) from clients to the proxies and from the proxies to the federation servers

Selection of appropriate AD FS database technology
- Windows Internal Database or SQL Server

Capacity planning to determine required servers and server specifications
- Number of users to authenticate, number of relying party trusts

Planning for AD FS High Availability

Preparation for multi-factor authentication

Planning for access filtering using claims rules
- Issuance authorization rules decide per relying party who may obtain a token; a request that earns no permit claim is denied
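Access filtering with claims rules, as an added example that is not part of the original slides: the issuance authorization rules below permit every request from inside the corporate network and allow external requests only for members of one AD group. The rules use the insidecorporatenetwork claim that AD FS 2012 R2 and later issue, so the script assumes that version or newer; the relying party display name and the group SID are placeholders.

```powershell
# Added example (not from the original slides): restrict an Office 365 relying
# party to internal clients plus one AD group for external access. Run on an
# AD FS 2012 R2 or later federation server. The relying party display name and
# the group SID are placeholders.

Import-Module ADFS

$rpName   = 'Microsoft Office 365 Identity Platform'              # display name of the RP trust
$groupSid = 'S-1-5-21-1111111111-2222222222-3333333333-1234'      # placeholder: "O365-ExternalAccess" group

# Claims rule language. AD FS evaluates the rule set top to bottom; a request that
# is never issued a permit claim is denied, and an explicit deny wins over permit.
$rules = @"
@RuleName = "Permit all requests from inside the corporate network"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Permit external requests only for members of the external-access group"
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Keep a copy of the current rule set so the change can be rolled back.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$backup = Join-Path $env:TEMP (($rpName -replace '\s', '_') + '-authz-rules.bak')
$rp.IssuanceAuthorizationRules | Out-File -FilePath $backup -Encoding UTF8

# Replace the default "Permit all users" rule with the filtered set.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Show what AD FS now holds for the trust.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

The insidecorporatenetwork claim is only reliable when external traffic really does arrive through the Web Application Proxy, which is why the proxy placement on the topology slides matters for this rule: a federation server reachable directly from the Internet would classify every request as internal.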

Page 8
AD FS Clients

Microsoft Online Services Sign-In Assistant
- Office 365 Desktop setup
- System Center Configuration Manager
- Manual install

Modern browsers with JavaScript enabled
- Internet Explorer
- Mozilla Firefox
- Safari

Page 9
ADAL

ADAL: Active Directory Authentication Library

- ADAL works with OAuth 2.0 to enable more authentication and authorization scenarios ("modern authentication")
- Utilizes the AD FS infrastructure for federated users
- Office 2016 clients support modern authentication by default; Office 2013 clients require it to be enabled explicitly

Link: How modern authentication works for Office 2013 and Office 2016 client apps

Page 10
AD FS Topologies (1)

Stand-alone server versus server farm
- Always create a server farm, even with one server

Windows Internal Database (WID) versus SQL Server
                          1 - 100 RP Trusts        More than 100 RP Trusts
  1 - 30 AD FS Nodes      WID supported            WID not supported - SQL required
  More than 30 AD FS Nodes  WID not supported - SQL required   WID not supported - SQL required

  WID also does not support SAML artifact resolution or token replay detection; plan for SQL Server if either is needed.

Number of Servers (minimum number of servers, source: Microsoft)

  Number of users     Federation servers                              Federation server proxies
  < 1,000             0 dedicated, can co-locate on a DC              0 dedicated, can co-locate on a web server
  1,000 - 15,000      2 dedicated                                     2 dedicated
  15,000 - 60,000     3 - 5 dedicated                                 min. 2 dedicated

  Co-locating the federation service on a domain controller widens the DC's attack surface; dedicated servers are preferable even for small deployments.

Page 11
AD FS Topologies (2)

AD FS Proxies
- Not mandatory but recommended for extranet/internet users

Server Placement
- AD FS servers are domain joined and are located in the internal network
- AD FS proxy servers should not be domain joined and are located in the perimeter network

[Diagram: Federation Server Farm in the internal network (fs1.lan.contoso.com 172.16.1.1,
fs2.lan.contoso.com 172.16.1.2, load-balanced as fs.contoso.com 172.16.1.3) serving
internal users; AD FS Proxies in the perimeter network (wap1.contoso.com 192.0.2.1,
wap2.contoso.com 192.0.2.2, load-balanced as fs.contoso.com 192.0.2.3) published on a
public IP as fs.contoso.com for external users.]

Page 12
AD FS Requirements (1)

Active Directory
- Domain controllers running Windows Server 2008 or later
- Windows Server 2016 domain controller for Microsoft Passport (now Windows Hello for Business)
- Account domain and AD FS server domain must be operating at DFL Windows Server 2003 or higher
- User account client certificate authentication requires DFL Windows Server 2008 or higher
- Check on-premises Active Directory for the UPN suffix: it must be a domain verified in the tenant, not a non-routable suffix such as .local
- Remediate UPNs for invalid characters
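The UPN check from the two items above, as an added example that is not part of the original slides. The character rules follow the Azure AD Connect documentation for userPrincipalName; the list of verified suffixes is a placeholder, and the script assumes the ActiveDirectory module on a domain-joined host.

```powershell
# Added example (not from the original slides): find enabled AD user accounts
# whose UPN will not synchronize cleanly to Azure AD. The verified-domain list is
# a placeholder; the character rules follow the Azure AD Connect documentation.

Import-Module ActiveDirectory

# UPN suffixes that are verified in the Azure AD tenant (placeholder values).
$verifiedSuffixes = @('contoso.com', 'fabrikam.com')

# Characters allowed before the '@' per Azure AD Connect documentation:
# A-Z a-z 0-9 ' . - _ ! # ^ ~   (no spaces, no other punctuation)
$localPartPattern = "^[A-Za-z0-9'._\-!#^~]+$"

function Test-UpnForAzureAD {
    param([string]$Upn, [string[]]$Suffixes)

    if ([string]::IsNullOrEmpty($Upn))       { return 'Missing UPN' }
    $parts = $Upn.Split('@')
    if ($parts.Count -ne 2)                   { return 'Must contain exactly one @' }
    $local, $suffix = $parts
    if ($local.Length -gt 64)                 { return 'Local part longer than 64 characters' }
    if ($Upn.Length -gt 113)                  { return 'UPN longer than 113 characters' }
    if ($local -notmatch $localPartPattern)   { return 'Invalid character in local part' }
    if ($local.EndsWith('.'))                 { return 'Local part may not end with a period' }
    if ($suffix -notin $Suffixes)             { return "Suffix '$suffix' is not a verified domain" }
    return $null   # valid
}

# Walk every enabled user and report the accounts that fail, with the reason.
$findings = foreach ($u in Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName) {
    $reason = Test-UpnForAzureAD -Upn $u.UserPrincipalName -Suffixes $verifiedSuffixes
    if ($reason) {
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            UserPrincipalName = $u.UserPrincipalName
            Problem           = $reason
        }
    }
}

$findings | Sort-Object Problem, SamAccountName | Format-Table -AutoSize
```

Run it before the first synchronization and again after any bulk account creation; a UPN that changes after the user has been federated also changes the identity Azure AD sees, so fix the suffixes first and convert domains second.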

DNS and namespaces
- Namespace planning, e.g. sts, fs or adfs
- All clients must be able to resolve either the internal or the external AD FS service name
- Windows Integrated Authentication requires a DNS A record, not a CNAME record: with a CNAME the
  browser requests a Kerberos ticket for the canonical host name instead of HOST/[federation service name],
  which is the SPN registered on the AD FS service account

Page 13
AD FS Requirements (2)

Certificates
- Same SSL certificate (including the private key) on all AD FS servers and Web Application Proxies
- Common name or SAN of the certificate must match the federation service name
- User certificate authentication requires certauth.[federation service name] as SAN
- Device registration or modern authentication for pre-Windows 10 clients requires
  enterpriseregistration.[UPN suffix] as SAN, one entry per UPN suffix

Network
- Firewall policy to allow HTTPS on TCP 443
- Client user certificate authentication requires TCP 49443 to the Web Application Proxy, if certauth on 443 is not enabled

Database
- Windows Internal Database
- SQL Server 2008 or higher
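The certificate, DNS and network requirements on this slide (and the A-record rule on the previous one) as one pre-flight check. This is an added example, not part of the original slides; the federation service name, UPN suffix, proxy host name and certificate thumbprint are placeholders, and the script assumes Windows PowerShell 4 or later on a host in the internal network that can reach the proxy.

```powershell
# Added example (not from the original slides): pre-flight checks for the
# certificate, DNS and firewall requirements of an AD FS deployment. All names
# and the thumbprint below are placeholders.

$federationServiceName = 'fs.contoso.com'
$upnSuffixes           = @('contoso.com')
$proxyHost             = 'wap1.contoso.com'
$thumbprint            = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder

$requiredSans = @(
    $federationServiceName
    "certauth.$federationServiceName"          # user certificate authentication on 443 (AD FS 2016)
) + @($upnSuffixes | ForEach-Object { "enterpriseregistration.$_" })   # device registration

# 1. Certificate: every required name must be in the SAN extension, and the
#    private key must be present, otherwise the certificate cannot be exported
#    to the other farm nodes and proxies.
$cert    = Get-ChildItem -Path "Cert:\LocalMachine\My\$thumbprint"
$sans    = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$missing = @($requiredSans | Where-Object { $_ -notin $sans })
if ($missing.Count -gt 0) { Write-Warning "Certificate is missing SAN entries: $($missing -join ', ')" }
if (-not $cert.HasPrivateKey) { Write-Warning 'Certificate has no private key; export to other nodes will fail' }

# 2. DNS: Windows Integrated Authentication needs an A record for the service
#    name. A CNAME makes the browser request a Kerberos ticket for the canonical
#    host name instead of HOST/fs.contoso.com, which the AD FS service account holds.
$records = Resolve-DnsName -Name $federationServiceName -Type A -ErrorAction Stop
if ($records | Where-Object { $_.Type -eq 'CNAME' }) {
    Write-Warning "$federationServiceName is a CNAME; use an A record for Windows Integrated Authentication"
}

# 3. Network: HTTPS to the proxy, plus TCP 49443 when certauth is not served on 443.
foreach ($port in 443, 49443) {
    $r = Test-NetConnection -ComputerName $proxyHost -Port $port -WarningAction SilentlyContinue
    '{0}:{1} reachable={2}' -f $proxyHost, $port, $r.TcpTestSucceeded
}
```

Run the DNS part twice, once from inside and once from outside, because with split DNS the same name must resolve to the internal farm VIP and to the proxy VIP respectively.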

Page 14
AD FS Capacity Planning

AD FS Capacity Planning Sizing Spreadsheet inputs:
- Number of users requiring SSO access
- Number of users sending authentication requests (peak)
- Duration of the peak usage period
- Geo-redundancy information
- AD FS Proxy information

Link: AD FS 2016 Capacity Planning Spreadsheet

Page 15
High Availability for AD FS

Why HA is essential
- Federated resources (e.g. Office 365) are not accessible when AD FS fails or is not reachable;
  for a federated domain Azure AD has no fallback authentication path

Load Balancing
- Use a simple load balancing solution; AD FS 2012 R2 and later expose an HTTP health probe at /adfs/probe
  so the load balancer can drop an unhealthy node

Protecting SQL Server
- SQL Cluster (failover cluster instance)
- SQL failover partner (database mirroring)

Office 365 Adapter for Windows Azure Virtual Machines
- White paper: Office 365 Adapter - Deploying Office 365 single sign-on using Azure Virtual Machines
  https://technet.microsoft.com/en-us/library/dn509539.aspx
- Deployment scenarios for Office 365 with single sign-on and Azure
  https://technet.microsoft.com/en-us/library/dn509537.aspx

Page 16
High Availability for AD FS: Azure for Disaster Recovery

[Diagram: on-premises AD DS, AAD Connect, AD FS and AD FS Proxy, connected through a VPN tunnel
to Azure virtual machines hosting AD DS (1x), AAD Connect (1x), AD FS (1x) and AD FS Proxy (2x)
as the disaster recovery site.]

Page 17
High Availability for AD FS: Azure Only

[Diagram: on-premises AD DS connected through a VPN tunnel to Azure virtual machines hosting
AD DS (1x), AAD Connect (1x), AD FS (1x) and AD FS Proxy (2x); the whole federation service runs in Azure.]

Page 18
Best Practices for AD FS

Plan for AD FS proxy servers
- Avoid having federation servers directly accessible on the Internet; the Web Application Proxy in the
  perimeter network terminates external connections and applies extranet lockout

Prepare DNS
- Split DNS requires proper DNS zone maintenance: the same service name must resolve to the internal
  farm inside and to the proxies outside

Networking, firewall, and security design
- Ensure the certificate export includes the private key (PFX), otherwise it cannot be installed on the
  other farm nodes and proxies

Page 19
Questions

Thomas Stensitzki
Expert
Granikos GmbH & Co. KG
MCSM Messaging, MCM: Exchange 2010
MCT, MCSE, MCITP, MCTS, MCSA, MCSA:M

E-Mail: thomas.stensitzki@granikos.eu
Web: http://www.Granikos.eu
Blog: http://blog.Granikos.eu
Blog: http://JustCantGetEnough.Granikos.eu
