Thomas Stensitzki
AD FS | Quick Overview
What is AD FS
AD FS Versions
AD FS 1.0 was originally released as a Windows component with Windows Server 2003 R2.
AD FS 1.1 was released with Windows Server 2008 and Windows Server 2008 R2, as an
installable server role.
AD FS 2.0 was released as an installable download for Windows Server 2008 SP2 or above.
AD FS 2.1 was released with Windows Server 2012 as an installable server role.
AD FS 3.0 is an installable server role on Windows Server 2012 R2. AD FS 3.0 does not
require a separate IIS install and it includes a new AD FS proxy role called the Web
Application Proxy.
AD FS 4.0 was released with Windows Server 2016.
How AD FS works
Azure AD Federation Compatibility
- Optimal IDM Virtual Identity Server Federation Services
- PingFederate 6.11, 7.2, 8.x
- Centrify
- IBM Tivoli Federated Identity Manager 6.2.2
- SecureAuth IdP 7.2.0
- CA SiteMinder 12.52
- RadiantOne CFS 3.0
- Okta
- OneLogin
- NetIQ Access Manager 4.0.1
- BIG-IP with Access Policy Manager, BIG-IP ver. 11.3x, 11.6x
- VMware Workspace Portal version 2.1
- Sign&go 5.3
- IceWall Federation Version 3.0
- CA Secure Cloud
- Dell One Identity Cloud Access Manager v7.1
- AuthAnvil Single Sign On 4.5
- Sailpoint IdentityNow
- Active Directory Federation Services
AD FS Planning Considerations (1)
AD FS Planning Considerations (2)
AD FS Clients
ADAL
Link: How modern authentication works for Office 2013 and Office 2016 client apps
AD FS Topologies (1)
Number of Servers
- More than 30 AD FS nodes: WID not supported, SQL Server required
- Sizing table: number of users vs. minimum number of servers (Source: Microsoft)
AD FS Proxies
- Not mandatory but recommended for extranet/internet users
Server Placement
- AD FS servers are domain joined and are located in the internal network
- AD FS proxy servers should not be domain joined and are located in the perimeter network
- Diagram: example placement of fs2.lan.contoso.com (172.16.1.2) on the internal network and wap2.contoso.com (192.0.2.2) in the perimeter network
Active Directory
- Domain controllers running Windows Server 2008 or later
- Windows Server 2016 domain controller for Microsoft Passport
- Account domain and AD FS server domain must be operating at DFL Windows Server 2003
- User account client certificate authentication requires DFL Windows Server 2008
- Check on-premises Active Directory for UPN domain
- Remediate UPN for invalid characters
AD FS Requirements (2)
Certificates
- Same SSL certificate for AD FS and Web Application proxies
- Common name of the certificate should match the service name
- User certificate authentication requires certauth.[federation service name] as SAN
- Device registration or modern authentication for pre-Windows 10 clients requires enterpriseregistration.[UPN suffix] as SAN
Network
- Firewall policy to allow HTTPS on TCP 443
- Client user certificate authentication requires TCP 49443 to Web Application proxy, if certauth on 443 is not enabled
Database
- Windows Internal Database
- SQL Server 2008 or higher
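As an added example (not part of the deck), a PowerShell check that derives the SAN names the Certificates slide calls for from the federation service name and UPN suffixes, compares them with the service certificate in the local machine store, and probes the TCP ports listed under Network. The federation service name, UPN suffix and proxy host are assumed sample values.

```powershell
# Added example, not from the original deck. Checks an AD FS service certificate
# against the SAN requirements above and probes the HTTPS / certauth ports.
# $FederationServiceName, $UpnSuffixes and $ProxyHost are assumed sample values.
param(
    [string]$FederationServiceName = 'fs.contoso.com',
    [string[]]$UpnSuffixes = @('contoso.com'),
    [string]$ProxyHost = 'wap2.contoso.com'
)

function Get-RequiredAdfsSanNames {
    param([string]$ServiceName, [string[]]$Suffixes)
    # Service name itself, certauth.<service> for user certificate authentication,
    # enterpriseregistration.<UPN suffix> for device registration / pre-Windows 10 modern auth
    $names = @($ServiceName, "certauth.$ServiceName")
    foreach ($s in $Suffixes) { $names += "enterpriseregistration.$s" }
    return $names
}

function Test-AdfsCertificateSans {
    param([string]$ServiceName, [string[]]$Suffixes)
    $required = Get-RequiredAdfsSanNames -ServiceName $ServiceName -Suffixes $Suffixes
    # The slide expects the CN to match the service name; pick the newest such certificate
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$ServiceName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { Write-Warning "No certificate with CN=$ServiceName in LocalMachine\My"; return $false }
    $present = @($cert.DnsNameList | ForEach-Object { $_.Unicode.ToLowerInvariant() })
    $ok = $true
    foreach ($name in $required) {
        if ($present -contains $name.ToLowerInvariant()) { Write-Host "OK      SAN $name" }
        else { Write-Host "MISSING SAN $name"; $ok = $false }
    }
    return $ok
}

function Test-AdfsProxyPorts {
    param([string]$TargetHost)
    # TCP 443 is mandatory; TCP 49443 is only needed when certauth on 443 is not enabled
    $ok = $true
    foreach ($port in 443, 49443) {
        $r = Test-NetConnection -ComputerName $TargetHost -Port $port -WarningAction SilentlyContinue
        $state = if ($r.TcpTestSucceeded) { 'open' } else { 'closed' }
        Write-Host "TCP $port on $TargetHost : $state"
        if ($port -eq 443 -and -not $r.TcpTestSucceeded) { $ok = $false }
    }
    return $ok
}

$sanOk  = Test-AdfsCertificateSans -ServiceName $FederationServiceName -Suffixes $UpnSuffixes
$portOk = Test-AdfsProxyPorts -TargetHost $ProxyHost
Write-Host "Certificate SANs complete: $sanOk; HTTPS reachable on proxy: $portOk"
```

A closed 49443 is only a finding if certificate authentication on port 443 has not been enabled on the farm.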
AD FS Capacity Planning
High Availability for AD FS
Why HA is essential
- Federated sources are not accessible when AD FS fails or is not reachable
Load Balancing
- Use a simple Load Balancing solution
High Availability for AD FS: Azure for Disaster Recovery
- Diagram: AD DS (1x), AAD Connect (1x), AD FS (1x), AD FS Proxy (2x); on-premises AD DS, AD FS and AD FS Proxy connected to the Azure environment over a VPN tunnel
High Availability for AD FS: Azure Only
- Diagram: AD DS (1x), AAD Connect (1x), AD FS (1x), AD FS Proxy (2x) in Azure; on-premises AD DS connected over a VPN tunnel
Best Practices for AD FS
Questions
Thomas Stensitzki
Expert
Granikos GmbH & Co. KG
MCSM Messaging, MCM: Exchange 2010
MCT, MCSE, MCITP, MCTS, MCSA, MCSA:M
E-Mail: thomas.stensitzki@granikos.eu
Web: http://www.Granikos.eu
Blog: http://blog.Granikos.eu
Blog: http://JustCantGetEnough.Granikos.eu