AD FS Workshop | Part 1 | Quick Overview

Page 1: Active Directory Federation Services

Thomas Stensitzki

Page 2: AD FS | Quick Overview

Page 3: What is AD FS

AD FS = Active Directory Federation Services. AD FS provides the infrastructure that enables a user to authenticate in one network and use a secure service or application in another network.

Authentication methods

Resources accessed from outside the corporate network
- Forms authentication
- Certificate authentication | Smart Card, Soft Certificate

Resources accessed from inside the corporate network
- Windows Authentication

Device authentication can provide a secondary authentication method when multi-factor authentication (MFA) is required.

Page 4: AD FS Versions

AD FS 1.0 was originally released as a Windows component with Windows Server 2003 R2. AD FS 1.1 was released with Windows Server 2008 and Windows Server 2008 R2 as an installable server role. AD FS 2.0 was released as an installable download for Windows Server 2008 SP2 or above. AD FS 2.1 was released with Windows Server 2012 as an installable server role. AD FS 3.0 is an installable server role on Windows Server 2012 R2. AD FS 3.0 does not require a separate IIS install and it includes a new AD FS proxy role called the Web Application Proxy. AD FS 4.0 was released with Windows Server 2016.

Page 5: How AD FS works

Security token service (STS) infrastructure
- Active Directory Federation Services
- Shibboleth Identity Provider
- Third-party Identity Providers

AD FS and AAD Connect
- Account synchronization for federated domain users

AAD Connect, Password Sync and AD FS
- AAD Connect w/o Password Sync does not store password hashes in Azure AD: no failback if AD FS is not available
- AAD Connect w/ Password Sync synchronizes the password hash to Azure AD: convert the federated domain to standard if AD FS is not available

Page 6: Azure AD Federation Compatibility

- Optimal IDM Virtual Identity Server Federation Services
- PingFederate 6.11, 7.2, 8.x
- Centrify
- IBM Tivoli Federated Identity Manager 6.2.2
- SecureAuth IdP 7.2.0
- CA SiteMinder 12.52
- RadiantOne CFS 3.0
- Okta
- OneLogin
- NetIQ Access Manager 4.0.1
- BIG-IP with Access Policy Manager, BIG-IP ver. 11.3x – 11.6x
- VMware Workspace Portal version 2.1
- Sign&go 5.3
- IceWall Federation Version 3.0
- CA Secure Cloud
- Dell One Identity Cloud Access Manager v7.1
- AuthAnvil Single Sign On 4.5
- Sailpoint IdentityNow
- Active Directory Federation Services

Page 7: AD FS Planning Considerations (1)

- Preparation for end devices and browsers
- Placement of AD FS servers and proxies
- Appropriate internal network topologies for farms/proxies
- Check AD for non-supported characters and invalid data
- Preparation of DNS host name records
- Purchase or issuing of certificates

Page 8: AD FS Planning Considerations (2)

- Configuration of firewalls for AD FS-related ports
  - TCP 443
- Selection of appropriate AD FS database technology
  - Windows Internal Database or SQL Server
- Capacity planning to determine required servers and server specifications
  - Number of users to authenticate, number of relying party trusts
- Planning for AD FS high availability
- Preparation for multifactor authentication
- Planning for access filtering using claims rules

Page 9: AD FS Clients

Microsoft Online Services Sign-In Assistant
- Office 365 Desktop setup
- System Center Configuration Manager
- Manual install

Modern browsers with JScript
- Internet Explorer
- Mozilla Firefox
- Safari

Page 10: ADAL

- ADAL = Active Directory Authentication Library
- ADAL works with OAuth 2.0 to enable more authentication and authorization scenarios
- Utilizes the AD FS infrastructure
- Office 2016 clients support modern authentication by default

Link: How modern authentication works for Office 2013 and Office 2016 client apps

Page 11: AD FS Topologies (1)

Stand-alone server versus server farm
- Always create a server farm, even with one server

Windows Internal Database (WID) versus SQL Server

|                          | 1 - 100 Relying Party (RP) Trusts | More than 100 RP Trusts          |
| 1 - 30 AD FS Nodes       | WID supported                     | WID not supported - SQL required |
| More than 30 AD FS Nodes | WID not supported - SQL required  | WID not supported - SQL required |

Number of Servers

| Number of users  | Minimum number of servers (Source: Microsoft)                                                                           |
| < 1.000          | 0 dedicated federation servers, can co-locate on DC; 0 dedicated federation server proxies, can co-locate on web server |
| 1.000 – 15.000   | 2 dedicated federation servers; 2 dedicated federation server proxies                                                   |
| 15.000 – 60.000  | 3 – 5 dedicated federation servers; min 2 dedicated federation server proxies                                           |

Page 12: AD FS Topologies (2)

AD FS Proxies
- Not mandatory, but recommended for extranet/internet users

Server Placement
- AD FS servers are domain joined and are located in the internal network
- AD FS proxy servers should not be domain joined and are located in the perimeter network

[Diagram: AD FS server placement for fs.contoso.com]
- Internal Network, Federation Server Farm: fs1.lan.contoso.com 172.16.1.1, fs2.lan.contoso.com 172.16.1.2, fs.contoso.com 172.16.1.3 (Internal Users)
- Perimeter Network, AD FS Proxies: wap1.contoso.com 192.0.2.1, wap2.contoso.com 192.0.2.2, fs.contoso.com 192.0.2.3
- fs.contoso.com PUBLIC IP (External Users)
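The farm, database and placement rules from the two topology slides, turned into a design check. This is an added example, not part of the workshop material: the field names and finding texts are this example's own, and the sizing table's ranges are read with inclusive lower bounds.

```python
from dataclasses import dataclass

@dataclass
class AdfsDesign:
    """Proposed AD FS topology; the field names are this example's own."""
    users: int                   # users requiring SSO
    rp_trusts: int               # relying party trusts
    federation_servers: int      # nodes in the federation server farm
    proxies: int                 # AD FS proxies / Web Application Proxy servers
    database: str                # "WID" or "SQL"
    is_farm: bool = True         # deployed as a farm, even with a single node
    extranet_users: bool = True  # users authenticate from outside the corporate network
    proxies_domain_joined: bool = False

def minimum_servers(users):
    """(federation servers, proxies) from the slide's sizing table; None above 60.000 users."""
    if users < 1000:
        return (0, 0)            # may co-locate on a DC / web server
    if users < 15000:
        return (2, 2)
    if users < 60000:
        return (3, 2)            # 3 - 5 federation servers, min 2 proxies
    return None

def wid_supported(federation_servers, rp_trusts):
    """WID only up to 30 nodes and 100 RP trusts; beyond that SQL Server is required."""
    return federation_servers <= 30 and rp_trusts <= 100

def check_design(d):
    """Return the findings for a proposed design; an empty list means it meets the slide's rules."""
    findings = []
    if not d.is_farm:
        findings.append("always create a server farm, even with one server")
    if d.database.upper() == "WID" and not wid_supported(d.federation_servers, d.rp_trusts):
        findings.append("WID not supported for this farm size - SQL Server required")
    sizing = minimum_servers(d.users)
    if sizing is None:
        findings.append("user count exceeds the sizing table - use the capacity planning spreadsheet")
    else:
        if d.federation_servers < sizing[0]:
            findings.append(f"need at least {sizing[0]} dedicated federation servers, have {d.federation_servers}")
        if d.proxies < sizing[1]:
            findings.append(f"need at least {sizing[1]} dedicated federation server proxies, have {d.proxies}")
    if d.extranet_users and d.proxies == 0:
        findings.append("extranet users without proxies - federation servers would be directly reachable")
    if d.proxies and d.proxies_domain_joined:
        findings.append("AD FS proxy servers should not be domain joined")
    return findings
# Constructed sample: 20.000 users, 150 RP trusts, a two-node WID farm behind two proxies
SAMPLE = AdfsDesign(users=20000, rp_trusts=150, federation_servers=2, proxies=2, database="WID")
```

Running `check_design(SAMPLE)` reports two findings: the WID farm needs SQL Server because of the 150 RP trusts, and the 20.000-user population calls for at least three dedicated federation servers.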

Page 13: AD FS Requirements (1)

Active Directory
- Domain controllers running Windows Server 2008 or later
- Windows Server 2016 domain controller for Microsoft Passport
- Account domain and AD FS server domain must be operating at domain functional level (DFL) Windows Server 2003
- User account client certificate authentication requires DFL Windows Server 2008
- Check on-premises Active Directory for UPN domain
- Remediate UPN for invalid characters

DNS and namespaces
- Namespace planning, e.g. sts, fs or adfs
- All clients must be able to resolve either the internal or the external AD FS service name
- Windows Integrated authentication requires a DNS A record, not a CNAME record
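A UPN remediation check for the two Active Directory bullets above (UPN domain and invalid characters), as an added example that is not part of the slides. The permitted character set, the length limits and the "no period before @" rule are this example's assumptions based on Microsoft's published directory synchronization requirements; the sample UPNs are constructed.

```python
import re

# Characters Microsoft permits in the UPN prefix for directory synchronization to Azure AD
# (assumption of this example, taken from the published directory-sync requirements, not from the slide)
UPN_PREFIX_RE = re.compile(r"^[A-Za-z0-9'._!#^~-]+$")
MAX_PREFIX, MAX_SUFFIX = 64, 48

def check_upn(upn, verified_domains):
    """Return remediation findings for one UPN; an empty list means no remediation is needed."""
    if upn.count("@") != 1:
        return ["UPN must contain exactly one '@'"]
    prefix, suffix = upn.split("@")
    findings = []
    if not prefix:
        findings.append("empty UPN prefix")
    elif not UPN_PREFIX_RE.match(prefix):
        bad = sorted({c for c in prefix if not UPN_PREFIX_RE.match(c)})
        findings.append(f"invalid characters in prefix: {''.join(bad)!r}")
    if prefix.endswith("."):
        findings.append("prefix must not end with a period directly before '@'")
    if len(prefix) > MAX_PREFIX:
        findings.append(f"prefix longer than {MAX_PREFIX} characters")
    if len(suffix) > MAX_SUFFIX:
        findings.append(f"suffix longer than {MAX_SUFFIX} characters")
    if suffix.lower() not in {d.lower() for d in verified_domains}:
        findings.append(f"suffix {suffix!r} is not a verified Azure AD domain")
    return findings

def audit_upns(upns, verified_domains):
    """Map each UPN that needs remediation to its findings; clean UPNs are omitted."""
    report = {}
    for upn in upns:
        findings = check_upn(upn, verified_domains)
        if findings:
            report[upn] = findings
    return report

# Constructed sample export of on-premises UPNs and the domains verified in Azure AD
SAMPLE_UPNS = [
    "jane.doe@contoso.com",         # clean
    "john doe@contoso.com",         # space in prefix
    "b.smith.@contoso.com",         # period directly before '@'
    "svc_backup@contoso.local",     # non-routable suffix, cannot be verified
    "a.lee@contoso.com@contoso.com",
]
VERIFIED_DOMAINS = ["contoso.com"]
```

`audit_upns(SAMPLE_UPNS, VERIFIED_DOMAINS)` lists the four accounts that need fixing before directory synchronization and the reason for each.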

Page 14: AD FS Requirements (2)

Certificates
- Same SSL certificate for AD FS and Web Application Proxies
- Common name of the certificate should match the service name
- User certificate authentication requires certauth.[federation service name] as SAN
- Device registration or modern authentication for pre-Windows 10 clients requires enterpriseregistration.[UPN suffix] as SAN

Network
- Firewall policy to allow HTTPS on TCP 443
- Client user certificate authentication requires TCP 49443 to the Web Application Proxy, if certauth on 443 is not enabled

Database
- Windows Internal Database
- SQL Server 2008 or higher
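The certificate rules above (common name equals the service name, certauth and enterpriseregistration SANs) as a pre-request check, added here as an example that is not from the slides. Function names, the wildcard-matching helper and the sample certificate contents are this example's own; the wildcard rule is the usual single-label match.

```python
def required_names(service_name, upn_suffixes=(), user_cert_auth=False, device_registration=False):
    """Host names the AD FS / Web Application Proxy certificate must cover, per the slide's rules."""
    names = {service_name.lower()}                       # common name should match the service name
    if user_cert_auth:
        names.add(f"certauth.{service_name}".lower())     # user certificate authentication
    if device_registration:                              # device registration / modern auth, pre-Windows 10
        names.update(f"enterpriseregistration.{s}".lower() for s in upn_suffixes)
    return names

def san_covers(san, host):
    """True if a SAN entry covers the host: exact match, or a wildcard matching one label only."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        return host.count(".") == san.count(".") and host.endswith(san[1:])
    return san == host

def missing_names(cert_sans, required):
    """Required names that no SAN entry covers."""
    return {h for h in required if not any(san_covers(s, h) for s in cert_sans)}

def check_certificate(subject_cn, cert_sans, service_name, **options):
    """Findings for a candidate certificate; an empty list means it satisfies the slide's requirements."""
    findings = []
    if subject_cn.lower() != service_name.lower():
        findings.append(f"common name {subject_cn!r} does not match service name {service_name!r}")
    for host in sorted(missing_names(cert_sans, required_names(service_name, **options))):
        findings.append(f"missing SAN: {host}")
    return findings

# Constructed sample: federation service fs.contoso.com with two UPN suffixes, user certificate
# authentication and device registration enabled; the second UPN suffix was forgotten on the request
SERVICE = "fs.contoso.com"
OPTIONS = dict(upn_suffixes=["contoso.com", "fabrikam.com"], user_cert_auth=True, device_registration=True)
SAMPLE_SANS = ["fs.contoso.com", "certauth.fs.contoso.com", "enterpriseregistration.contoso.com"]
```

Note that a `*.contoso.com` wildcard certificate covers `fs.contoso.com` and `enterpriseregistration.contoso.com` but not `certauth.fs.contoso.com`, which sits one label deeper.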

Page 15: AD FS Capacity Planning

AD FS Capacity Planning Sizing Spreadsheet:
- Number of users requiring SSO access
- Number of users sending authentication requests (peak)
- Duration of peak usage period
- Geo redundancy information
- AD FS Proxy information

Link: AD FS 2016 Capacity Planning Spreadsheet

Page 16: High Availability for AD FS

Why HA is essential
- Federated sources are not accessible when AD FS fails or is not reachable

Load Balancing
- Use a simple load balancing solution

Protecting SQL Server
- SQL Cluster
- SQL failover partner

Office 365 Adapter for Windows Azure Virtual Machines
- White paper: Office 365 Adapter - Deploying Office 365 single sign-on using Azure Virtual Machines
  https://technet.microsoft.com/en-us/library/dn509539.aspx
- Deployment scenarios for Office 365 with single sign-on and Azure
  https://technet.microsoft.com/en-us/library/dn509537.aspx

Page 17: High Availability for AD FS – Azure for Disaster Recovery

[Diagram: on-premises Internal Network (1x AD DS, 1x AADConnect, 1x AD FS) and Perimeter Network (2x AD FS Proxy), connected through a VPN Tunnel to Azure; the Azure side is labelled AD DS, AD FS, AADConnect, AD FS, AD FS Proxy, AD FS Proxy]

Page 18: High Availability for AD FS – Azure Only

[Diagram: Internal Network (1x AD DS, 1x AADConnect, 1x AD FS) and Perimeter Network (2x AD FS Proxy) hosted in Azure, connected through a VPN Tunnel to the on-premises AD DS]

Page 19: Best Practices for AD FS

- Plan for AD FS proxy servers
- Avoid having federation servers directly accessible on the Internet
- Prepare DNS
  - Split DNS requires proper DNS zone maintenance
- Networking, firewall, and security design
- Ensure the certificate export includes the private key

Page 20: Questions

Thomas Stensitzki
Expert
Granikos GmbH & Co. KG
MCSM Messaging, MCM: Exchange 2010, MCT, MCSE, MCITP, MCTS, MCSA, MCSA:M

E-Mail: [email protected]
Web: http://www.Granikos.eu
Blog: http://blog.Granikos.eu
Blog: http://JustCantGetEnough.Granikos.eu