AD FS Workshop | Part 1 | Quick Overview

Granikos GmbH & Co. KG
Granikos GmbH & Co. KGGranikos GmbH & Co. KG
Active Directory Federation Services Thomas Stensitzki
AD FS | Quick Overview Page  2
What is AD FS  AD FS  Active Directory Federation Services  AD FS provides the infrastructure that enables a user to authenticate in one network and use a secure service or application in another network  Authentication Methods - Resources accessed from outside the corporate network - Forms authentication - Certificate authentication | Smart Card, Soft Certificate - Resources accessed from inside the corporate network - Windows Authentication  Device authentication can provide a secondary authentication method when multi-factor authentication (MFA) is required Page  3
AD FS Versions  AD FS 1.0 was originally released as a Windows component with Windows Server 2003 R2.  AD FS 1.1 was released with Windows Server 2008 and Windows Server 2008 R2, as an installable server role.  AD FS 2.0 was released as an installable download for Windows Server 2008 SP2 or above.  AD FS 2.1 was released with Windows Server 2012 as an installable server role.  AD FS 3.0 is an installable server role on Windows Server 2012 R2. AD FS 3.0 does not require a separate IIS install and it includes a new AD FS proxy role called the Web Application Proxy.  AD FS 4.0 released with Windows Server 2016 Page  4
How AD FS works  Security token service (STS) infrastructure - Active Directory Federation Services - Shibboleth Identity Provider - Third-Party Identity Providers  AD FS and AAD Connect - Account synchronization for federated domain users  AAD Connect, Password Sync and AD FS - AAD Connect w/o Password Sync does not store password hashes in Azure AD  No failback, if AD FS is not available - AAD Connect w/ Password Sync synchronizes password hash to Azure AD  Convert federated domain to standard, if AD FS is not available Page  5
Azure AD Federation Compatibility - Optimal IDM Virtual Identity Server Federation Services - PingFederate 6.11, 7.2, 8.x - Centrify - IBM Tivoli Federated Identity Manager 6.2.2 - SecureAuth IdP 7.2.0 - CA SiteMinder 12.52 - RadiantOne CFS 3.0 - Okta - OneLogin - NetIQ Access Manager 4.0.1 - BIG-IP with Access Policy Manager BIG-IP ver. 11.3x – 11.6x - VMware Workspace Portal version 2.1 - Sign&go 5.3 - IceWall Federation Version 3.0 - CA Secure Cloud - Dell One Identity Cloud Access Manager v7.1 - AuthAnvil Single Sign On 4.5 - Sailpoint IdentityNow Active Directory Federation Services Page  6
AD FS Planning Considerations (1)  Preparation for end devices and browsers  Placement of AD FS servers and proxies  Appropriate internal network topologies for farms/proxies  Check AD for non-supported characters, and invalid data  Preparation of DNS host names records  Purchase or issuing of certificates Page  7
AD FS Planning Considerations (2)  Configuration of firewalls for AD FS-related ports - TCP 443  Selection of appropriate AD FS database technology - Windows Internal Database or SQL Server  Capacity planning to determine required servers, and server specifications - Number users to authenticate, number of relying party trusts  Planning for AD FS High Availability  Preparation for multifactor authentication  Planning for access filtering using claims rules Page  8
AD FS Clients  Microsoft Online Services Sign-In Assistant - Office 365 Desktop setup - System Center Configuration Manager - Manual install  Modern Browsers with JScript - Internet Explorer - Mozilla Firefox - Safari Page  9
ADAL  ADAL  Active Directory Authentication Library  ADAL works with OAuth 2.0 to enable more authentication and authorization scenarios  Utilizes AD FS Infrastructure  Office 2016 clients support modern authentication by default Link: How modern authentication works for Office 2013 and Office 2016 client apps Page  10
AD FS Topologies (1)  Stand-alone server versus server farm - Always create a server farm, even with one server  Windows Internal Database (WID) versus SQL Server  Number of Servers Page  11 1 - 100 Relying Party (RP) Trusts More than 100 RP Trusts 1 - 30 AD FS Nodes WID Supported WID not supported - SQL Required More than 30 AD FS Nodes WID not supported - SQL Required WID not supported - SQL Required Number of users Minimum number of servers (Source: Microsoft) < 1.000 0 dedicated federation server, can co-locate on DC 0 dedicated federation server proxy, can co-locate on web server 1.000 – 15.000 2 dedicated federation servers 2 dedicated federation server proxies 15.000 – 60.000 3 – 5 dedicated federation servers Min 2 dedicated federation server proxies
AD FS Topologies (2)  AD FS Proxies - Not mandatory but recommended for extranet/internet users  Server Placement - AD FS servers are domain joined are located in the internal network - AD FS proxy servers should not be domain joined and are located in the perimeter network fs.contoso.com 172.16.1.3 wap1.contoso.com 192.0.2.1 wap2.contoso.com 192.0.2.2 AD FS Proxies Perimeter Network fs.contoso.com 192.0.2.3 fs2.lan.contoso.com 172.16.1.2 Federation Server Farm Internal Network fs1.lan.contoso.com 172.16.1.1 fs.contoso.com PUBLIC IP Internal Users ExternalUsers
AD FS Requirements (1)  Active Directory - Domain controllers running Windows Server 2008 or later - Windows Server 2016 domain controller for Microsoft Passport - Account domain and AD FS server domain must be operating at DFL Windows Server 2003 - User account client certificate authentication requires DFL Windows Server 2008 - Check on-premises Active Directory for UPN domain - Remediate UPN for invalid characters  DNS and namespaces - Namespace planning, e.g. sts, fs or adfs - All clients must be able to resolve either internal or external AD FS service name - Windows Integrated authentication requires a DNS A record, not a CNAME record Page  13
AD FS Requirements (2)  Certificates - Same SSL certificate for AD FS and Web Application proxies - Common name of the certificate should match the service name - User certificate authentication requires certauth.[federation service name] as SAN - Device registration or modern authentication for pre-Windows 10 clients requires enterpriseregistration.[UPN suffix] as SAN]  Network - Firewall policy to allow HTTPS on TCP 443 - Client user certificate authentication requires TCP 49443 to Web Application proxy, if certauth on 443 is not enabled  Database - Windows Internal Database - SQL Server 2008 or higher Page  14
AD FS Capacity Planning  AD FS Capacity Planning Sizing Spreadsheet: - Number of users requiring SSO access - Number of users sending authentication requests (peak) - Duration of peak usage period - Geo redundancy information - AD FS Proxy information Link: AD FS 2016 Capacity Planning Spreadsheet Page  15
High Availability for AD FS  Why HA is essential - Federated sources are not accessible when AD FS fails or is not reachable  Load Balancing - Use a simple Load Balancing solution  Protecting SQL Server - SQL Cluster - SQL failover partner  Office 365 Adapter for Windows Azure Virtual Machines - White paper: Office 365 Adapter - Deploying Office 365 single sign-on using Azure Virtual Machines https://technet.microsoft.com/en-us/library/dn509539.aspx - Deployment scenarios for Office 365 with single sign-on and Azure https://technet.microsoft.com/en-us/library/dn509537.aspx Page  16
High Availability for AD FS – Azure for Disaster Recovery Page  17 VPNTunnel AD DS 1x AAD Connect 1x AD FS 1x AD FS Proxy 2x AD DS AD FS AAD Connect AD FS AD FS Proxy AD FS Proxy
High Availability for AD FS – Azure Only Page  18 VPNTunnel AD DS 1x AAD Connect 1x AD FS 1x AD FS Proxy 2x AD DS
Best Practices for AD FS  Plan for AD FS proxy servers  Avoid having federation servers directly accessible on the Internet  Prepare DNS - Split DNS requires proper DNS zone maintenance  Networking, firewall, and security design  Ensure certificates export includes private key Page  19
Page  20 Questions Thomas Stensitzki Expert Granikos GmbH & Co. KG MCSM Messaging, MCM: Exchange 2010 MCT, MCSE, MCITP, MCTS, MCSA, MCSA:M E-Mail: thomas.stensitzki@granikos.eu Web: http://www.Granikos.eu Blog: http://blog.Granikos.eu Blog: http://JustCantGetEnough.Granikos.eu
1 of 20

AD FS Workshop | Part 1 | Quick Overview

Download to read offline
Technology

This slidedeck provides a quick overview about Active Directory Federation Services technology for federated authentication with Office 365 and other relying parties.

Granikos GmbH & Co. KG
Granikos GmbH & Co. KGGranikos GmbH & Co. KG

Recommended

Adfs azure by
Adfs azureAdfs azure
Adfs azureJethro Seghers
862 views34 slides
Office 365-single-sign-on-with-adfs by
Office 365-single-sign-on-with-adfsOffice 365-single-sign-on-with-adfs
Office 365-single-sign-on-with-adfsamitchachra
5.4K views35 slides
Directory Synchronization Single Sign-On in Office 365 by
Directory Synchronization Single Sign-On in Office 365Directory Synchronization Single Sign-On in Office 365
Directory Synchronization Single Sign-On in Office 365InnoTech
2.4K views24 slides
Adfs Shib Interop Um Oxford by
Adfs Shib Interop Um OxfordAdfs Shib Interop Um Oxford
Adfs Shib Interop Um Oxfordguestd9aa5
962 views14 slides
Web Center Services and Framework by
Web Center Services and FrameworkWeb Center Services and Framework
Web Center Services and FrameworkJaime Cid
1.7K views48 slides
O365-AzureAD Identity management by
O365-AzureAD Identity managementO365-AzureAD Identity management
O365-AzureAD Identity managementDavid Pechon
285 views37 slides

More Related Content

What's hot

OFM AIA FP Implementation View and Case Study by
OFM AIA FP Implementation View and Case StudyOFM AIA FP Implementation View and Case Study
OFM AIA FP Implementation View and Case StudySreenivasa Setty
1.8K views41 slides
Troubleshooting Federation, ADFS, and More by
Troubleshooting Federation, ADFS, and More Troubleshooting Federation, ADFS, and More
Troubleshooting Federation, ADFS, and More Microsoft TechNet - Belgium and Luxembourg
10.1K views27 slides
How to provide AD, ADFS, DirSync in Windows Azure and hook it up with Office 365 by
How to provide AD, ADFS, DirSync in Windows Azure and hook it up with Office 365How to provide AD, ADFS, DirSync in Windows Azure and hook it up with Office 365
How to provide AD, ADFS, DirSync in Windows Azure and hook it up with Office 365Microsoft TechNet - Belgium and Luxembourg
7.2K views34 slides
Colabora.dk - Azure PTA vs ADFS vs Desktop SSO by
Colabora.dk - Azure PTA vs ADFS vs Desktop SSOColabora.dk - Azure PTA vs ADFS vs Desktop SSO
Colabora.dk - Azure PTA vs ADFS vs Desktop SSOPeter Selch Dahl
861 views36 slides
How to deploy SharePoint 2010 to external users? by
How to deploy SharePoint 2010 to external users?How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?rlsoft
18.7K views58 slides
SOA - From Webservices to APIs by
SOA - From Webservices to APIsSOA - From Webservices to APIs
SOA - From Webservices to APIsHolger Reinhardt
602 views18 slides

What's hot(20)

OFM AIA FP Implementation View and Case Study by Sreenivasa Setty
OFM AIA FP Implementation View and Case StudyOFM AIA FP Implementation View and Case Study
OFM AIA FP Implementation View and Case Study
Sreenivasa Setty1.8K views
Troubleshooting Federation, ADFS, and More by Microsoft TechNet - Belgium and Luxembourg
Troubleshooting Federation, ADFS, and More Troubleshooting Federation, ADFS, and More
Troubleshooting Federation, ADFS, and More
Microsoft TechNet - Belgium and Luxembourg10.1K views
How to provide AD, ADFS, DirSync in Windows Azure and hook it up with Office 365 by Microsoft TechNet - Belgium and Luxembourg
How to provide AD, ADFS, DirSync in Windows Azure and hook it up with Office 365How to provide AD, ADFS, DirSync in Windows Azure and hook it up with Office 365
How to provide AD, ADFS, DirSync in Windows Azure and hook it up with Office 365
Microsoft TechNet - Belgium and Luxembourg7.2K views
Colabora.dk - Azure PTA vs ADFS vs Desktop SSO by Peter Selch Dahl
Colabora.dk - Azure PTA vs ADFS vs Desktop SSOColabora.dk - Azure PTA vs ADFS vs Desktop SSO
Colabora.dk - Azure PTA vs ADFS vs Desktop SSO
Peter Selch Dahl861 views
How to deploy SharePoint 2010 to external users? by rlsoft
How to deploy SharePoint 2010 to external users?How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?
rlsoft18.7K views
SOA - From Webservices to APIs by Holger Reinhardt
SOA - From Webservices to APIsSOA - From Webservices to APIs
SOA - From Webservices to APIs
Holger Reinhardt602 views
ibm websphere admin training | websphere admin course | ibm websphere adminis... by Nancy Thomas
ibm websphere admin training | websphere admin course | ibm websphere adminis...ibm websphere admin training | websphere admin course | ibm websphere adminis...
ibm websphere admin training | websphere admin course | ibm websphere adminis...
Nancy Thomas486 views
DataPower Restful API Security by Jagadish Vemugunta
DataPower Restful API SecurityDataPower Restful API Security
DataPower Restful API Security
Jagadish Vemugunta7K views
IdP, SAML, OAuth by Dan Brinkmann
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
Dan Brinkmann14.2K views
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec... by Brian Culver
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
Brian Culver9.3K views
24 Hours Of Exchange Server 2007 ( Part 16 Of 24) by Harold Wong
24 Hours Of Exchange Server 2007 ( Part 16 Of 24)24 Hours Of Exchange Server 2007 ( Part 16 Of 24)
24 Hours Of Exchange Server 2007 ( Part 16 Of 24)
Harold Wong564 views
SharePoint Intersections - SP09 - Introduction to SharePoint 2013 for IT Pros by Dan Usher
SharePoint Intersections - SP09 - Introduction to SharePoint 2013 for IT ProsSharePoint Intersections - SP09 - Introduction to SharePoint 2013 for IT Pros
SharePoint Intersections - SP09 - Introduction to SharePoint 2013 for IT Pros
Dan Usher2.5K views
InfoTRAMS - Czy platforma Microsoft Azure jest biznoseow bezpieczna? by Tobias Koprowski
InfoTRAMS - Czy platforma Microsoft Azure jest biznoseow bezpieczna?InfoTRAMS - Czy platforma Microsoft Azure jest biznoseow bezpieczna?
InfoTRAMS - Czy platforma Microsoft Azure jest biznoseow bezpieczna?
Tobias Koprowski418 views
Download It by webhostingguy
Download ItDownload It
Download It
webhostingguy873 views
EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On by Peter Selch Dahl
EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-OnEWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On
EWUG - Azure AD Pass-through Authentication and Seamless Single Sign-On
Peter Selch Dahl2.3K views
Syn framework 4.0 and sql server by Eduardo Castro
Syn framework 4.0 and sql serverSyn framework 4.0 and sql server
Syn framework 4.0 and sql server
Eduardo Castro1.8K views
Windows Server 2008 for Developers - Part 1 by ukdpe
Windows Server 2008 for Developers - Part 1Windows Server 2008 for Developers - Part 1
Windows Server 2008 for Developers - Part 1
ukdpe626 views
Microservices and Self-contained System to Scale Agile by Eberhard Wolff
Microservices and Self-contained System to Scale AgileMicroservices and Self-contained System to Scale Agile
Microservices and Self-contained System to Scale Agile
Eberhard Wolff1.9K views
Intorduction to Datapower by Shilpin Pvt. Ltd.
Intorduction to DatapowerIntorduction to Datapower
Intorduction to Datapower
Shilpin Pvt. Ltd.18.6K views
Enter The Matrix Securing Azure’s Assets by BizTalk360
Enter The Matrix Securing Azure’s AssetsEnter The Matrix Securing Azure’s Assets
Enter The Matrix Securing Azure’s Assets
BizTalk3601.8K views

Viewers also liked

12 Tips & Tricks from Social Marketing Experts by
12 Tips & Tricks from Social Marketing Experts12 Tips & Tricks from Social Marketing Experts
12 Tips & Tricks from Social Marketing ExpertsOfferpop
12.1K views13 slides
Ad fs by
Ad fsAd fs
Ad fsIván Sanchez Vera
2K views49 slides
Office 365 Migrationsstrategien by
Office 365 MigrationsstrategienOffice 365 Migrationsstrategien
Office 365 MigrationsstrategienThomas Stensitzki
1.1K views39 slides
Windows Azure Active Directory by
Windows Azure Active DirectoryWindows Azure Active Directory
Windows Azure Active DirectoryPavel Revenkov
1.6K views12 slides
Lean Usability Testing by
Lean Usability TestingLean Usability Testing
Lean Usability TestingVincent Baskerville
1.7K views30 slides
Mobilis in mobile by
Mobilis in mobileMobilis in mobile
Mobilis in mobileAndrea Resmini
1.6K views75 slides

Viewers also liked(19)

12 Tips & Tricks from Social Marketing Experts by Offerpop
12 Tips & Tricks from Social Marketing Experts12 Tips & Tricks from Social Marketing Experts
12 Tips & Tricks from Social Marketing Experts
Offerpop12.1K views
Ad fs by Iván Sanchez Vera
Ad fsAd fs
Ad fs
Iván Sanchez Vera2K views
Office 365 Migrationsstrategien by Thomas Stensitzki
Office 365 MigrationsstrategienOffice 365 Migrationsstrategien
Office 365 Migrationsstrategien
Thomas Stensitzki1.1K views
Windows Azure Active Directory by Pavel Revenkov
Windows Azure Active DirectoryWindows Azure Active Directory
Windows Azure Active Directory
Pavel Revenkov1.6K views
Lean Usability Testing by Vincent Baskerville
Lean Usability TestingLean Usability Testing
Lean Usability Testing
Vincent Baskerville1.7K views
Mobilis in mobile by Andrea Resmini
Mobilis in mobileMobilis in mobile
Mobilis in mobile
Andrea Resmini1.6K views
Stanford CS193P - Designing for iPad by Evan Doll
Stanford CS193P - Designing for iPadStanford CS193P - Designing for iPad
Stanford CS193P - Designing for iPad
Evan Doll46.2K views
UADIGITALS 2017 Lead9 always on! by Elena Peday
UADIGITALS 2017 Lead9 always on!UADIGITALS 2017 Lead9 always on!
UADIGITALS 2017 Lead9 always on!
Elena Peday130 views
Finnish technology industry, March 2017 by TechFinland
Finnish technology industry, March 2017Finnish technology industry, March 2017
Finnish technology industry, March 2017
TechFinland419 views
Acc 304 week 9 quiz – strayer new by ninfaames
Acc 304 week 9 quiz – strayer newAcc 304 week 9 quiz – strayer new
Acc 304 week 9 quiz – strayer new
ninfaames333 views
Características TIC by Maesanpa profestic
Características TICCaracterísticas TIC
Características TIC
Maesanpa profestic146 views
1 s2.0-s0016003213003104-main by Ramalakshmi Vijay
1 s2.0-s0016003213003104-main1 s2.0-s0016003213003104-main
1 s2.0-s0016003213003104-main
Ramalakshmi Vijay244 views
The Who, What, Why and How of Active Directory Federation Services (AD FS) by Jay Simcox
The Who, What, Why and How of Active Directory Federation Services (AD FS)The Who, What, Why and How of Active Directory Federation Services (AD FS)
The Who, What, Why and How of Active Directory Federation Services (AD FS)
Jay Simcox1.9K views
Mitos sociedad información by Roooma182212
Mitos sociedad informaciónMitos sociedad información
Mitos sociedad información
Roooma182212165 views
Phases of clinical trials by Vharshini Manoharan
Phases of clinical trialsPhases of clinical trials
Phases of clinical trials
Vharshini Manoharan111.4K views
157 Mobile App Stats You Should Know About by Stuart Dredge
157 Mobile App Stats You Should Know About157 Mobile App Stats You Should Know About
157 Mobile App Stats You Should Know About
Stuart Dredge20.8K views
Teatros accesibles. subtitulado y audiodescripción. by José María
Teatros accesibles. subtitulado y audiodescripción.Teatros accesibles. subtitulado y audiodescripción.
Teatros accesibles. subtitulado y audiodescripción.
José María685 views
Everything old is new again by yiibu
Everything old is new againEverything old is new again
Everything old is new again
yiibu82.3K views
Design for Many Devices by jahoni
Design for Many DevicesDesign for Many Devices
Design for Many Devices
jahoni1.8K views

Similar to AD FS Workshop | Part 1 | Quick Overview

Single Sign On using ADFS.pptx by
Single Sign On using ADFS.pptxSingle Sign On using ADFS.pptx
Single Sign On using ADFS.pptxAlireza Vafi
132 views44 slides
Windows server 2012_r2_ by
Windows server 2012_r2_ Windows server 2012_r2_
Windows server 2012_r2_ Hello_World_2016
200 views14 slides
SharePoint 2013 Platform Options - office 365, Azure, On premise by
SharePoint 2013 Platform Options - office 365, Azure, On premiseSharePoint 2013 Platform Options - office 365, Azure, On premise
SharePoint 2013 Platform Options - office 365, Azure, On premiseDavid J Rosenthal
2.1K views1 slide
Análisis de riesgos en Azure y protección de la información by
Análisis de riesgos en Azure y protección de la informaciónAnálisis de riesgos en Azure y protección de la información
Análisis de riesgos en Azure y protección de la informaciónPlain Concepts
510 views49 slides
Azure Virtual Desktop Overview.pptx by
Azure Virtual Desktop Overview.pptxAzure Virtual Desktop Overview.pptx
Azure Virtual Desktop Overview.pptxceyhan1
2.4K views53 slides
SharePoint in the Extranet Joel Oleson by
SharePoint in the Extranet Joel OlesonSharePoint in the Extranet Joel Oleson
SharePoint in the Extranet Joel Olesonwebhostingguy
487 views35 slides

Similar to AD FS Workshop | Part 1 | Quick Overview(20)

Single Sign On using ADFS.pptx by Alireza Vafi
Single Sign On using ADFS.pptxSingle Sign On using ADFS.pptx
Single Sign On using ADFS.pptx
Alireza Vafi132 views
Windows server 2012_r2_ by Hello_World_2016
Windows server 2012_r2_ Windows server 2012_r2_
Windows server 2012_r2_
Hello_World_2016200 views
SharePoint 2013 Platform Options - office 365, Azure, On premise by David J Rosenthal
SharePoint 2013 Platform Options - office 365, Azure, On premiseSharePoint 2013 Platform Options - office 365, Azure, On premise
SharePoint 2013 Platform Options - office 365, Azure, On premise
David J Rosenthal2.1K views
Análisis de riesgos en Azure y protección de la información by Plain Concepts
Análisis de riesgos en Azure y protección de la informaciónAnálisis de riesgos en Azure y protección de la información
Análisis de riesgos en Azure y protección de la información
Plain Concepts510 views
Azure Virtual Desktop Overview.pptx by ceyhan1
Azure Virtual Desktop Overview.pptxAzure Virtual Desktop Overview.pptx
Azure Virtual Desktop Overview.pptx
ceyhan12.4K views
SharePoint in the Extranet Joel Oleson by webhostingguy
SharePoint in the Extranet Joel OlesonSharePoint in the Extranet Joel Oleson
SharePoint in the Extranet Joel Oleson
webhostingguy487 views
Best Practices for Active Directory with AWS Workloads by Amazon Web Services
Best Practices for Active Directory with AWS WorkloadsBest Practices for Active Directory with AWS Workloads
Best Practices for Active Directory with AWS Workloads
Amazon Web Services3.2K views
O365con14 - moving from on-premises to online, the road to follow by NCCOMMS
O365con14 - moving from on-premises to online, the road to followO365con14 - moving from on-premises to online, the road to follow
O365con14 - moving from on-premises to online, the road to follow
NCCOMMS1.9K views
Azure PTA vs ADFS vs Desktop SSO by CoLaboraDK
Azure PTA vs ADFS vs Desktop SSOAzure PTA vs ADFS vs Desktop SSO
Azure PTA vs ADFS vs Desktop SSO
CoLaboraDK527 views
Windows server 2003_r2 by tameemyousaf
Windows server 2003_r2Windows server 2003_r2
Windows server 2003_r2
tameemyousaf1.2K views
Developing and deploying Identity-enabled applications for the cloud by Maarten Balliauw
Developing and deploying Identity-enabled applications for the cloudDeveloping and deploying Identity-enabled applications for the cloud
Developing and deploying Identity-enabled applications for the cloud
Maarten Balliauw1.3K views
Windows Server 2008 R2 Overview by Jaguaraci Silva
Windows Server 2008 R2 OverviewWindows Server 2008 R2 Overview
Windows Server 2008 R2 Overview
Jaguaraci Silva544 views
Windows Server 2008 - Active Directory Components by André Braga
Windows Server 2008 - Active Directory ComponentsWindows Server 2008 - Active Directory Components
Windows Server 2008 - Active Directory Components
André Braga912 views
Best Practices for Integrating Active Directory with AWS Workloads by Amazon Web Services
Best Practices for Integrating Active Directory with AWS WorkloadsBest Practices for Integrating Active Directory with AWS Workloads
Best Practices for Integrating Active Directory with AWS Workloads
Amazon Web Services10K views
Connect your datacenter to Microsoft Azure by K.Mohamed Faizal
Connect your datacenter to Microsoft AzureConnect your datacenter to Microsoft Azure
Connect your datacenter to Microsoft Azure
K.Mohamed Faizal3.8K views
Identity Management for Office 365 and Microsoft Azure by Sparkhound Inc.
Identity Management for Office 365 and Microsoft AzureIdentity Management for Office 365 and Microsoft Azure
Identity Management for Office 365 and Microsoft Azure
Sparkhound Inc.2.5K views
New capabilities for modern data integration in the cloud by Gaurav Malhotra
New capabilities for modern data integration in the cloudNew capabilities for modern data integration in the cloud
New capabilities for modern data integration in the cloud
Gaurav Malhotra106 views
Azure Community Tour 2019 - AZUGDK by Peter Selch Dahl
Azure Community Tour 2019 - AZUGDKAzure Community Tour 2019 - AZUGDK
Azure Community Tour 2019 - AZUGDK
Peter Selch Dahl451 views
ITPROCEED_TransformTheDatacenter_ten most common mistakes when deploying adfs... by ITProceed
ITPROCEED_TransformTheDatacenter_ten most common mistakes when deploying adfs...ITPROCEED_TransformTheDatacenter_ten most common mistakes when deploying adfs...
ITPROCEED_TransformTheDatacenter_ten most common mistakes when deploying adfs...
ITProceed1.2K views
SharePoint on Microsoft Azure by K.Mohamed Faizal
SharePoint on Microsoft AzureSharePoint on Microsoft Azure
SharePoint on Microsoft Azure
K.Mohamed Faizal2.6K views

More from Granikos GmbH & Co. KG

Langzeitarchivierung - Warum ist Archivierung wichtig? by
Langzeitarchivierung - Warum ist Archivierung wichtig?Langzeitarchivierung - Warum ist Archivierung wichtig?
Langzeitarchivierung - Warum ist Archivierung wichtig?Granikos GmbH & Co. KG
1.1K views26 slides
AD FS Workshop | Part 2 | Deep Dive by
AD FS Workshop | Part 2 | Deep DiveAD FS Workshop | Part 2 | Deep Dive
AD FS Workshop | Part 2 | Deep DiveGranikos GmbH & Co. KG
567 views20 slides
Exchange 2013 Site Mailboxes by
Exchange 2013 Site MailboxesExchange 2013 Site Mailboxes
Exchange 2013 Site MailboxesGranikos GmbH & Co. KG
1.1K views16 slides
Modern Anti-Spam Protection - Rejection, no sorting by
Modern Anti-Spam Protection - Rejection, no sortingModern Anti-Spam Protection - Rejection, no sorting
Modern Anti-Spam Protection - Rejection, no sortingGranikos GmbH & Co. KG
513 views18 slides
Modernes Anti-Spam - Abweisen, nicht sortieren by
Modernes Anti-Spam - Abweisen, nicht sortierenModernes Anti-Spam - Abweisen, nicht sortieren
Modernes Anti-Spam - Abweisen, nicht sortierenGranikos GmbH & Co. KG
1.4K views18 slides
Long Time Preservation - The Importance of Archiving by
Long Time Preservation - The Importance of ArchivingLong Time Preservation - The Importance of Archiving
Long Time Preservation - The Importance of ArchivingGranikos GmbH & Co. KG
960 views25 slides

More from Granikos GmbH & Co. KG(6)

Langzeitarchivierung - Warum ist Archivierung wichtig? by Granikos GmbH & Co. KG
Langzeitarchivierung - Warum ist Archivierung wichtig?Langzeitarchivierung - Warum ist Archivierung wichtig?
Langzeitarchivierung - Warum ist Archivierung wichtig?
Granikos GmbH & Co. KG1.1K views
AD FS Workshop | Part 2 | Deep Dive by Granikos GmbH & Co. KG
AD FS Workshop | Part 2 | Deep DiveAD FS Workshop | Part 2 | Deep Dive
AD FS Workshop | Part 2 | Deep Dive
Granikos GmbH & Co. KG567 views
Exchange 2013 Site Mailboxes by Granikos GmbH & Co. KG
Exchange 2013 Site MailboxesExchange 2013 Site Mailboxes
Exchange 2013 Site Mailboxes
Granikos GmbH & Co. KG1.1K views
Modern Anti-Spam Protection - Rejection, no sorting by Granikos GmbH & Co. KG
Modern Anti-Spam Protection - Rejection, no sortingModern Anti-Spam Protection - Rejection, no sorting
Modern Anti-Spam Protection - Rejection, no sorting
Granikos GmbH & Co. KG513 views
Modernes Anti-Spam - Abweisen, nicht sortieren by Granikos GmbH & Co. KG
Modernes Anti-Spam - Abweisen, nicht sortierenModernes Anti-Spam - Abweisen, nicht sortieren
Modernes Anti-Spam - Abweisen, nicht sortieren
Granikos GmbH & Co. KG1.4K views
Long Time Preservation - The Importance of Archiving by Granikos GmbH & Co. KG
Long Time Preservation - The Importance of ArchivingLong Time Preservation - The Importance of Archiving
Long Time Preservation - The Importance of Archiving
Granikos GmbH & Co. KG960 views

Recently uploaded

Voice Logger - Telephony Integration Solution at Aegis by
Voice Logger - Telephony Integration Solution at AegisVoice Logger - Telephony Integration Solution at Aegis
Voice Logger - Telephony Integration Solution at AegisNirmal Sharma
39 views1 slide
Network Source of Truth and Infrastructure as Code revisited by
Network Source of Truth and Infrastructure as Code revisitedNetwork Source of Truth and Infrastructure as Code revisited
Network Source of Truth and Infrastructure as Code revisitedNetwork Automation Forum
27 views45 slides
Piloting & Scaling Successfully With Microsoft Viva by
Piloting & Scaling Successfully With Microsoft VivaPiloting & Scaling Successfully With Microsoft Viva
Piloting & Scaling Successfully With Microsoft VivaRichard Harbridge
12 views160 slides
SUPPLIER SOURCING.pptx by
SUPPLIER SOURCING.pptxSUPPLIER SOURCING.pptx
SUPPLIER SOURCING.pptxangelicacueva6
16 views1 slide
20231123_Camunda Meetup Vienna.pdf by
20231123_Camunda Meetup Vienna.pdf20231123_Camunda Meetup Vienna.pdf
20231123_Camunda Meetup Vienna.pdfPhactum Softwareentwicklung GmbH
41 views73 slides
6g - REPORT.pdf by
6g - REPORT.pdf6g - REPORT.pdf
6g - REPORT.pdfLiveplex
10 views23 slides

Recently uploaded(20)

Voice Logger - Telephony Integration Solution at Aegis by Nirmal Sharma
Voice Logger - Telephony Integration Solution at AegisVoice Logger - Telephony Integration Solution at Aegis
Voice Logger - Telephony Integration Solution at Aegis
Nirmal Sharma39 views
Network Source of Truth and Infrastructure as Code revisited by Network Automation Forum
Network Source of Truth and Infrastructure as Code revisitedNetwork Source of Truth and Infrastructure as Code revisited
Network Source of Truth and Infrastructure as Code revisited
Network Automation Forum27 views
Piloting & Scaling Successfully With Microsoft Viva by Richard Harbridge
Piloting & Scaling Successfully With Microsoft VivaPiloting & Scaling Successfully With Microsoft Viva
Piloting & Scaling Successfully With Microsoft Viva
Richard Harbridge12 views
SUPPLIER SOURCING.pptx by angelicacueva6
SUPPLIER SOURCING.pptxSUPPLIER SOURCING.pptx
SUPPLIER SOURCING.pptx
angelicacueva616 views
20231123_Camunda Meetup Vienna.pdf by Phactum Softwareentwicklung GmbH
20231123_Camunda Meetup Vienna.pdf20231123_Camunda Meetup Vienna.pdf
20231123_Camunda Meetup Vienna.pdf
Phactum Softwareentwicklung GmbH41 views
6g - REPORT.pdf by Liveplex
6g - REPORT.pdf6g - REPORT.pdf
6g - REPORT.pdf
Liveplex10 views
Future of AR - Facebook Presentation by ssuserb54b561
Future of AR - Facebook PresentationFuture of AR - Facebook Presentation
Future of AR - Facebook Presentation
ssuserb54b56115 views
Special_edition_innovator_2023.pdf by WillDavies22
Special_edition_innovator_2023.pdfSpecial_edition_innovator_2023.pdf
Special_edition_innovator_2023.pdf
WillDavies2218 views
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive by Network Automation Forum
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLiveAutomating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Network Automation Forum34 views
Microsoft Power Platform.pptx by Uni Systems S.M.S.A.
Microsoft Power Platform.pptxMicrosoft Power Platform.pptx
Microsoft Power Platform.pptx
Uni Systems S.M.S.A.53 views
TouchLog: Finger Micro Gesture Recognition Using Photo-Reflective Sensors by sugiuralab
TouchLog: Finger Micro Gesture Recognition Using Photo-Reflective SensorsTouchLog: Finger Micro Gesture Recognition Using Photo-Reflective Sensors
TouchLog: Finger Micro Gesture Recognition Using Photo-Reflective Sensors
sugiuralab21 views
PRODUCT PRESENTATION.pptx by angelicacueva6
PRODUCT PRESENTATION.pptxPRODUCT PRESENTATION.pptx
PRODUCT PRESENTATION.pptx
angelicacueva615 views
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ... by Jasper Oosterveld
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...
Jasper Oosterveld19 views
Kyo - Functional Scala 2023.pdf by Flavio W. Brasil
Kyo - Functional Scala 2023.pdfKyo - Functional Scala 2023.pdf
Kyo - Functional Scala 2023.pdf
Flavio W. Brasil400 views
Uni Systems for Power Platform.pptx by Uni Systems S.M.S.A.
Uni Systems for Power Platform.pptxUni Systems for Power Platform.pptx
Uni Systems for Power Platform.pptx
Uni Systems S.M.S.A.56 views
Five Things You SHOULD Know About Postman by Postman
Five Things You SHOULD Know About PostmanFive Things You SHOULD Know About Postman
Five Things You SHOULD Know About Postman
Postman36 views
PharoJS - Zürich Smalltalk Group Meetup November 2023 by Noury Bouraqadi
PharoJS - Zürich Smalltalk Group Meetup November 2023PharoJS - Zürich Smalltalk Group Meetup November 2023
PharoJS - Zürich Smalltalk Group Meetup November 2023
Noury Bouraqadi132 views
Mini-Track: AI and ML in Network Operations Applications by Network Automation Forum
Mini-Track: AI and ML in Network Operations ApplicationsMini-Track: AI and ML in Network Operations Applications
Mini-Track: AI and ML in Network Operations Applications
Network Automation Forum10 views
Powerful Google developer tools for immediate impact! (2023-24) by wesley chun
Powerful Google developer tools for immediate impact! (2023-24)Powerful Google developer tools for immediate impact! (2023-24)
Powerful Google developer tools for immediate impact! (2023-24)
wesley chun10 views
Case Study Copenhagen Energy and Business Central.pdf by Aitana
Case Study Copenhagen Energy and Business Central.pdfCase Study Copenhagen Energy and Business Central.pdf
Case Study Copenhagen Energy and Business Central.pdf
Aitana16 views

AD FS Workshop | Part 1 | Quick Overview

  • 1. Active Directory Federation Services Thomas Stensitzki
  • 2. AD FS | Quick Overview Page  2
  • 3. What is AD FS  AD FS  Active Directory Federation Services  AD FS provides the infrastructure that enables a user to authenticate in one network and use a secure service or application in another network  Authentication Methods - Resources accessed from outside the corporate network - Forms authentication - Certificate authentication | Smart Card, Soft Certificate - Resources accessed from inside the corporate network - Windows Authentication  Device authentication can provide a secondary authentication method when multi-factor authentication (MFA) is required Page  3
  • 4. AD FS Versions  AD FS 1.0 was originally released as a Windows component with Windows Server 2003 R2.  AD FS 1.1 was released with Windows Server 2008 and Windows Server 2008 R2, as an installable server role.  AD FS 2.0 was released as an installable download for Windows Server 2008 SP2 or above.  AD FS 2.1 was released with Windows Server 2012 as an installable server role.  AD FS 3.0 is an installable server role on Windows Server 2012 R2. AD FS 3.0 does not require a separate IIS install and it includes a new AD FS proxy role called the Web Application Proxy.  AD FS 4.0 released with Windows Server 2016 Page  4
  • 5. How AD FS works  Security token service (STS) infrastructure - Active Directory Federation Services - Shibboleth Identity Provider - Third-Party Identity Providers  AD FS and AAD Connect - Account synchronization for federated domain users  AAD Connect, Password Sync and AD FS - AAD Connect w/o Password Sync does not store password hashes in Azure AD  No failback, if AD FS is not available - AAD Connect w/ Password Sync synchronizes password hash to Azure AD  Convert federated domain to standard, if AD FS is not available Page  5
  • 6. Azure AD Federation Compatibility - Optimal IDM Virtual Identity Server Federation Services - PingFederate 6.11, 7.2, 8.x - Centrify - IBM Tivoli Federated Identity Manager 6.2.2 - SecureAuth IdP 7.2.0 - CA SiteMinder 12.52 - RadiantOne CFS 3.0 - Okta - OneLogin - NetIQ Access Manager 4.0.1 - BIG-IP with Access Policy Manager BIG-IP ver. 11.3x – 11.6x - VMware Workspace Portal version 2.1 - Sign&go 5.3 - IceWall Federation Version 3.0 - CA Secure Cloud - Dell One Identity Cloud Access Manager v7.1 - AuthAnvil Single Sign On 4.5 - Sailpoint IdentityNow Active Directory Federation Services Page  6
  • 7. AD FS Planning Considerations (1)  Preparation for end devices and browsers  Placement of AD FS servers and proxies  Appropriate internal network topologies for farms/proxies  Check AD for non-supported characters, and invalid data  Preparation of DNS host names records  Purchase or issuing of certificates Page  7
  • 8. AD FS Planning Considerations (2)  Configuration of firewalls for AD FS-related ports - TCP 443  Selection of appropriate AD FS database technology - Windows Internal Database or SQL Server  Capacity planning to determine required servers, and server specifications - Number users to authenticate, number of relying party trusts  Planning for AD FS High Availability  Preparation for multifactor authentication  Planning for access filtering using claims rules Page  8
  • 9. AD FS Clients  Microsoft Online Services Sign-In Assistant - Office 365 Desktop setup - System Center Configuration Manager - Manual install  Modern Browsers with JScript - Internet Explorer - Mozilla Firefox - Safari Page  9
  • 10. ADAL  ADAL  Active Directory Authentication Library  ADAL works with OAuth 2.0 to enable more authentication and authorization scenarios  Utilizes AD FS Infrastructure  Office 2016 clients support modern authentication by default Link: How modern authentication works for Office 2013 and Office 2016 client apps Page  10
  • 11. AD FS Topologies (1)  Stand-alone server versus server farm - Always create a server farm, even with one server  Windows Internal Database (WID) versus SQL Server  Number of Servers Page  11 1 - 100 Relying Party (RP) Trusts More than 100 RP Trusts 1 - 30 AD FS Nodes WID Supported WID not supported - SQL Required More than 30 AD FS Nodes WID not supported - SQL Required WID not supported - SQL Required Number of users Minimum number of servers (Source: Microsoft) < 1.000 0 dedicated federation server, can co-locate on DC 0 dedicated federation server proxy, can co-locate on web server 1.000 – 15.000 2 dedicated federation servers 2 dedicated federation server proxies 15.000 – 60.000 3 – 5 dedicated federation servers Min 2 dedicated federation server proxies
  • 12. AD FS Topologies (2)  AD FS Proxies - Not mandatory but recommended for extranet/internet users  Server Placement - AD FS servers are domain joined are located in the internal network - AD FS proxy servers should not be domain joined and are located in the perimeter network fs.contoso.com 172.16.1.3 wap1.contoso.com 192.0.2.1 wap2.contoso.com 192.0.2.2 AD FS Proxies Perimeter Network fs.contoso.com 192.0.2.3 fs2.lan.contoso.com 172.16.1.2 Federation Server Farm Internal Network fs1.lan.contoso.com 172.16.1.1 fs.contoso.com PUBLIC IP Internal Users ExternalUsers
  • 13. AD FS Requirements (1)  Active Directory - Domain controllers running Windows Server 2008 or later - Windows Server 2016 domain controller for Microsoft Passport - Account domain and AD FS server domain must be operating at DFL Windows Server 2003 - User account client certificate authentication requires DFL Windows Server 2008 - Check on-premises Active Directory for UPN domain - Remediate UPN for invalid characters  DNS and namespaces - Namespace planning, e.g. sts, fs or adfs - All clients must be able to resolve either internal or external AD FS service name - Windows Integrated authentication requires a DNS A record, not a CNAME record Page  13
  • 14. AD FS Requirements (2)  Certificates - Same SSL certificate for AD FS and Web Application proxies - Common name of the certificate should match the service name - User certificate authentication requires certauth.[federation service name] as SAN - Device registration or modern authentication for pre-Windows 10 clients requires enterpriseregistration.[UPN suffix] as SAN]  Network - Firewall policy to allow HTTPS on TCP 443 - Client user certificate authentication requires TCP 49443 to Web Application proxy, if certauth on 443 is not enabled  Database - Windows Internal Database - SQL Server 2008 or higher Page  14
  • 15. AD FS Capacity Planning  AD FS Capacity Planning Sizing Spreadsheet: - Number of users requiring SSO access - Number of users sending authentication requests (peak) - Duration of peak usage period - Geo redundancy information - AD FS Proxy information Link: AD FS 2016 Capacity Planning Spreadsheet Page  15
  • 16. High Availability for AD FS  Why HA is essential - Federated sources are not accessible when AD FS fails or is not reachable  Load Balancing - Use a simple Load Balancing solution  Protecting SQL Server - SQL Cluster - SQL failover partner  Office 365 Adapter for Windows Azure Virtual Machines - White paper: Office 365 Adapter - Deploying Office 365 single sign-on using Azure Virtual Machines https://technet.microsoft.com/en-us/library/dn509539.aspx - Deployment scenarios for Office 365 with single sign-on and Azure https://technet.microsoft.com/en-us/library/dn509537.aspx Page  16
  • 17. High Availability for AD FS – Azure for Disaster Recovery Page  17 VPNTunnel AD DS 1x AAD Connect 1x AD FS 1x AD FS Proxy 2x AD DS AD FS AAD Connect AD FS AD FS Proxy AD FS Proxy
  • 18. High Availability for AD FS – Azure Only Page  18 VPNTunnel AD DS 1x AAD Connect 1x AD FS 1x AD FS Proxy 2x AD DS
  • 19. Best Practices for AD FS  Plan for AD FS proxy servers  Avoid having federation servers directly accessible on the Internet  Prepare DNS - Split DNS requires proper DNS zone maintenance  Networking, firewall, and security design  Ensure certificates export includes private key Page  19
  • 20. Page  20 Questions Thomas Stensitzki Expert Granikos GmbH & Co. KG MCSM Messaging, MCM: Exchange 2010 MCT, MCSE, MCITP, MCTS, MCSA, MCSA:M E-Mail: thomas.stensitzki@granikos.eu Web: http://www.Granikos.eu Blog: http://blog.Granikos.eu Blog: http://JustCantGetEnough.Granikos.eu