
AD FS Workshop | Part 1 | Quick Overview



This slidedeck provides a quick overview about Active Directory Federation Services technology for federated authentication with Office 365 and other relying parties.



  1. Active Directory Federation Services
     Thomas Stensitzki
  2. AD FS | Quick Overview
  3. What is AD FS
     - AD FS: Active Directory Federation Services
     - AD FS provides the infrastructure that enables a user to authenticate in one network and use a secure service or application in another network
     - Authentication methods
       - Resources accessed from outside the corporate network: forms authentication; certificate authentication (smart card, soft certificate)
       - Resources accessed from inside the corporate network: Windows authentication
     - Device authentication can provide a secondary authentication method when multi-factor authentication (MFA) is required
  4. AD FS Versions
     - AD FS 1.0 was originally released as a Windows component with Windows Server 2003 R2.
     - AD FS 1.1 was released with Windows Server 2008 and Windows Server 2008 R2, as an installable server role.
     - AD FS 2.0 was released as an installable download for Windows Server 2008 SP2 or above.
     - AD FS 2.1 was released with Windows Server 2012 as an installable server role.
     - AD FS 3.0 is an installable server role on Windows Server 2012 R2. AD FS 3.0 does not require a separate IIS install and it includes a new AD FS proxy role called the Web Application Proxy.
     - AD FS 4.0 was released with Windows Server 2016.
  5. How AD FS works
     - Security token service (STS) infrastructure
       - Active Directory Federation Services
       - Shibboleth Identity Provider
       - Third-party identity providers
     - AD FS and AAD Connect
       - Account synchronization for federated domain users
     - AAD Connect, Password Sync and AD FS
       - AAD Connect without Password Sync does not store password hashes in Azure AD: no failback if AD FS is not available
       - AAD Connect with Password Sync synchronizes the password hash to Azure AD: the federated domain can be converted to standard if AD FS is not available
  6. Azure AD Federation Compatibility
     - Active Directory Federation Services
     - Optimal IDM Virtual Identity Server Federation Services
     - PingFederate 6.11, 7.2, 8.x
     - Centrify
     - IBM Tivoli Federated Identity Manager 6.2.2
     - SecureAuth IdP 7.2.0
     - CA SiteMinder 12.52
     - RadiantOne CFS 3.0
     - Okta
     - OneLogin
     - NetIQ Access Manager 4.0.1
     - BIG-IP with Access Policy Manager, BIG-IP ver. 11.3x – 11.6x
     - VMware Workspace Portal version 2.1
     - Sign&go 5.3
     - IceWall Federation Version 3.0
     - CA Secure Cloud
     - Dell One Identity Cloud Access Manager v7.1
     - AuthAnvil Single Sign On 4.5
     - Sailpoint IdentityNow
  7. AD FS Planning Considerations (1)
     - Preparation of end devices and browsers
     - Placement of AD FS servers and proxies
     - Appropriate internal network topologies for farms and proxies
     - Check AD for non-supported characters and invalid data
     - Preparation of DNS host name records
     - Purchase or issuing of certificates
  8. AD FS Planning Considerations (2)
     - Configuration of firewalls for AD FS-related ports: TCP 443
     - Selection of the appropriate AD FS database technology: Windows Internal Database or SQL Server
     - Capacity planning to determine the required servers and server specifications: number of users to authenticate, number of relying party trusts
     - Planning for AD FS high availability
     - Preparation for multi-factor authentication
     - Planning for access filtering using claims rules
  9. AD FS Clients
     - Microsoft Online Services Sign-In Assistant
       - Office 365 Desktop setup
       - System Center Configuration Manager
       - Manual install
     - Modern browsers with JavaScript enabled
       - Internet Explorer
       - Mozilla Firefox
       - Safari
  10. ADAL
      - ADAL: Active Directory Authentication Library
      - ADAL works with OAuth 2.0 to enable more authentication and authorization scenarios
      - Utilizes the AD FS infrastructure
      - Office 2016 clients support modern authentication by default
      - Link: How modern authentication works for Office 2013 and Office 2016 client apps
  11. AD FS Topologies (1)
      - Stand-alone server versus server farm: always create a server farm, even with one server
      - Windows Internal Database (WID) versus SQL Server
      - Number of servers

      Database support by farm size:

      | AD FS nodes            | 1 - 100 Relying Party (RP) Trusts | More than 100 RP Trusts          |
      |------------------------|-----------------------------------|----------------------------------|
      | 1 - 30 AD FS nodes     | WID supported                     | WID not supported - SQL required |
      | More than 30 AD FS nodes | WID not supported - SQL required | WID not supported - SQL required |

      Minimum number of servers by number of users (Source: Microsoft):

      | Number of users  | Federation servers                                    | Federation server proxies                                      |
      |------------------|-------------------------------------------------------|----------------------------------------------------------------|
      | < 1,000          | 0 dedicated federation servers, can co-locate on DC   | 0 dedicated federation server proxies, can co-locate on web server |
      | 1,000 – 15,000   | 2 dedicated federation servers                        | 2 dedicated federation server proxies                          |
      | 15,000 – 60,000  | 3 – 5 dedicated federation servers                    | Min. 2 dedicated federation server proxies                     |
  12. AD FS Topologies (2)
      - AD FS proxies: not mandatory, but recommended for extranet/internet users
      - Server placement
        - AD FS servers are domain joined and located in the internal network
        - AD FS proxy servers should not be domain joined and are located in the perimeter network
      - Diagram (topology example): internal network with the federation server farm fs1.lan.contoso.com (172.16.1.1), fs2.lan.contoso.com (172.16.1.2) and the farm name fs.contoso.com (172.16.1.3) serving internal users; perimeter network with the AD FS proxies wap1.contoso.com (192.0.2.1), wap2.contoso.com (192.0.2.2) and fs.contoso.com (192.0.2.3); fs.contoso.com on a public IP for external users
  13. AD FS Requirements (1)
      - Active Directory
        - Domain controllers running Windows Server 2008 or later
        - Windows Server 2016 domain controller for Microsoft Passport
        - Account domain and AD FS server domain must be operating at DFL Windows Server 2003
        - User account client certificate authentication requires DFL Windows Server 2008
        - Check on-premises Active Directory for the UPN domain
        - Remediate UPNs containing invalid characters
      - DNS and namespaces
        - Namespace planning, e.g. sts, fs or adfs
        - All clients must be able to resolve either the internal or the external AD FS service name
        - Windows Integrated authentication requires a DNS A record, not a CNAME record
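A pre-flight script for the two Active Directory and DNS checks on this slide (UPN readiness and A-record-not-CNAME), added here as an example and not part of the slide deck. It assumes the RSAT ActiveDirectory and DnsClient modules are present; the federation service name, the list of verified UPN suffixes and the local-part character class are placeholders to align with your tenant and with Microsoft's IdFix rules.

```powershell
# Added example, not from the slide deck. Assumes RSAT ActiveDirectory + DnsClient modules.
Import-Module ActiveDirectory

$FederationServiceName = 'fs.contoso.com'   # assumption: name from the topology slide
$VerifiedUpnSuffixes   = @('contoso.com')   # assumption: suffixes verified in Azure AD
# Assumption: characters to flag in the UPN local part; align with Microsoft's IdFix rules.
$BadLocalPart = "[^A-Za-z0-9.\-_'!#^~]"

function Test-AdfsUpnReadiness {
    param([string[]]$Suffixes, [string]$Pattern)
    # Every enabled user needs a UPN with a verified, routable suffix and a clean local part.
    Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName | ForEach-Object {
        $upn = $_.UserPrincipalName
        $problem = $null
        if ([string]::IsNullOrEmpty($upn)) {
            $problem = 'UPN is empty'
        } else {
            $local, $suffix = $upn -split '@', 2
            if (-not $suffix)                 { $problem = 'UPN has no @suffix' }
            elseif ($suffix -notin $Suffixes) { $problem = "suffix '$suffix' is not verified" }
            elseif ($local -match $Pattern)   { $problem = 'invalid character in local part' }
        }
        if ($problem) {
            [pscustomobject]@{ SamAccountName = $_.SamAccountName; UPN = $upn; Problem = $problem }
        }
    }
}

function Test-AdfsServiceNameRecord {
    param([string]$Name)
    # Windows Integrated authentication needs an A record: browsers build the Kerberos
    # SPN from the resolved host name, and a CNAME changes that name.
    $records = Resolve-DnsName -Name $Name -ErrorAction Stop
    $types   = @($records | ForEach-Object { $_.Type.ToString() }) | Sort-Object -Unique
    $isCname = 'CNAME' -in $types
    [pscustomobject]@{
        Name    = $Name
        Types   = ($types -join ',')
        Verdict = if ($isCname) { 'FAIL: CNAME in use, create an A record instead' } else { 'OK' }
    }
}

Test-AdfsUpnReadiness -Suffixes $VerifiedUpnSuffixes -Pattern $BadLocalPart | Format-Table -AutoSize
Test-AdfsServiceNameRecord -Name $FederationServiceName
```

Run it against the internal service name from inside the network and the external one from outside, since the slide requires that clients can resolve whichever of the two applies to them.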
  14. AD FS Requirements (2)
      - Certificates
        - Same SSL certificate for AD FS and Web Application Proxies
        - Common name of the certificate should match the service name
        - User certificate authentication requires certauth.[federation service name] as SAN
        - Device registration or modern authentication for pre-Windows 10 clients requires enterpriseregistration.[UPN suffix] as SAN
      - Network
        - Firewall policy to allow HTTPS on TCP 443
        - Client user certificate authentication requires TCP 49443 to the Web Application Proxy, if certauth on 443 is not enabled
      - Database
        - Windows Internal Database
        - SQL Server 2008 or higher
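A check for the certificate and network requirements on this slide, added here as an example and not part of the slide deck: it verifies that the SSL certificate's SAN list covers the service name, certauth.[service name] and enterpriseregistration.[UPN suffix], that the private key is present (it must travel with the certificate to the proxies), and that TCP 443 and 49443 answer. The service name, UPN suffixes and thumbprint are placeholders; `Test-NetConnection` requires Windows Server 2012 or later.

```powershell
# Added example, not from the slide deck. Run on an AD FS or Web Application Proxy server.
$FederationServiceName = 'fs.contoso.com'                            # assumption
$UpnSuffixes           = @('contoso.com')                            # assumption
$Thumbprint            = '<thumbprint of the AD FS SSL certificate>' # placeholder

function Test-AdfsCertificate {
    param([string]$Thumbprint, [string]$ServiceName, [string[]]$UpnSuffixes)
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

    # Names the slide requires on the certificate.
    $required = @($ServiceName, "certauth.$ServiceName") +
                @($UpnSuffixes | ForEach-Object { "enterpriseregistration.$_" })

    # Extract DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
    # Format() yields e.g. "DNS Name=fs.contoso.com, DNS Name=certauth.fs.contoso.com".
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sans = @()
    if ($sanExt) {
        $sans = @($sanExt.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    }

    foreach ($name in $required) {
        # A wildcard only covers one label, so *.fs.contoso.com matches certauth.fs.contoso.com
        # but *.contoso.com does not.
        $wildcard = '*.' + ($name -split '\.', 2)[1]
        [pscustomobject]@{ Check = "SAN $name"; Passed = ($name -in $sans) -or ($wildcard -in $sans) }
    }
    [pscustomobject]@{ Check = 'Private key present'; Passed = $cert.HasPrivateKey }
}

function Test-AdfsProxyPorts {
    param([string]$ServiceName, [int[]]$Ports = @(443, 49443))
    # 443 is always required; 49443 only when certauth on 443 is not enabled.
    foreach ($port in $Ports) {
        $r = Test-NetConnection -ComputerName $ServiceName -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Check = "TCP $port to $ServiceName"; Passed = $r.TcpTestSucceeded }
    }
}

Test-AdfsCertificate -Thumbprint $Thumbprint -ServiceName $FederationServiceName -UpnSuffixes $UpnSuffixes
Test-AdfsProxyPorts -ServiceName $FederationServiceName
```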
  15. AD FS Capacity Planning
      - AD FS Capacity Planning Sizing Spreadsheet inputs:
        - Number of users requiring SSO access
        - Number of users sending authentication requests (peak)
        - Duration of the peak usage period
        - Geo redundancy information
        - AD FS proxy information
      - Link: AD FS 2016 Capacity Planning Spreadsheet
  16. High Availability for AD FS
      - Why HA is essential: federated sources are not accessible when AD FS fails or is not reachable
      - Load balancing: use a simple load balancing solution
      - Protecting SQL Server: SQL cluster, SQL failover partner
      - Office 365 Adapter for Windows Azure Virtual Machines
        - White paper: Office 365 Adapter - Deploying Office 365 single sign-on using Azure Virtual Machines, https://technet.microsoft.com/en-us/library/dn509539.aspx
        - Deployment scenarios for Office 365 with single sign-on and Azure, https://technet.microsoft.com/en-us/library/dn509537.aspx
  17. High Availability for AD FS – Azure for Disaster Recovery
      - Diagram: on-premises site (AD DS, AD FS, AAD Connect, AD FS Proxy) connected by a VPN tunnel to an Azure site hosting 2x AD DS, 1x AAD Connect, 1x AD FS and 1x AD FS Proxy
  18. High Availability for AD FS – Azure Only
      - Diagram: on-premises AD DS connected by a VPN tunnel to Azure, which hosts 2x AD DS, 1x AAD Connect, 1x AD FS and 1x AD FS Proxy
  19. Best Practices for AD FS
      - Plan for AD FS proxy servers
      - Avoid having federation servers directly accessible on the Internet
      - Prepare DNS: split DNS requires proper DNS zone maintenance
      - Networking, firewall, and security design
      - Ensure the certificate export includes the private key
  20. Questions
      Thomas Stensitzki, Expert, Granikos GmbH & Co. KG
      MCSM Messaging, MCM: Exchange 2010, MCT, MCSE, MCITP, MCTS, MCSA, MCSA:M
      E-Mail: thomas.stensitzki@granikos.eu
      Web: http://www.Granikos.eu
      Blog: http://blog.Granikos.eu
      Blog: http://JustCantGetEnough.Granikos.eu
