An specific detail on how ADFS works as Microsoft Single-SignOn solution for enterprises using Active Directory.

1. ADFS
Active Directory Federation
Services

2. What is ADFS?
 AD FS provides simplified, secured identity federation
and Web single sign-on (SSO) capabilities for end
users who want to access applications within an AD
FS-secured enterprise, in federation partner
organizations, or in the cloud.

3. ADFS Features
 Manage Risk with Conditional Access Control
• AD FS provides a rich level of authorization that controls who has
access to what applications. This can be based on
• User attributes (UPN, email, security group membership,
authentication strength, etc.)
• Device attributes (whether the device is workplace joined)
• Request attributes (network location, IP address, or user agent)
• Flexible per-application access policy based on user data, device
data, or network location.

4. ADFS Features
 Manage Risk with Additional Multi-Factor Authentication for
Sensitive Applications
• AD FS allows you to control policies to potentially require multi-
factor authentication on a per application basis.
• AD FS provides extensibility points for any multi-factor vendor to
integrate deeply for a secure and seamless multi-factor
experience for end users

5. ADFS Features
 Device Workplace Join
By using Workplace Join, information workers can join their personal devices with
their company's workplace computers.
When you join your personal device to your workplace, it becomes a known device
and provides seamless second factor authentication to workplace resources and
applications.
Windows 8.1 and iOS 6.0+, and Android 4.0+ devices can be joined by using
Workplace Join.
 Configure Additional Authentication Methods for AD FS
Support for third-party and custom built authentication methods when
configuring multi-factor authentication.

6. ADFS Features
 Customization of web themes
• Unified customization of the AD FS service (the changes are made once and
then automatically propagated to the rest of the AD FS federation servers in a
given farm)
 Simplified deployment experience
• Remote installation and configuration through Server Manager.
• Scaling Out Easily
• SQL Server merge replication support when deploying AD FS across
globally dispersed datacenters.
• Group Managed Service Account support.

7. Key concepts Identity Provider (IP)
Active
Directory
Security Token Service (STS)
User / Subject /Principal Requests token for AppX
Issues Security Token
crafted for Appx
Relying party (RP)/
Resource provider
Issuer IP-STS
Trusts the Security Token
from the issuer
The Security Token
Contains claims about the user
For example:
• Name
• Group membership
• User Principal Name (UPN)
• Email address of user
• Email address of manager
• Phone number
• Other attribute values
Security Token “Authenticates”
user to the application
ST
Signed by issuer
AppX

8. Key Concepts

9. An essential tool

10. Fiddler as a man in the middle
 Fiddler can intercept HTTPS traffic
 Creates a certificate that represents the destination website
 Browser will display certificate as invalid unless added to certificate store
 If you add it to the store make sure you remove it after testing

11. How Works?
AD FS STS
Claims-aware app Active Directory
Browse app
Not authenticated
Redirected to STS
Authenticate
Our user
Query for user attributes
Return security token
Return cookies
and page
Send Token
App trusts STS

12. First redirect to STS
Decoded redirect URL:
https://adfs.example.com/adfs/ls/?
wa=wsignin1.0&
wtrealm=https://site1.example.com/Federation/&
wctx=rm=0&id=passive&ru=%2fFederation%2f&
wct=2011-04-15T15:12:28Z
%2f decodes to /

13. Web page returned after
authentication
 The SAML data is always signed, it can be encrypted if required

14. MSISSelectionPersistent: identifies authenticating IP-STS
Located through Home Realm Discovery (HRD)
MSISAuth…: authenticated session cookies
MSISAuthenticated: time when the authentication took place
MSISSignOut: Keeps track of all RPs to which the session has authenticated
MSISLoopDetectionCookie: Prevents multiple authentication request due to configuration error
Time-out default: 6 request for authentication to same RP within a short space of time
AD FS cookies

15. Allows browser session to remain authenticated to web application
Web app cookies

16. Main token types
JSON Web Tokens (JWT)
Simple Web Token
(Microsoft, Google, Yahoo)

17. AD FS architecture
Active Directory
Firewall &
Load Balancer
Perimeter network
Web Application Proxy
farm
Firewall &
Load Balancer
Internet
Intranet
AD FS farm
Configuration
database
The WAP stores/retrieves it
configuration on/from AD FS
Remote user CorpNet users
Forms
Authentication

18. DNS requirements
 CNAME entries must be added for the device registration service
 enterpriseregistration.<upn suffix> CNAME sts.example.com
 A CNAME entry will be required for each of the upn suffixes used in the AD
Perimeter network
WAP farm
Intranet
AD FS farm
sts.example.com sts.example.com
sts.example.com
resolves to external
WAP VIP
sts.example.com
resolves to the AD FS VIP
Add host file records
If the intranet DNS
cannot be used by the
WAP

19. Installation prerequisites
 Decide on the configuration database
 Install the SSL certificate into local computer store on each farm node
 Enable the creation of Group Managed Service Accounts
 Not required, but recommended
 Active Directory Windows 2008 or later
 Server 2003 functional level or later

20. Two options for the
configuration database
 Windows Internal Database (WID)
 Each farm member holds a copy
 Maximum of five farm members
 The first server in the farm is referred to as the primary federation server
 Has read/write copy of the configuration database
 Subsequent servers added to the farm are called secondary federation servers
 Read only copy to the configuration database
 Changes updated every 5 minutes from the primary federation server
 SQL
 You must add appropriate SQL redundancy to avoid a single-point of failure

21. SQL database
 SQL 2008 or newer
 No theoretical limit to farm size
 Provides AD FS functionality not available with WID
 SAML artifact resolution
 RP retrieves token from claims provider
 SAML/WS-Federation token replay detection
 Protects both WS-Federation passive profile and the SAML WebSSO profile
 Resource server detect replay of token from account server

22. Load-balancing & firewall settings
 NLB or a hardware load-balancer can be used with the proxy and AD FS farms
 NLB cannot be used for AD FS if it is running on a domain controller
 Firewall
 Port 443 must be enabled
 Must allow port 49443 if certificate authentication is to be used

23. AD FS farm SSL certificate
 The subject name and subject alternative name must match the farm url
 sts.example.com or *.example.com
 For workplace join a subject alternative name (SAN) of enterpriseregistration.<upn suffix> is
required
 A SAN for each upn suffix in the AD must be added
 Recommendations:
 Use the same certificate on all nodes of the farm
 Use the same certificate on the WAP farm nodes
 Obtain the certificate from a public CA

24. Group Managed Service Account
(gMSA)
 The AD FS service account can be a gMSA
 A gMSA can be run across multiple servers
 The password (120 characters) for a gMSA is maintained by the Key
Distribution Service (KDS) running on a Windows Server 2012 domain
controller
 The password is calculated using the KDS Root Key, the current time and the gMSA SID
 The KDS Root Key must be created using PowerShell
 At least one 2012 DC is required
 Recommended a minimum of 2 DCs

25. Create the KDS Root Key
 Before any gMSA accounts can be created the KDS Root Key must be
generated using PowerShell
 Add-KdsRootKey –EffectiveImmediately
 There is an enforced delay of 10 hours before a gMSA can be created after
running the command
 This is to “guarantee” that the key has propagated to all 2012 DCs
 For lab work the delay can be overridden using
 Add-KdsRootKey –EffectiveTime (get-date).addhours(-10)

26. Creating a gMSA
 Can be created with PowerShell
 Let the ADFS wizard do it for you
 Updates the PrincipalsAllowedToRetrieveManagedPassword property with the DN of the server
node being installed
 Sets the service principal name

28. Adding additional farm members

29. Adding additional farm members

30. Reasons for deployment
AD
RP1
Your
AD FS
Your
users
AD
RP1
Your
ADFS
Your
users
Partner or
3rd party STS
Trust
Trust
Trust
External
users
Your
claims-aware
applications
Identity
store
Your
claims-aware
applications
Claims-aware applications may be
hosted on-premises or in the cloud

31. AD
Your
AD FS
Your
users
Partner or 3rd party services
(claims-aware)
Trust
STS
Reasons for deployment (continued)

32. Resource STS
RP2
Trusts
RP1 RP4
Trusts
RP3
Resource STSs apply
application authorization rules
STS owned, managed and run by business unit

33. Process token
Home realm discovery
Redirected to partner STS requesting ST for partner user
Return ST for consumption by your STS
Return new ST
Working with partners Your AD FS STS
Your Claims-aware app
Active
Directory
Partner
user
Partner
AD FS STS & IP
Redirected to your STS
Authenticate
Send Token
Return cookies
and page
Browse app
Not authenticated
Redirect to your STS
App trusts STS Your STS
trusts your
partner’s STS

34. Validating the install
 Access the federation metadata
 https://sts.example.com/FederationMetadata/2007-06/FederationMetadata.xml
 If the browser does not show the page as XML, switch to compatibility view
 Try the IdP initiated sign on
 https://sts.example.com/adfs/ls/IdpinitiatedSignOn.aspx

36. Web Application Proxy
Web
application
ADFS
Claims-aware
web application
Web application
with Windows
Authentication
AD FS
preauthentication
Kerberos
constrained
delegation
Publish
applications and
services to the
Internet
WAP
Users are authenticated
and authorized before
gaining access to the
corporate network
Pass-through
KCD

37. Kerberos Constrained Delegation
Firewall
WAP
DC
Web application using Windows
Authentication (Kerberos)
The SPN for the
application must be
registered on the
service account running
the application
The WAP computer account must
be configured for constrained
delegation with protocol transition
to the SPN of the web application
AD FS
preauthentication
required

38. Network Topology
Backend Server
Backend Server
AD FS
Backend Server
Config.
Store
Web Application
Proxy
DMZ
AD FS Proxy
Firewall
Load
Balancer
Load
Balancer
Firewall
Active Directory
Domain
Controller
Client
(browser,
Office client
or modern
app)
Corporate Network
Internet
HTTP/S
HTTP/S
AuthN
Config. API
over HTTPS
AuthN
Web UI
Claims, KCD,
OAuth, MSOFBA,
or pass-through
Obtain KCD
ticket for IWA
AuthN

39. WAP Reverse Proxy Functionalities
 Network Isolation: even in pass-through, even post pre-auth,
backend is never exposed directly
 Basic DOS: throttling, queuing, session establishing, before
routing to backend
 URL Translation: HTTP header level translation enables
publishing non-FQDN URLs, and HTTPSHTTP
 Selective Publishing: per internal application endpoint
 AD FS Proxy services: FS, MFA, DRS
 Web Protocols Only: HTTP, HTTPS

40. WAP Pre-Authentication Functionalities
 Rich Policy: user + device identity, application identity,
network location
 MFA Options: smartcards, phone factor, soft password lockout
 Multiple Authentication Methods: KCD, claims, OAuth, MSO-
FBA, …
 SSO: Avoid requesting credentials again, after first pre-auth
 Via a dedicated security token of AD FS

41. WAP requirements
 One or two network cards
 In some scenarios DirectAccess and/or VPN can be supported on the same server
 See http://technet.microsoft.com/en-us/library/dn383647.aspx
 Install the AD FS SSL certificate on each WAP node
 A certificate will be required for each published application
 To use KCD the WAP must be domain joined

42. Installing the Web Application Proxy

43. Running the wizard
 The same method is used to add one or more nodes