2. What is ADFS?
AD FS provides simplified, secured identity federation and Web single sign-on (SSO) capabilities for end users who want to access applications within an AD FS-secured enterprise, in federation partner organizations, or in the cloud.
3. ADFS Features
Manage Risk with Conditional Access Control
• AD FS provides a rich level of authorization that controls who has access to what applications. This can be based on:
  • User attributes (UPN, email, security group membership, authentication strength, etc.)
  • Device attributes (whether the device is workplace joined)
  • Request attributes (network location, IP address, or user agent)
• Flexible per-application access policy based on user data, device data, or network location.
4. ADFS Features
Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications
• AD FS allows you to control policies that can require multi-factor authentication on a per-application basis.
• AD FS provides extensibility points for any multi-factor vendor to integrate deeply, for a secure and seamless multi-factor experience for end users.
5. ADFS Features
Device Workplace Join
By using Workplace Join, information workers can join their personal devices with their company's workplace computers.
When you join your personal device to your workplace, it becomes a known device and provides seamless second-factor authentication to workplace resources and applications.
Windows 8.1, iOS 6.0+ and Android 4.0+ devices can be joined by using Workplace Join.
Configure Additional Authentication Methods for AD FS
Support for third-party and custom-built authentication methods when configuring multi-factor authentication.
6. ADFS Features
Customization of web themes
• Unified customization of the AD FS service (the changes are made once and then automatically propagated to the rest of the AD FS federation servers in a given farm)
Simplified deployment experience
• Remote installation and configuration through Server Manager
Scaling out easily
• SQL Server merge replication support when deploying AD FS across globally dispersed datacenters
• Group Managed Service Account support
7. Key concepts
[Diagram: the Identity Provider (IP) is Active Directory plus the Security Token Service (STS), together acting as the issuer (IP-STS). The user (subject/principal) requests a token for AppX; the issuer issues a security token crafted for AppX; the relying party (RP)/resource provider AppX trusts the security token because it trusts the issuer.]
The security token (ST) is signed by the issuer and "authenticates" the user to the application. It contains claims about the user, for example:
• Name
• Group membership
• User Principal Name (UPN)
• Email address of user
• Email address of manager
• Phone number
• Other attribute values
10. Fiddler as a man in the middle
Fiddler can intercept HTTPS traffic.
It creates a certificate that represents the destination website.
The browser will display the certificate as invalid unless it is added to the certificate store.
If you add it to the store, make sure you remove it after testing.
11. How it works
[Diagram: browser, claims-aware app, AD FS STS and Active Directory; the app trusts the STS.]
• The user browses to the app and is not authenticated.
• The browser is redirected to the STS.
• The STS authenticates our user and queries Active Directory for user attributes.
• The STS returns a security token to the browser.
• The browser sends the token to the app, which trusts the STS.
• The app returns cookies and the page.
12. First redirect to STS
Decoded redirect URL (split at each parameter for readability):
https://adfs.example.com/adfs/ls/?
  wa=wsignin1.0&
  wtrealm=https://site1.example.com/Federation/&
  wctx=rm=0&id=passive&ru=%2fFederation%2f&
  wct=2011-04-15T15:12:28Z
%2f decodes to /
(wa is the WS-Federation action, wtrealm the relying party's realm, wctx the context handed back to the relying party after sign-in, and wct the time of the request.)
13. Web page returned after authentication
The SAML data is always signed; it can be encrypted if required.
14. AD FS cookies
MSISSelectionPersistent: identifies the authenticating IP-STS, located through Home Realm Discovery (HRD)
MSISAuth…: authenticated session cookies
MSISAuthenticated: time when the authentication took place
MSISSignOut: keeps track of all RPs to which the session has authenticated
MSISLoopDetectionCookie: prevents multiple authentication requests due to a configuration error. Default time-out: 6 requests for authentication to the same RP within a short space of time
17. AD FS architecture
[Diagram: Internet -> firewall & load balancer -> Web Application Proxy farm in the perimeter network -> firewall & load balancer -> AD FS farm on the intranet, with Active Directory and the configuration database. Remote users come in through the WAP farm; CorpNet users reach the AD FS farm directly. Forms authentication is shown for the user sign-in.]
The WAP stores/retrieves its configuration on/from AD FS.
18. DNS requirements
CNAME entries must be added for the device registration service:
enterpriseregistration.<upn suffix> CNAME sts.example.com
A CNAME entry will be required for each of the UPN suffixes used in the AD.
[Diagram: WAP farm in the perimeter network and AD FS farm on the intranet, both addressed as sts.example.com.]
Externally, sts.example.com resolves to the WAP VIP; on the intranet, sts.example.com resolves to the AD FS VIP.
Add host file records on the WAP nodes if the intranet DNS cannot be used by the WAP.
19. Installation prerequisites
Decide on the configuration database
Install the SSL certificate into the local computer store on each farm node
Enable the creation of Group Managed Service Accounts (not required, but recommended)
Active Directory: Windows 2008 or later, Server 2003 functional level or later
20. Two options for the configuration database
Windows Internal Database (WID)
  Each farm member holds a copy
  Maximum of five farm members
  The first server in the farm is referred to as the primary federation server; it has the read/write copy of the configuration database
  Subsequent servers added to the farm are called secondary federation servers; they hold a read-only copy of the configuration database, updated every 5 minutes from the primary federation server
SQL
  You must add appropriate SQL redundancy to avoid a single point of failure
21. SQL database
SQL 2008 or newer
No theoretical limit to farm size
Provides AD FS functionality not available with WID:
  SAML artifact resolution: the RP retrieves the token from the claims provider
  SAML/WS-Federation token replay detection: protects both the WS-Federation passive profile and the SAML WebSSO profile; the resource server detects replay of a token from the account server
22. Load-balancing & firewall settings
NLB or a hardware load-balancer can be used with the proxy and AD FS farms
NLB cannot be used for AD FS if it is running on a domain controller
Firewall
  Port 443 must be enabled
  Port 49443 must be allowed if certificate authentication is to be used
23. AD FS farm SSL certificate
The subject name and subject alternative name must match the farm URL: sts.example.com or *.example.com
For Workplace Join a subject alternative name (SAN) of enterpriseregistration.<upn suffix> is required
A SAN for each UPN suffix in the AD must be added
Recommendations:
  Use the same certificate on all nodes of the farm
  Use the same certificate on the WAP farm nodes
  Obtain the certificate from a public CA
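A pre-flight check covering the DNS names from slide 18 and the SAN requirements from slide 23, added here as an example (not the deck's own script). It assumes the farm name sts.example.com, a placeholder thumbprint for the farm SSL certificate, and the ActiveDirectory and DnsClient modules being available.

```powershell
# Added example: verify that every name the farm needs exists in DNS and is covered
# by the SAN list of the farm SSL certificate. Assumed values below.
$FarmFqdn   = 'sts.example.com'
$Thumbprint = '<THUMBPRINT-OF-FARM-SSL-CERT>'   # placeholder, copy it from Cert:\LocalMachine\My

# Every UPN suffix needs enterpriseregistration.<suffix>. Domain DNS names are
# implicit UPN suffixes, so include them as well as the explicit forest list.
$forest   = Get-ADForest
$suffixes = @($forest.Domains) + @($forest.UPNSuffixes) | Sort-Object -Unique
$required = @($FarmFqdn) + ($suffixes | ForEach-Object { "enterpriseregistration.$_" })

# 1. DNS: each name must resolve (CNAME to the farm name, or the VIP A record).
foreach ($name in $required) {
    $rr = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue
    if ($rr) { Write-Host "OK      DNS  $name -> $(($rr | Where-Object IPAddress).IPAddress -join ',')" }
    else     { Write-Warning "MISSING DNS  $name" }
}

# 2. Certificate: read the SAN extension (OID 2.5.29.17) and match each required name.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) { throw "Certificate $Thumbprint not found in the local computer store" }
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanList = @()
if ($sanExt) {
    # Format() yields e.g. "DNS Name=sts.example.com, DNS Name=*.example.com"
    $sanList = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
               ForEach-Object { $_.Groups[1].Value.ToLower() }
}

function Test-NameCovered([string]$Name, [string[]]$Sans) {
    # A wildcard covers exactly one label: *.example.com matches sts.example.com
    # but not enterpriseregistration.corp.example.com.
    foreach ($san in $Sans) {
        if ($san -eq $Name) { return $true }
        if ($san.StartsWith('*.')) {
            $parent = $san.Substring(2)
            if ($Name -like "*.$parent") {
                $label = $Name.Substring(0, $Name.Length - $parent.Length - 1)
                if ($label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}
foreach ($name in $required) {
    if (Test-NameCovered $name.ToLower() $sanList) { Write-Host "OK      SAN  $name" }
    else { Write-Warning "MISSING SAN  $name (certificate does not cover this name)" }
}
```

Run it once on an AD FS node (intranet view) and once from a WAP node (perimeter view), since the same name must resolve to a different VIP on each side.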
24. Group Managed Service Account (gMSA)
The AD FS service account can be a gMSA
A gMSA can be run across multiple servers
The password (120 characters) for a gMSA is maintained by the Key Distribution Service (KDS) running on a Windows Server 2012 domain controller
The password is calculated using the KDS Root Key, the current time and the gMSA SID
The KDS Root Key must be created using PowerShell
At least one 2012 DC is required; a minimum of 2 DCs is recommended
25. Create the KDS Root Key
Before any gMSA accounts can be created the KDS Root Key must be generated using PowerShell:
Add-KdsRootKey -EffectiveImmediately
There is an enforced delay of 10 hours before a gMSA can be created after running the command.
This is to "guarantee" that the key has propagated to all 2012 DCs.
For lab work the delay can be overridden using:
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
26. Creating a gMSA
Can be created with PowerShell
Let the ADFS wizard do it for you:
  Updates the PrincipalsAllowedToRetrieveManagedPassword property with the DN of the server node being installed
  Sets the service principal name
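The manual equivalent of what the wizard does on slides 24 to 26, added as an example (not the deck's own commands). Assumed names: gMSA gmsa-adfs, farm name sts.example.com, farm nodes ADFS01, ADFS02 and a later ADFS03; the KDS root key from the previous slide must already be effective.

```powershell
# Added example: create the AD FS gMSA by hand instead of through the wizard.
$FarmFqdn = 'sts.example.com'
$Nodes    = 'ADFS01', 'ADFS02' | ForEach-Object { Get-ADComputer $_ }   # assumed farm nodes

# Only the listed farm nodes may retrieve the managed password (least privilege:
# never grant this to "Domain Computers"). The host/ SPN for the farm name goes on
# the service account; Kerberos maps HTTP to HOST, so that is what the wizard sets.
New-ADServiceAccount -Name 'gmsa-adfs' `
    -DNSHostName $FarmFqdn `
    -ServicePrincipalNames "host/$FarmFqdn" `
    -PrincipalsAllowedToRetrieveManagedPassword $Nodes

# Adding a node later: extend the allowed-principals list rather than replacing it,
# otherwise the existing nodes lose access to the password at the next rotation.
$gmsa    = Get-ADServiceAccount -Identity 'gmsa-adfs' -Properties PrincipalsAllowedToRetrieveManagedPassword
$allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword) + (Get-ADComputer 'ADFS03').DistinguishedName
Set-ADServiceAccount -Identity 'gmsa-adfs' -PrincipalsAllowedToRetrieveManagedPassword $allowed

# On each farm node: install the account locally and confirm the node can
# actually retrieve the password from the KDS before running the AD FS wizard.
Install-ADServiceAccount -Identity 'gmsa-adfs'
Test-ADServiceAccount -Identity 'gmsa-adfs'      # $true when this node can use the gMSA
```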
30. Reasons for deployment
[Diagram, two scenarios: (1) your AD FS, trusted by your claims-aware applications (RP1), authenticates your users against your AD; (2) your AD FS additionally trusts a partner or 3rd-party STS with its own identity store, so that external users can reach your claims-aware applications.]
Claims-aware applications may be hosted on-premises or in the cloud.
33. Working with partners
[Diagram: partner user, partner AD FS STS & IP, your AD FS STS, your claims-aware app, Active Directory. The app trusts your STS; your STS trusts your partner's STS.]
• The partner user browses to your app, is not authenticated and is redirected to your STS.
• Home realm discovery at your STS: the user is redirected to the partner STS, requesting an ST for the partner user.
• The partner STS authenticates the user and returns an ST for consumption by your STS.
• Your STS processes that token and returns a new ST.
• The browser sends the token to your app, which returns cookies and the page.
34. Validating the install
Access the federation metadata:
https://sts.example.com/FederationMetadata/2007-06/FederationMetadata.xml
If the browser does not show the page as XML, switch to compatibility view.
Try the IdP-initiated sign-on:
https://sts.example.com/adfs/ls/IdpinitiatedSignOn.aspx
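A scripted version of the metadata check above, added as an example (not from the deck): it fetches the published metadata, lists the token-signing certificates it advertises and, on a farm node, confirms the farm's primary token-signing certificate is among them. Assumed farm name: sts.example.com.

```powershell
# Added example: validate the published federation metadata. Assumed farm name below.
$FarmFqdn = 'sts.example.com'
$url = "https://$FarmFqdn/FederationMetadata/2007-06/FederationMetadata.xml"

# -UseBasicParsing avoids the dependency on the Internet Explorer engine.
$resp = Invoke-WebRequest -Uri $url -UseBasicParsing
[xml]$md = $resp.Content

$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# entityID is the federation service identifier relying parties will trust.
"entityID: $($md.DocumentElement.GetAttribute('entityID'))"

# Every certificate advertised for signing. A farm in the middle of a certificate
# rollover legitimately lists two (primary and secondary), so do not assume one.
$signingCerts = $md.SelectNodes('//md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns) |
    ForEach-Object {
        $bytes = [Convert]::FromBase64String($_.InnerText.Trim())
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    } | Sort-Object Thumbprint -Unique
$signingCerts | Format-Table Subject, NotAfter, Thumbprint -AutoSize

# On a farm node only (Get-AdfsCertificate needs the AD FS role): the primary
# token-signing certificate must be among those the public endpoint advertises.
if (Get-Command Get-AdfsCertificate -ErrorAction SilentlyContinue) {
    $primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
    if ($signingCerts.Thumbprint -contains $primary.Thumbprint) {
        'OK: published metadata advertises the farm''s primary token-signing certificate'
    } else {
        Write-Warning 'Published metadata does NOT contain the primary token-signing certificate; check which farm or WAP the name resolves to'
    }
}
```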
36. Web Application Proxy
[Diagram: the WAP publishes applications and services to the Internet. Claims-aware web applications are published with AD FS pre-authentication; web applications with Windows Authentication are published with Kerberos constrained delegation (KCD); other web applications can be published pass-through.]
Users are authenticated and authorized before gaining access to the corporate network.
37. Kerberos Constrained Delegation
[Diagram: WAP behind the firewall, a DC, and a web application using Windows Authentication (Kerberos); AD FS pre-authentication is required.]
The SPN for the application must be registered on the service account running the application.
The WAP computer account must be configured for constrained delegation with protocol transition to the SPN of the web application.
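The two AD changes this slide requires, plus the matching WAP publishing command, done in PowerShell as an added example (not the deck's own commands). Assumed names: WAP node WAP01, service account svc-app, external URL app.example.com, backend app.corp.example.com, an AD FS relying party named App, and a placeholder certificate thumbprint.

```powershell
# Added example: configure KCD for a WAP-published Windows Authentication app.
$AppSpn  = 'http/app.example.com'   # assumed SPN of the published application
$SvcAcct = 'svc-app'                # assumed account running the application pool
$WapNode = 'WAP01'                  # assumed WAP computer account

# 1. The SPN must sit on the account that actually runs the application. Check for
#    a duplicate first: a duplicate SPN silently breaks Kerberos for both accounts.
$dup = Get-ADObject -LDAPFilter "(servicePrincipalName=$AppSpn)" -Properties servicePrincipalName
if ($dup) { throw "SPN $AppSpn already registered on $($dup.DistinguishedName)" }
Set-ADUser -Identity $SvcAcct -ServicePrincipalNames @{Add = $AppSpn}

# 2. Constrained delegation with protocol transition on the WAP computer account.
#    msDS-AllowedToDelegateTo lists ONLY the target SPN (never unconstrained
#    delegation), and TrustedToAuthForDelegation enables protocol transition
#    ("use any authentication protocol"), needed because the user authenticated
#    to AD FS with forms/MFA rather than Kerberos.
Set-ADComputer -Identity $WapNode -Add @{'msDS-AllowedToDelegateTo' = $AppSpn}
Set-ADAccountControl -Identity (Get-ADComputer $WapNode) -TrustedToAuthForDelegation $true

# 3. Publish the application on the WAP node with AD FS pre-authentication; the
#    WAP obtains a ticket for the backend SPN on the user's behalf.
Add-WebApplicationProxyApplication -Name 'App' `
    -ExternalPreauthentication ADFS `
    -ExternalUrl 'https://app.example.com/' `
    -BackendServerUrl 'https://app.corp.example.com/' `
    -ExternalCertificateThumbprint '<THUMBPRINT-OF-APP-SSL-CERT>' `
    -ADFSRelyingPartyName 'App' `
    -BackendServerAuthenticationSPN $AppSpn

# Verify that the delegation settings landed on the WAP computer object.
Get-ADComputer $WapNode -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
```

Steps 1 and 2 need Active Directory write rights and the ActiveDirectory module; step 3 runs on the WAP node itself.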
38. Network Topology
[Diagram: a client (browser, Office client or modern app) on the Internet -> firewall -> load balancer -> Web Application Proxy (AD FS proxy) in the DMZ -> firewall -> load balancer -> AD FS and backend servers on the corporate network, with the AD FS config store and an Active Directory domain controller. All client traffic is HTTP/S. The WAP reads its configuration from AD FS over the config API (HTTPS), pre-authenticates users (AuthN, web UI), obtains a KCD ticket for IWA from the domain controller, and reaches the backend servers using claims, KCD, OAuth, MSOFBA, or pass-through.]
39. WAP Reverse Proxy Functionalities
Network isolation: even in pass-through, even after pre-authentication, the backend is never exposed directly
Basic DoS protection: throttling, queuing and session establishment before routing to the backend
URL translation: HTTP header-level translation enables publishing non-FQDN URLs, and HTTPS to HTTP
Selective publishing: per internal application endpoint
AD FS proxy services: FS, MFA, DRS
Web protocols only: HTTP, HTTPS
40. WAP Pre-Authentication Functionalities
Rich policy: user + device identity, application identity, network location
MFA options: smartcards, phone factor, soft password lockout
Multiple authentication methods: KCD, claims, OAuth, MSOFBA, …
SSO: avoids requesting credentials again after the first pre-authentication, via a dedicated security token of AD FS
41. WAP requirements
One or two network cards
In some scenarios DirectAccess and/or VPN can be supported on the same server; see http://technet.microsoft.com/en-us/library/dn383647.aspx
Install the AD FS SSL certificate on each WAP node
A certificate will be required for each published application
To use KCD the WAP must be domain joined