Module 10

Implementing and administering

ADFS
Module Overview

Overview of ADFS
ADFS requirements and planning
Deploying and configuring AD FS
Web Application Proxy overview
Lesson 1: Overview of ADFS

What is identity federation?

What are claims-based identity and claims-based
authentication?
Overview of web services
What is ADFS?
Whats new in AD FS in Windows Server 2016?
How ADFS enables SSO in a single organization
How AD FS enables SSO in a business-to-business
federation
What is identity federation?

Allows identification, authentication, and

authorization across organizational and platform
boundaries
Requires a federated trust relationship between
two organizations or entities
Allows organizations to retain control over who
can access resources
Allows organizations to retain control of their
user and group accounts
What are claims-based identity and claims-based
authentication?
Claims provide information about the users
The users identity provider supplies information that
the application provider accepts
Security
token
service Application

Security token Security token

(outgoing (incoming
claims) claims)
Identity Application
provider provider
Overview of web services

Web services comprise a standardized set of

specifications used to build applications and
services
Web services typically:
Transmit data as XML
Use SOAP to define the XML message format
Use WSDL to define valid SOAP messages
Use UDDI to describe available web services

SAML is a standard for exchanging identity

claims
What is ADFS?

AD FS is the Microsoft identity federation

product that can use claims-based authentication
AD FS has the following features:
SSO for web-based apps
Interoperability with web services on multiple platforms
Support for many clients, such as web browsers, mobile
devices, and applications
Extensibility to support customized claims from third-
party applications
The Delegation of account management to the users
organization
Whats new in AD FS in Windows Server 2016?

New AD FS features introduced in

Windows Server 2012:
Integration with the Windows Server 2012 operating
system
Integration with Dynamic Access Control
Windows PowerShell cmdlets for administering AD FS

New AD FS features introduced in

Windows Server 2016:
Support for any directory that is LDAP v3-compliant
New factors of authentication
Improvements in AD FS management
Conditional access
How ADFS enables SSO in a single organization

Perimeter network Corporate network

AD DS
domain
controller
8 7
Federation
Service 6
4 5
3 Proxy

1 Federation
server
External client 9

Web server
How AD FS enables SSO in a business-to-business
federation
Trey Research A. Datum Corporation
AD DS
Federation trust
Resource
federation
Account
6 server
federation
server
7

10
4
Internal 8
client 5 9 Web
computer 3 server

1 11
Lesson 2: ADFS requirements and planning

ADFS components
ADFS requirements
PKI and certificate requirements
Federation server roles
Planning an AD FS deployment for online services
Planning a highly available AD FS deployment
Capacity planning
Demonstration: Installing the ADFS server role
ADFS components

Federation server Relying parties

Federation server proxy Claims provider trust
and Web Application
Proxy
Claims Relying party trust
Claim rules Certificates
Attribute store Endpoints
Claims providers
ADFS requirements

A successful AD FS deployment includes the

following critical infrastructure:
TCP/IP network connectivity
AD DS
Attribute stores
DNS
PKI and certificate requirements

AD FS uses the following certificates:

Service communication certificates
Token-signing certificates
Token-decrypting certificates

When choosing certificates, ensure that all

federation partners and clients trust the service
communication certificate
Federation server roles

A claims provider federation server:

Authenticates internal users
Issues signed tokens containing user claims

A relying party federation server:

Consumes tokens from the claims provider
Issues tokens for application access

A Federation Service Proxy:

Gets deployed in a perimeter network
Provides a layer of security enhancement for internal
federation servers
Planning an AD FS deployment for online services

On-premises Exchange Online

AD DS Federation trust Microsoft online

services
Account federation
6 federation server
server
7 9
4

10
5 Microsoft
3
Outlook
8 Web App
2
server
Internal
client 1
computer 11
Deploying SSO integration with Microsoft online
services

To configure SSO for integration with online

services, you must:
Prepare your environment for SSO
Deploy federation services
Deploy directory synchronization
Verify SSO
Planning a highly available AD FS deployment

When planning the availability of your AD FS

environment for federated authentication, you
should consider the following categories:
The federation server farm
NLB
The configuration database
Capacity planning

Use the following when planning for the capacity

of your federation servers:
Capacity Planning spreadsheet requirements:
The percentage of total users expected to send authentication
requests to AD FS during peak usage periods
The length of time the peak usage period is expected to last
The total number of users that will require SSO access
Estimation table:
Number of users Minimum number of servers
Fewer than 1,000 2 federation servers, 2 proxies
1,000 15,000 2 federation servers, 2 proxies
15,000 60,000 35 federation servers, 2 proxies
More than 60,000 5+ federation servers, 3+ proxies
Demonstration: Installing the ADFS server role

In this demonstration, you will see how to:

Install AD FS
Add a DNS record for AD FS
Configure AD FS
Lesson 3: Deploying and configuring AD FS

What are ADFS claims and claims rules?

What is a claims provider trust?
What is a relying party trust?
Demonstration: Configuring claims provider and
relying party trusts
Installing and configuring AD FS
Configuring an account partner and a resource
partner
Configuring claims rules
How home realm discovery works
What are ADFS claims and claim rules?

Claims provide information about users from the

claims provider to the relying party
AD FS:
Provides a default set of built-in claims
Enables the creation of custom claims
Requires each claim have a unique URI

Claims can be:

Retrieved from an attribute store
Calculated based on retrieved values
Transformed into alternate values
What are AD FS claims and claim rules?

Claim rules define how claims are sent and

consumed by AD FS servers
Claims provider rules are acceptance transform
rules
Relying party rules can be:
Issuance transform rules
Issuance authorization rules
Delegation authorization rules

AD FS servers provide default claim rules,

templates, and a syntax for creating custom
claim rules
What is a claims provider trust?

Claims provider trusts:

Are configured on the relying party federation server
Identify the claims provider
Configure the claim rules for the claims provider

In a single-organization scenario, a claims

provider trust called Active Directory defines how
AD DS user credentials are processed
You can configure claims provider trusts by:
Importing the federation metadata
Importing a configuration file
Configuring the trust manually
What is a relying party trust?

Relying party trusts:

Are configured on the claims provider federation server
Identify the relying party
Configure the claim rules for the relying party

In a single-organization scenario, a relying party

trust defines the connection to internal
applications
You can configure relying party trusts by:
Importing the federation metadata
Importing a configuration file
Manually configuring the trust
Demonstration: Configuring claims provider and
relying party trusts

In this demonstration, you will see how to:

Configure a claims provider trust
Configure a WIF application for AD FS
Configure a relying party trust
Installing and configuring AD FS

You might need to prepare the following items

before installing AD FS:
SQL Server
Service account
Certificates
DNS

During the deployment of AD FS, you:

1. Install AD FS
2. Configure AD FS
3. Create the first federation server in a farm
4. Add a federation server to a farm
5. Update AD FS
Configuring an account partner and a resource partner
An account partner is a claims provider in a business-to-
business federation scenario. To configure an account
partner:
Implement the physical topology
Add an attribute store
Configure a relying party trust
Add a claim description
Prepare the client computers for federation
A resource partner is a relying party in a business-to-
business federation scenario. To configure a relying
partner:
Implement the physical topology
Add an attribute store
Configure a claims provider trust
Create claim rule sets for the claims provider trust
Configuring claims rules

Business-to-business scenarios might require

more-complex claims rules
You can create claims rules by using the
following templates:
Send LDAP Attributes as Claims
Send Group Membership as a Claim
Pass Through or Filter an Incoming Claim
Transform an Incoming Claim
Permit or Deny Users Based on an Incoming Claim

You can also create custom rules by using the

AD FS claim rule language
How home realm discovery works

Home realm discovery identifies the AD FS server

responsible for providing claims about a user
Two methods for home realm discovery exist:
Prompt users during their first authentication
Include a whr string in the application URL

SAML applications can use a preconfigured

profile for home realm discovery
Demonstration: Configuring claims rules

In this demonstration, you will learn how to

configure claim rules
Managing an AD FS deployment

After the installation, you might need to perform

periodic AD FS management tasks, including:
Managing the certificate life cycle
Using automatic certificate rollover, which renews AD FS
certificates once a year
Using the Get-ADFSCertificate cmdlet to view certificate
expiration dates
Using the Update-MsolFederatedDomain cmdlet to
manage certificate rollover when the AD FS token-signing
certificate renews on an annual basis
Using the Set-AdfsSyncProperties cmdlet to change the
primary and secondary AD FS federation servers
Lesson 4: Web Application Proxy overview

What is the Web Application Proxy?

Web Application Proxy and ADFS proxy
Web Application Proxy authentication methods
Scenarios for using the Web Application Proxy
Installing and configuring the Web Application
Proxy
Demonstration: Installing and configuring the
Web Application Proxy
What is the Web Application Proxy?

Windows Server 2016 includes several

improvements to the Web Application Proxy role,
including:
Preauthentication for HTTP Basic app publishing
Wildcard domain publishing of apps
HTTP to HTTPS redirection
HTTP publishing
Web Application Proxy and ADFS proxy

The Web Application Proxy is an AD FS proxy

The same certificate is used on the AD FS server
and the Web Application Proxy
Split DNS allows the same name to resolve to
different IP addresses

AD FS server Web Application Proxy Internet

adfs.adatum.com adfs.adatum.com
172.16.0.21 10.10.0.100
Web Application Proxy authentication methods

Preauthentication types:
AD FS
Pass-through

Intranet application Web Application Proxy Internet

Scenarios for using the Web Application Proxy
You can use the Web Application Proxy to publish:
SharePoint services
Exchange services
Remote Desktop Gateway services
Other, custom line-of-business applications
Corporate
Internet network
Client devices
Web AD DS
Application
Firewall Proxy Firewall
AD FS

Applications
Installing and configuring the Web Application Proxy

You might need to prepare the following items

before installing the Web Application Proxy:
Certificates
Load balancing
DNS

During the deployment of the Web Application

Proxy, you will:
Install the Web Application Proxy
Configure the Web Application Proxy
Update the Web Application Proxy
Demonstration: Installing and configuring the
Web Application Proxy

In this demonstration, you will learn how to:

Install the Web Application Proxy
Export the certificate from the AD FS server
Import the certificate to the Web Application Proxy server
Configure the Web Application Proxy
Lab: Implementing ADFS
Exercise 1: Configuring the AD FS prerequisites
Exercise 2: Installing and configuring ADFS
Exercise 3: Configuring an internal application for ADFS
Exercise 4: Configuring AD FS for federated business
partners
Logon Information
Virtual machines: 20742B-LON-DC1
20742B-LON-SVR1
20742B-LON-CL1
User name: Adatum\Administrator
Password: Pa55w.rd

Virtual machine: 20742B-TREY-DC1

User name: TreyResearch\Administrator
Password: Pa55w.rd
Estimated Time: 90 minutes
Lab Scenario

A. Datum Corporation has set up a variety of business relationships with other

companies and customers. Some of these partner companies and customers need
to access business applications that are running on the A. Datum Corporation
network. The business groups at A. Datum Corporation want to provide maximum
level of functionality and access to these companies. The Security and Operations
departments want to help ensure that the partners and customers can access only
the resources that they are authorized for and that implementing the solution
does not significantly increase the workload for the Operations team. A. Datum
Corporation is also working on the migration of some parts of its network
infrastructure to online services, including Azure and Office 365.
To meet these business requirements, A. Datum Corporation is planning to
implement AD FS. In the initial deployment, the company is planning to use AD FS
to implement SSO for internal users accessing an application on a web server. A.
Datum Corporation is partnering with another company, Trey Research. Trey
Research users should be able to access the same application.
As one of the senior network administrators at A. Datum Corporation also, it is
your responsibility to implement the AD FS solution. As a proof of concept, you
are deploying a sample claims-aware application and configuring AD FS to allow
both internal users and Trey Research users to access the same application.
Lab Review

Why is configuring adfs.adatum.com for use as a

host name important for the ADFS service?
How can you test whether ADFS is functioning
properly?
Module Review and Takeaways

Review Questions
Best Practice