
Configure extranet access for AD FS on Windows Server 2012 R2


This topic describes how to install the Remote Access role with the Web Application Proxy role service and how to configure the Web Application Proxy server to connect to an Active Directory Federation Services (AD FS) server.

To deploy Web Application Proxy, you must install the Remote Access role with the Web Application Proxy role service on a server that will act as the Web Application Proxy server.

Repeat this procedure for all of the servers that you want to deploy as Web Application Proxy servers.

  1. On the Web Application Proxy server, in the Server Manager console, in the Dashboard, click Add roles and features.

  2. In the Add Roles and Features Wizard, click Next three times to get to the server role selection screen.

  3. On the Select server roles dialog, select Remote Access, and then click Next.

  4. Click Next twice.

  5. On the Select role services dialog, select Web Application Proxy, click Add Features, and then click Next.

  6. On the Confirm installation selections dialog, click Install.

  7. On the Installation progress dialog, verify that the installation was successful, and then click Close.

The following Windows PowerShell cmdlet performs the same function as the preceding procedure. Enter it on a single line, even though it may appear word-wrapped across several lines here because of formatting constraints.

    Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
    

You must configure Web Application Proxy to connect to an AD FS server.

Repeat this procedure for all of the servers that you want to deploy as Web Application Proxy servers.

  1. On the Web Application Proxy server, open the Remote Access Management console (run RAMgmtUI.exe and press ENTER). If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  2. In the navigation pane, click Web Application Proxy.

  3. In the Remote Access Management console, in the middle pane, click Run the Web Application Proxy Configuration Wizard.

  4. On the Web Application Proxy Configuration Wizard, on the Welcome dialog, click Next.

  5. On the Federation Server dialog, do the following, and then click Next:

    • In the Federation service name box, enter the fully qualified domain name (FQDN) of the AD FS server; for example, fs.fabrikam.com.
    • In the User name and Password boxes, enter the credentials of a local administrator account on the AD FS servers.
  6. On the AD FS Proxy Certificate dialog, in the list of certificates currently installed on the Web Application Proxy server, select a certificate to be used by Web Application Proxy for AD FS proxy functionality, and then click Next.

    The certificate you choose here should be the one whose subject is the Federation Service name, for example, fs.fabrikam.com.

  7. On the Confirmation dialog, review the settings. If required, you can copy the PowerShell cmdlet to automate additional installations. Click Configure.

  8. On the Results dialog, verify that the configuration was successful, and then click Close.

The following Windows PowerShell cmdlet performs the same function as the preceding procedure. Enter it on a single line, even though it may appear word-wrapped across several lines here because of formatting constraints.

    The following command will prompt you to enter the credentials of a local administrator account on the AD FS servers.

    Install-WebApplicationProxy -CertificateThumbprint '1a2b3c4d5e6f1a2b3c4d5e6f1a2b3c4d5e6f1a2b' -FederationServiceName fs.fabrikam.com
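The cmdlet above takes the thumbprint as a literal. The following script, added here as an example and not part of the original post or of Microsoft's documentation, performs the same configuration but locates the certificate by its subject name (the Federation Service name, fs.fabrikam.com as in the post), refuses to continue if no certificate with a usable private key matches, checks that the federation server is reachable on TCP 443 from the DMZ, prompts for the AD FS administrator credentials instead of embedding them, and reads the resulting proxy configuration back. The certificate is assumed to already be imported into the local machine store.

```powershell
# Added example (not from the original post): configure Web Application Proxy
# against AD FS, selecting the proxy certificate by subject rather than by a
# hard-coded thumbprint.
# Assumptions: the Federation Service name is fs.fabrikam.com (as in the post)
# and the certificate is already in Cert:\LocalMachine\My.
param(
    [string]$FederationServiceName = 'fs.fabrikam.com'
)

# The Web Application Proxy role service must be installed before configuration.
$feature = Get-WindowsFeature -Name Web-Application-Proxy
if (-not $feature.Installed) {
    throw "Install the role service first: Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools"
}

# The proxy must reach the federation server on 443; a DMZ firewall gap is the
# most common reason the wizard fails at the Federation Server step.
if (-not (Test-NetConnection -ComputerName $FederationServiceName -Port 443 -InformationLevel Quiet)) {
    throw "Cannot reach $FederationServiceName on TCP 443; check DNS resolution and firewall rules from the DMZ."
}

# Select the certificate whose subject is the Federation Service name, has a
# private key and has not expired; prefer the one that expires last.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -like "CN=$FederationServiceName*" -and
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date)
    } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No valid certificate for CN=$FederationServiceName with a private key was found in Cert:\LocalMachine\My"
}
Write-Host "Using certificate $($cert.Thumbprint) (expires $($cert.NotAfter))"

# Prompt for the credentials of a local administrator on the AD FS servers.
$cred = Get-Credential -Message "Local administrator account on the AD FS servers"

# Same operation as the wizard's Configure step.
Install-WebApplicationProxy -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $FederationServiceName `
    -FederationServiceTrustCredential $cred

# Read the proxy configuration back to confirm the trust with AD FS was established.
Get-WebApplicationProxyConfiguration | Format-List
```

Run the script in an elevated PowerShell session on the Web Application Proxy server. Selecting by subject and checking HasPrivateKey avoids the common failure where a certificate chain was imported without its private key, which the thumbprint form of the cmdlet only reports after the configuration attempt.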
    

The extranet-facing Web Application Proxy can throttle requests from the extranet when the latency between the Web Application Proxy and the federation server rises above a certain threshold. Using this feature, the Web Application Proxy rejects external client authentication requests when it detects, from the latency of servicing authentication requests, that the federation server is overloaded. The mechanism is closely related to the Additive Increase Multiplicative Decrease (AIMD) algorithm used for congestion control in TCP: it maintains a congestion window represented by a pool of tokens, and leases a token to each incoming request to the Web Application Proxy.

In a high-latency DMZ network or on a heavily loaded Web Application Proxy, the default settings that control this algorithm can cause authentication requests to be rejected even though the federation server could satisfy them successfully. In such an environment, we strongly recommend making the settings less aggressive by performing the following steps.

  1. On your Web Application Proxy computer, start an elevated command window.

  2. Navigate to the ADFS directory, at %WINDIR%\adfs\config.

  3. Change the congestion control settings from their default values to ‘<congestionControl latencyThresholdInMSec="8000" minCongestionWindowSize="64" enabled="true" />’.

  4. Save and close the file.

  5. Restart the AD FS service by running ‘net stop adfssrv’ and then ‘net start adfssrv’.
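The steps above edit the configuration file by hand. The following script, added here as an example and not part of the original post or of Microsoft's documentation, applies the same change programmatically: it backs up the file, sets the three attributes of the congestionControl element to the values given in step 3, saves the file and restarts the AD FS service. The post does not name the file inside %WINDIR%\adfs\config; the script assumes it is Microsoft.IdentityServer.ProxyService.exe.config and takes the path as a parameter so you can verify and override it on your own server.

```powershell
# Added example (not from the original post): set the less aggressive congestion
# control values from the procedure above and restart adfssrv.
# Assumption: the <congestionControl> element is in
# %WINDIR%\adfs\config\Microsoft.IdentityServer.ProxyService.exe.config on the
# Web Application Proxy server; the post does not state the file name, so check it.
param(
    [string]$ConfigFile = (Join-Path $env:WINDIR 'adfs\config\Microsoft.IdentityServer.ProxyService.exe.config'),
    [int]$LatencyThresholdInMSec = 8000,   # value from step 3 of the procedure
    [int]$MinCongestionWindowSize = 64     # value from step 3 of the procedure
)

if (-not (Test-Path -Path $ConfigFile)) {
    throw "Configuration file not found: $ConfigFile"
}

# Keep a timestamped backup so the change can be rolled back.
$backup = "$ConfigFile.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -Path $ConfigFile -Destination $backup
Write-Host "Backup written to $backup"

# Load the file as XML and locate the element regardless of its parent section.
[xml]$xml = Get-Content -Path $ConfigFile -Raw
$node = $xml.SelectSingleNode('//congestionControl')
if (-not $node) {
    throw "No <congestionControl> element found in $ConfigFile"
}
Write-Host "Before: $($node.OuterXml)"

# Relax the thresholds but keep throttling enabled, as in the procedure.
$node.SetAttribute('latencyThresholdInMSec', [string]$LatencyThresholdInMSec)
$node.SetAttribute('minCongestionWindowSize', [string]$MinCongestionWindowSize)
$node.SetAttribute('enabled', 'true')
$xml.Save($ConfigFile)
Write-Host "After:  $($node.OuterXml)"

# Equivalent of 'net stop adfssrv' followed by 'net start adfssrv'.
Restart-Service -Name adfssrv
Get-Service -Name adfssrv | Select-Object -Property Name, Status
```

Run it from an elevated PowerShell window on each Web Application Proxy server. Restarting adfssrv briefly interrupts extranet authentication, so apply the change to one proxy at a time when several sit behind a load balancer.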

Source: https://msdn.microsoft.com/en-us/library/azure/dn528859.aspx
