Home » IT - Microsoft » Requirements for deploying AD FS

Requirements for deploying AD FS

Escribe tu dirección de correo electrónico para suscribirte a este blog, y recibir notificaciones de nuevos mensajes por correo.

Join 5 other followers

February 2016
M T W T F S S
« Nov   Mar »
1234567
891011121314
15161718192021
22232425262728
29  

NO! A LOS TOROS

Disclaimer

All messages posted to this blog are provided "AS IS" with no warranties, and confer no rights. The content of this site are personal opinions and might not represent the Microsoft Corporation view. Regarding any sample code that we provide: This Sample Code is provided for the purpose of illustration only and is not intended to be used in a production environment. THIS SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. This blog serves 2 purposes. Firstly, I want to share information with other IT pros about the technologies we work with and how to solve problems we often face. Secondly, I use my blog as a notebook. There's so much to learn and remember in our jobs that it's impossible to keep up. By blogging, I have a notebook that I can access from anywhere. Anything you do to your IT infrastructure, applications, services, computer or anything else is 100% down to your own responsibility and liability. Mcselles bears no responsibility or liability for anything you do. Please independently confirm anything you read on this blog before doing whatever you decide to do.
Advertisements

For a new AD FS deployment to create a relying party trust successfully with Azure AD, you must first make sure that your corporate network infrastructure is configured to support AD FS requirements for accounts, name resolution, and certificates. AD FS has the following types of requirements:

AD FS software must be installed on any computer that you are preparing for the federation server or federation server proxy role. You can install this software by either using the AD FS Setup Wizard or by performing a quiet installation using the adfssetup.exe /quiet parameter at a command line.

For a base installation platform, AD FS requires either the Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 operating system. AD FS has a separate installation package for the Windows Server 2008, Windows Server 2008 R2 operating system platforms (and it is commonly referred to as AD FS 2.0) or it can be installed by adding the Federation Service server role as part of the Windows Server 2012 or Windows Server 2012 R2 operating system.

If you are using AD FS 2.0 or AD FS in Windows Server 2012, you will deploy and configure federation server proxies as part of implementing your SSO solution.

If you are using AD FS in Windows Server 2012 R2, you will deploy Web Application Proxies in order to configure your AD FS deployment for extranet access. In Windows Server 2012 R2, a Web Application Proxy, a new role service of the Remote Access server role, is used to enable your AD FS for accessibility from outside of the corporate network. For more information, see Web Application Proxy Overview.

During the AD FS installation process, the setup wizard attempts to automatically check for and, if necessary, install both prerequisite applications and dependent hotfixes. In most cases the setup wizard will install all of the prerequisite applications necessary for AD FS to operate and install.

However, there is one exception: when you are installing AD FS on the Windows Server 2008 platform (as a separate installation package known as AD FS 2.0). If this is the case in your deployment situation, you will first need to make sure that .NET 3.5 SP1 is installed on the servers running Windows Server 2008 before installing the AD FS 2.0 software, as it is a prerequisite of AD FS 2.0 and it will not automatically be installed by the AD FS 2.0 Setup Wizard on this platform. If .NET 3.5 SP1 is not installed, the AD FS 2.0 Setup Wizard will prevent installation of the AD FS 2.0 software.

You must install AD FS 2.0 hotfixes after you have installed AD FS 2.0. For more information, see Description of Update Rollup 2 for Active Directory Federation Services (AD FS) 2.0.

AD FS supports software virtualization of both the federation server and federation server proxy roles. To account for redundancy, we recommend that you store each AD FS virtual machine on separate, physical virtual servers.

For more information about setting up a virtual server environment using Microsoft virtualization technology, see the Hyper-V Getting Started Guide.

Certificates play the most critical role in securing communications between federation servers, Web Application Proxies, federation server proxies, the cloud service, and web clients. The requirements for certificates vary, depending on whether you are setting up a federation server,a Web Application Proxy, or federation server proxy computer, as described in the following tables.

Federation servers require the certificates in the following table.

 

Certificate type Description What you need to know before deploying

SSL certificate (also referred to as a Server Authentication Certificate) for AD FS in Windows Server 2012 R2

This is a standard Secure Sockets Layer (SSL) certificate that is used for securing communications between federation servers, clients, Web Application Proxy, and federation server proxy computers.

AD FS requires a certificate for SSL server authentication on each federation server in your federation server farm. The same certificate should be used on each federation server in a farm. You must have both the certificate and its private key available. For example, if you have the certificate and its private key in a .pfx file, you will be able import the file directly into the Active Directory Federation Services Configuration Wizard. This SSL certificate must contain the following:

  1. Subject name and subject alternative name must contain your federation service name, such as fs.contoso.com
  2. Subject alternative name must contain the value enterpriseregistration followed by the UPN suffix of your organization, such as, for example,enterpriseregistration.corp.contoso.com

SSL certificate (also referred to as a Server Authentication Certificate) for legacy versions of AD FS

This is a standard Secure Sockets Layercertificate that is used for securing communications between federation servers, clients, Web Application Proxy, and federation server proxy computers.

AD FS requires an SSL certificate when configuring federation server settings. By default, AD FS uses the SSL certificate configured for the Default Web Site in Internet Information Services (IIS).

The Subject name of this SSL certificate is used to determine the Federation Service name for each instance of AD FS that you deploy. For this reason, you may want to consider choosing a Subject name on any new certification authority (CA)-issued certificates that best represents the name of your company or organization to the cloud service and this name must be Internet-routable. For example, in the diagram provided earlier in this article (see “Phase 2”), the subject name of the certificate would be fs.fabrikam.com.

ImportantImportant
AD FS requires this SSL certificate to be without a dotless (short-name) Subject name.

Required: Because this certificate must be trusted by clients of AD FS and Microsoft cloud services, use an SSL certificate that is issued by a public (third-party) CA or by a CA that is subordinate to a publicly trusted root; for example, VeriSign or Thawte.

Token-signing certificate

This is a standard X.509 certificate that is used for securely signing all tokens that the federation server issues and that the cloud service will accept and validate.

The token-signing certificate must contain a private key, and it should chain to a trusted root in the Federation Service. By default, AD FS creates a self-signed certificate. However, depending on the needs of your organization, you can change this later to a CA-issued certificate by using the AD FS Management snap-in.

Recommendation: Use the self-signed token-signing certificate generated by AD FS. By doing so, AD FS will manage this certificate for you by default. For example, in case this certificate is expiring, AD FS will generate a new self-signed certificate to use ahead of time.

CautionCaution
The token-signing certificate is critical to the stability of the Federation Service. In case it is changed, the cloud service needs to be notified about this change. Otherwise, the requests to the cloud service will fail. For more information about managing certificates across the AD FS federation server farm and the cloud service, see Update trust properties.

Federation server proxies require the certificate in the following table.

 

Certificate type Description What you need to know before deploying

SSL certificate

This is a standard SSL certificate that is used for securing communications between a federation server, federation server proxy or Web Application Proxy, and Internet client computers.

This is same server authentication certificate as the one used by the federation servers in the corporate network. This certificate must have the same subject name as the SSL certificate configured on the federation server in the corporate network.

If you are using AD FS in Windows Server 2008 or Windows Server 2012, you must install this certificate on the Default Web Site of the federation server proxy computer.

If you are using AD FS in Windows Server 2012 R2, you must import this certificate to the Personal Certificates store on the computer that will function as your Web Application Proxy.

Recommendation: Use the same server authentication certificate as is configured on the federation server that this federation server proxy or Web Application Proxy will connect to.

For more information about the certificates that federation servers and federation server proxies use, see AD FS 2.0 Design Guide or Windows Server 2012 AD FS Design Guide.

Configuring the following network services appropriately is critical for successful deployment of AD FS in your organization.

For AD FS to function, TCP/IP network connectivity must exist between the client, domain controllers, federation servers, and federation server proxies.

The primary network service that is critical to the operation of AD FS, other than Active Directory, is Domain Name System (DNS). When DNS is deployed, users can use friendly computer names that are easy to remember to connect to computers and other resources on IP networks.

The process of updating DNS to support AD FS consists of configuring the:

  • Internal DNS servers in the corporate network to resolve the cluster DNS name to the cluster IP address for the NLB cluster you configure on the corporate network NLB host. For example, resolving fs.fabrikam.com to 172.16.1.3. 
  • Perimeter network DNS servers to resolve the cluster DNS name to the cluster IP address for the NLB cluster you configure on the perimeter NLB host. For example, resolving fs.fabrikam.com to 192.0.2.3.

NLB is required to provide fault tolerance, high availability, and load-balancing across multiple nodes. It can be implemented with hardware, software, or a combination of both. You need to configure the DNS resource records based on your Federation Service name for the NLB cluster so that the fully qualified domain name (FQDN) of the cluster (also referred to as cluster DNS name in this article) will be resolved to its cluster IP address.

For general information about the NLB cluster IP address or cluster FQDN, see Specifying the Cluster Parameters.

If your computers have Extended Protection for Authentication, and you use Firefox, Chrome, or Safari, you may not be able to sign in to the cloud service using Integrated Windows authentication from within the corporate network. If this situation occurs, your users might receive logon prompts on a regular basis. This is due to the default configuration (on Windows 7 and patched client operating systems) for AD FS and Extended Protection for Authentication.

Until Firefox, Chrome, and Safari support Extended Protection for Authentication, the recommended option is for all clients accessing the cloud service to install and use Windows Internet Explorer 8. If you want to use single sign-on for the cloud service with Firefox, Chrome, or Safari, there are two other solutions to consider. However, there may be security concerns in taking either of these approaches. For more information, see Microsoft Security Advisory: Extended protection for authentication. The solutions include:

  • Uninstalling the Extended Protection for Authentication patches from your computer.
  • Changing the Extended Protection for Authentication setting on the AD FS server. For more information, see Configuring Advanced Options for AD FS 2.0.
  • Reconfiguring the authentication settings for the AD FS webpage on each federation server from Integrated Windows authentication to using Forms Based Authentication.

Source: https://msdn.microsoft.com/en-us/library/azure/dn151311.aspx

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Microsoft on the Issues

News and perspectives on legal, public policy and citizenship topics

Mike Crowley's Whiteboard

“There are no limits to what you can accomplish when you are supposed to be doing something else."

T.B.D.

There Be Dragons

Ken Cenerelli

My life in software development

VMware, Windows, Virtualization (Servers & Desktops)

VMware, Windows, Virtualization (Servers & Desktops)

Just a random "Microsoft Server / Client Tech" info..

"Feeding Your Training and Technology Obsessions"

WordPress.com

WordPress.com is the best place for your personal blog or business site.

DocSharing

Documentación técnica, notas y apuntes sobre Administración de Sistemas, Servidores, Redes y más

Microsoft Taste

Mary's Blog

%d bloggers like this: