Active Directory Federation Services (AD FS) is the Microsoft technology that bridges your on-premises identity systems to cloud identity providers like Azure Active Directory. Colleagues depend on a reliable, yet cost-effective deployment of AD FS, and it’s our job as IT Pros to make it happen. This session covers the 10 most common mistakes we see in the field in organizations that have deployed AD FS and performed a hybrid identity deployment. Learn from their mistakes, so you don’t have to make them.
ITPROCEED_TransformTheDatacenter_ten most common mistakes when deploying adfs and hybrid identity
1. Ten most common mistakes with AD FS and Hybrid Identity
Sander Berkouwer
Tweet and win an Ignite 2016 ticket #itproceed #activedirectory #hybrididentity
2. Agenda
Federation
A small primer on the open protocols used today for federating identity and achieving hybrid identity
Most common mistakes
when planning, deploying and operating AD FS
… and how to avoid them, to get the most out of your hybrid identity implementation
4. Why we need federation
NTLM and Kerberos
Kerberos (1993) was designed for ‘safe’ networks
NTLM and Kerberos have serious problems
Active Directory
Active Directory domain memberships are typically Windows-only
Domain trusts leak information and scale badly
Granular device-agnostic authentication
We need device-agnostic, open protocols, designed for the web
We need multi-factor authentication
6. Behind the mist
[Diagram: the hybrid identity flow. On premises: Active Directory Domain Services, Active Directory Federation Services and the Directory Synchronization Tool. In Azure: Azure Active Directory, the Azure Active Directory Management API and an Azure Active Directory integrated Application. An Active Directory Federation Trust links AD FS and Azure Active Directory across the Internet; the Colleague’s sign-in passes through numbered steps 1 to 8 between these components. The step descriptions are not recoverable from the transcript.]
7. Federation benefits
SAML and Oauth2 are Internet-ready
Transport over Universal Firewall Bypass Protocol (TCP 443)
Tickets are compressed, optionally encrypted
Relying Party trusts are very flexible
Ticket content and authentication is defined per relying party trust
Relying party trusts are flexible and scalable
Multi-factor authentication
AD FS in Windows Server 2012 R2 is extensible
Extensions are configurable per relying party trust, per network
9. 1. AD FS when you don’t need it
Some organizations need their own AD FS infrastructure
Local authentication requirements (legal, multi-factor authentication)
Local authentication possibilities (claims issuance, transformation rules)
Azure Active Directory with Password Sync
2488 Software-as-a-Service apps in the Azure Active Directory App Gallery
Easily configure Single Sign-On and user account management
Azure Active Directory
Azure Active Directory Free may contain up to 500,000 accounts
Federating with up to 5 apps is free. Online accounts may suffice
10. 2. Build upon an unhealthy Active Directory
Attribute integrity and lingering objects
Objects, attributes on some Domain Controllers, not on others
Resulting in unpredictable AD FS authentication
Private top level domains
DNS Domain Name for domains ending with .local, .int
User Principal Name (UPN) needs to be added and changed
UPN syntax mismatches
Critical for solutions with Directory Sync Tool / Azure Active Directory Sync
Use the IdFix DirSync Error Remediation Tool
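The UPN problems on this slide (missing UPNs, non-routable suffixes such as .local, UPNs that differ from the mail address) are exactly what breaks directory synchronization. The following script is an added example, not part of the deck or of IdFix; it reports those conditions for enabled users with the ActiveDirectory module, and the domain names (contoso.com, the remediation suffix) are placeholders you replace with your own verified domains.

```powershell
# Added example (not from the deck): report UPN conditions that break directory sync.
# Requires the ActiveDirectory module; 'contoso.com' is a placeholder for a verified domain.
Import-Module ActiveDirectory

$routableSuffixes = @('contoso.com')     # suffixes verified in Azure AD (assumption)

$forest = Get-ADForest
Write-Host "Forest root: $($forest.RootDomain); registered UPN suffixes: $($forest.UPNSuffixes -join ', ')"

$findings = foreach ($user in Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName, mail) {
    $upn = $user.UserPrincipalName
    if ([string]::IsNullOrEmpty($upn)) {
        [pscustomobject]@{ Sam = $user.SamAccountName; Issue = 'UPN missing'; Value = $null }
        continue
    }
    $suffix = $upn.Split('@')[-1]
    if ($suffix -notin $routableSuffixes) {
        # .local, .int and other private suffixes cannot be verified in Azure AD
        [pscustomobject]@{ Sam = $user.SamAccountName; Issue = 'Non-routable UPN suffix'; Value = $upn }
    }
    if ($user.mail -and ($user.mail -ne $upn)) {
        # Users sign in with the UPN; a mismatch with the mail address causes confusion and helpdesk calls
        [pscustomobject]@{ Sam = $user.SamAccountName; Issue = 'UPN does not match mail'; Value = "$upn <> $($user.mail)" }
    }
}

$findings | Format-Table -AutoSize

# Remediation, deliberately commented out so the report stays read-only:
# 1. Register the routable suffix in the forest once:
#    Set-ADForest -Identity $forest -UPNSuffixes @{Add='contoso.com'}
# 2. Re-suffix the affected users (drop -WhatIf once the output looks right):
#    $findings | Where-Object Issue -eq 'Non-routable UPN suffix' | ForEach-Object {
#        $new = $_.Value.Split('@')[0] + '@contoso.com'
#        Set-ADUser -Identity $_.Sam -UserPrincipalName $new -WhatIf
#    }
```

Run it before the first synchronization and again after any domain migration; the report is read-only, and the remediation block is kept commented so nobody changes thousands of UPNs by accident.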
11. 3. The AD FS Service Account
Password changes, security implications
AD FS is usually Internet-facing, so it benefits from extra security
We want regular password changes, host restrictions, etc.
group Managed Service Accounts (gMSAs)
gMSAs solve ‘the service account problem’ for farms, AD FS supported
gMSAs offer Automatic SPN and password management
Windows Server 2008 DFL
2008 Domain Functional Level offers automatic SPN management
Windows 8 and Windows Server 2012 (and up) offer Cmdlets
12. 4. Designing the right AD FS infrastructure
AD FS Server Farms
AD FS can easily be deployed highly available, if need be with Windows NLB
AD FS Proxies / Web App Proxies can be deployed in perimeter networks
Windows Internal Database or SQL Server
A WID farm has a limit of five federation servers and does not support token replay detection or artifact resolution
SQL Server High Availability
Take advantage of your existing SQL Server investments
Take advantage of database mirroring, failover clustering, monitoring
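Slides 11 and 12 together describe the service account and farm design choices. This is an added example, not a script from the deck: it creates a group Managed Service Account for the AD FS farm and then installs the first federation server as a SQL Server farm using that gMSA. The names (CONTOSO, adfs.contoso.com, svc-adfs, ADFS-Servers, ADFS01/ADFS02, sql01.contoso.com) and the certificate thumbprint are placeholders.

```powershell
# Added example (not the deck's own script): gMSA for the AD FS farm, then the first
# farm node as a SQL farm. All host, account and group names are placeholders.
Import-Module ActiveDirectory

# 1. The KDS root key is a one-time forest prerequisite for gMSAs. Even with
#    -EffectiveImmediately the key is usable only after ~10 hours of replication;
#    for a lab only, -EffectiveTime ((Get-Date).AddHours(-10)) skips that wait.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 2. Only the farm's computer accounts may retrieve the managed password. A group keeps
#    that permission stable when servers are added or retired.
$farmGroup = 'ADFS-Servers'
if (-not (Get-ADGroup -Filter "Name -eq '$farmGroup'")) {
    New-ADGroup -Name $farmGroup -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $farmGroup -Members 'ADFS01$', 'ADFS02$'

# 3. The gMSA: the SPN for the federation service name is registered up front and the
#    password is rotated by the KDS (30 days here), never typed or known by anyone.
$fsName = 'adfs.contoso.com'
$gmsaParams = @{
    Name                                       = 'svc-adfs'
    DNSHostName                                = $fsName
    ServicePrincipalNames                      = "host/$fsName"
    PrincipalsAllowedToRetrieveManagedPassword = $farmGroup
    ManagedPasswordIntervalInDays              = 30
}
New-ADServiceAccount @gmsaParams

# 4. On each federation server, after a reboot so its group membership is refreshed:
#    Install-WindowsFeature ADFS-Federation
#    Install-ADServiceAccount -Identity 'svc-adfs'
#    Test-ADServiceAccount -Identity 'svc-adfs'     # must return True before the farm install

# 5. First farm node. -SQLConnectionString makes this a SQL farm (no five-node limit,
#    token replay detection and artifact resolution available); omit it for a WID farm.
$farmParams = @{
    CertificateThumbprint         = '<thumbprint of the service communication certificate>'
    FederationServiceName         = $fsName
    FederationServiceDisplayName  = 'Contoso Corporation'
    GroupServiceAccountIdentifier = 'CONTOSO\svc-adfs$'
    SQLConnectionString           = 'Data Source=sql01.contoso.com;Integrated Security=True'
}
Install-AdfsFarm @farmParams
```

Additional nodes join with Add-AdfsFarmNode using the same -GroupServiceAccountIdentifier and -SQLConnectionString values; because the password lives in the KDS, no credential ever has to be shared between the nodes.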
13. 5. Skewed Time Synchronization
Time Sync within an Active Directory environment
W32time follows Active Directory hierarchy and sites configuration
Set the time for an environment through the PDCe
Time Sync within Virtual Machines
Virtual machines always sync time with host on boot
Continuous time sync is configured with VMware tools, Hyper-V ICs, etc.
Time Sync within Perimeter Networks
Could be virtual machine time sync, could be an external source
Will be none, if you don’t configure it…
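To catch the skew this slide warns about before tokens start failing, the following added example (not from the deck) measures the offset between the local server, the PDC emulator at the top of the AD time hierarchy, and reports which source W32time is actually using; a perimeter server that never got a source shows the local CMOS clock. It assumes the ActiveDirectory module and WinRM access to the PDCe; the NTP pool names in the remediation comments are placeholders.

```powershell
# Added example (not from the deck): clock skew check for an AD FS or Web Application Proxy server.
Import-Module ActiveDirectory

$maxSkewSeconds = 60          # Kerberos tolerates 300 s; a minute is a sensible warning line

$pdce = (Get-ADDomain).PDCEmulator

# Compare UTC clocks; WinRM round-trip latency is milliseconds and can be ignored here
$pdceTime  = Invoke-Command -ComputerName $pdce -ScriptBlock { (Get-Date).ToUniversalTime() }
$localTime = (Get-Date).ToUniversalTime()
$skew = [math]::Abs(($localTime - $pdceTime).TotalSeconds)

# "Local CMOS Clock" or "Free-running System Clock" means no time source is configured at all,
# the classic perimeter-network finding on this slide
$source = (w32tm /query /source) -join ''

[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    PDCEmulator = $pdce
    SkewSeconds = [math]::Round($skew, 2)
    TimeSource  = $source
    Healthy     = ($skew -le $maxSkewSeconds) -and ($source -notmatch 'CMOS|Free-running')
} | Format-List

# Remediation, on the PDCe only (it anchors the AD time hierarchy; pool names are placeholders):
#   w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
#   w32tm /resync
# On a Hyper-V guest that must follow the domain rather than its host, disable the host
# time provider in the guest and point W32time at the domain hierarchy:
#   Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider' -Name Enabled -Value 0
#   w32tm /config /syncfromflags:domhier /update
#   Restart-Service w32time
# A perimeter server with no domain membership needs the /manualpeerlist form above instead.
```

Scheduling this on every federation server and proxy, and alerting when Healthy is false, turns a silent failure mode into a ticket before users see "token not yet valid" errors.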
14. 6. Certificate Distrust
Certificates in use by AD FS
Token-signing and token-decryption certificates
Service communication certificate
Certificates with 1024-bit key length
Certificates under 1024 bits key length are blocked
Request and use certificates with 2048-bit key length throughout the chain
Certificates with SHA-1 hash algorithm
Starting 2016, SHA-1 will be deprecated
Request and use certs with SHA-2 hash algorithms throughout the chain
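The two rules on this slide (2048-bit RSA keys and SHA-2 signatures, both throughout the chain) are easy to check before a certificate is bound to AD FS. The function below is an added example and not from the deck; it walks the chain of any X509Certificate2 and flags weak elements. The file path is a placeholder, and the last, commented part assumes the ADFS module on a federation server, where Get-AdfsCertificate exposes each certificate in its Certificate property.

```powershell
# Added example (not from the deck): key length and hash algorithm check across a certificate chain.
function Test-CertificateStrength {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )

    # Build the chain the way a relying party would, so intermediates are checked as well.
    # Revocation is a separate concern; this function looks at strength only.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void] $chain.Build($Certificate)

    foreach ($element in $chain.ChainElements) {
        $cert   = $element.Certificate
        $isRoot = ($cert.Subject -eq $cert.Issuer)

        # RSA keys are assumed (AD FS token certificates are RSA); non-RSA keys report 0 for manual review
        $keyBits = try { $cert.PublicKey.Key.KeySize } catch { 0 }
        $sigAlg  = $cert.SignatureAlgorithm.FriendlyName        # e.g. sha1RSA, sha256RSA

        [pscustomobject]@{
            Subject  = $cert.Subject
            KeyBits  = $keyBits
            SigAlg   = $sigAlg
            NotAfter = $cert.NotAfter
            # A self-signed root's own signature is never verified by clients (trust comes from the
            # store), so SHA-1 on the root alone is not a finding; SHA-1 anywhere below it is.
            Weak     = ($keyBits -lt 2048) -or (($sigAlg -match '^sha1') -and -not $isRoot)
        }
    }
}

# Offline check of an exported certificate (path is a placeholder)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList 'C:\temp\adfs.cer'
Test-CertificateStrength -Certificate $cert | Format-Table -AutoSize

# On a federation server: token-signing, token-decrypting and service communication certificates
# Get-AdfsCertificate | ForEach-Object {
#     $type = $_.CertificateType
#     Test-CertificateStrength -Certificate $_.Certificate |
#         Select-Object @{ n = 'Type'; e = { $type } }, *
# } | Format-Table -AutoSize
```

Any row with Weak set to True means a new request with a 2048-bit key and a SHA-2 signature, and, if the weak element is an issuing CA, a conversation with whoever runs that CA.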
15. 7. Forget Enterprise Registration
AD FS in Windows Server 2012 R2
Many new features!
Workplace Join
Device-agnostic silent Single Sign-On (SSO)
Employees verify devices, enroll a certificate, get cookie
EnterpriseRegistration
WorkPlace Join AutoDiscover requires DNS Record per UPN Suffix
Use enterpriseregistration.domain.tld as Subject Alternative Name
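Because Workplace Join looks up enterpriseregistration.<UPN suffix> for each suffix in use, the check has to be repeated per suffix and the name must also be on the certificate. The script below is an added example, not part of the deck: it enumerates the forest's UPN suffixes, resolves the CNAME for each and inspects the Subject Alternative Name extension of the service communication certificate. The federation service name and certificate file path are placeholders; the ActiveDirectory and DnsClient modules are assumed.

```powershell
# Added example (not from the deck): Enterprise Registration DNS and SAN check per UPN suffix.
Import-Module ActiveDirectory

$fsName = 'adfs.contoso.com'                     # placeholder federation service name
$forest = Get-ADForest

# Every suffix a UPN can carry: root domain, child domains and explicitly registered suffixes
$suffixes = @($forest.RootDomain) + @($forest.Domains) + @($forest.UPNSuffixes) |
    Where-Object { $_ -notmatch '\.(local|int|lan)$' } |     # private suffixes cannot have a public record (mistake 2)
    Sort-Object -Unique

# Subject Alternative Names of the service communication certificate (extension OID 2.5.29.17)
$cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList 'C:\temp\adfs.cer'
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }   # "DNS Name=adfs.contoso.com, DNS Name=..."

foreach ($suffix in $suffixes) {
    $record = "enterpriseregistration.$suffix"
    $cname  = Resolve-DnsName -Name $record -Type CNAME -ErrorAction SilentlyContinue |
              Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1
    [pscustomobject]@{
        UpnSuffix   = $suffix
        Record      = $record
        CNameTarget = $cname.NameHost
        DnsOk       = ($cname.NameHost -eq $fsName)
        SanOk       = ($sanText -match [regex]::Escape($record))
    }
}

# Missing record, on the DNS server authoritative for the suffix:
#   Add-DnsServerResourceRecordCName -ZoneName $suffix -Name 'enterpriseregistration' -HostNameAlias $fsName
# Missing SAN: request a new service communication certificate that lists every record name.
```

A row with DnsOk false and SanOk false is the usual state after a new UPN suffix was added for a merger or rebranding and nobody revisited AD FS.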
16. 8. Windows Updates, anyone?
AD FS is regularly updated
Security updates, like MS15-062
Scalability and stability updates
AD FS uses Windows Update
AD FS updates don’t require Microsoft Update :-)
AD FS updates only light up after installing the Server Role
Wait, test, then deploy updates
Wait two weeks before deploying updates, or
Deploy updates to a test network before production
17. 9. Best Practices Analyzers
Best Practices Analyzers
Part of Server Manager in Windows Server 2008 R2 and up
Avoid 90% of situations with data or functionality loss
AD FS Best Practices Analyzer
Checks the Active Directory Federation service
Will be updated with additional checks in the future
Other BPAs of use:
Active Directory Domain Services Best Practices Analyzer
Active Directory Certificate Services Best Practices Analyzer
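The three analyzers named on this slide can be run unattended with the BestPractices module. This is an added example, not from the deck: it selects the models by name pattern instead of hard-coding model IDs (they vary per Windows Server version), runs each scan and keeps only warnings and errors, returning a non-zero exit code when any error-severity finding exists.

```powershell
# Added example (not from the deck): run the AD FS, AD DS and AD CS Best Practices Analyzers
# and surface only actionable results. Run as administrator on the server that hosts the role.
Import-Module BestPractices

$models = Get-BpaModel | Where-Object { $_.Id -match 'ADFS|DirectoryServices|CertificateServices' }

$results = foreach ($model in $models) {
    Invoke-BpaModel -ModelId $model.Id | Out-Null        # runs the scan; results are stored per model
    Get-BpaResult -ModelId $model.Id |
        Where-Object { $_.Severity -ne 'Information' } |
        Select-Object @{ n = 'Model'; e = { $model.Id } }, Severity, Category, Title, Resolution
}

$results | Sort-Object Severity | Format-Table -AutoSize -Wrap

# Gate a deployment or change window on a clean scan: errors fail the run, warnings are reported
if ($results | Where-Object { $_.Severity -eq 'Error' }) { exit 1 }
exit 0
```

The Resolution column carries the analyzer's own fix guidance, so the table doubles as a work list; models installed on the server but not matching the pattern (DNS Server, Hyper-V) are left out on purpose.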
18. 10. Processes, processes, processes
Monitoring of the AD FS Service
Check the availability and/or usage of the AD FS infrastructure
Use System Center Operations Manager with GSM, Azure Operational Insights and/or the Azure Active Directory Connect Health Service *
Auditing of the AD FS Service
AD FS offers built-in auditing and logging of errors, warnings, information
Auditing of claims issuance
Logging of success and failure audits
Log suspicious or unintended activity
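AD FS on Windows Server 2012 R2 only writes success and failure audits when both AD FS and Windows are told to; the following added example (not from the deck) enables both and then summarizes the resulting Security-log events and the AD FS admin channel for review. It assumes the ADFS module on a federation server, that the service account already holds the "Generate security audits" user right (Install-AdfsFarm grants it), and that the review period of 24 hours suits you.

```powershell
# Added example (not from the deck): enable and review AD FS auditing on Windows Server 2012 R2.

# 1. AD FS side: add success and failure audits to whatever log levels are already active
$levels = ((Get-AdfsProperties).LogLevel + @('SuccessAudits', 'FailureAudits')) | Sort-Object -Unique
Set-AdfsProperties -LogLevel $levels

# 2. Windows side: audits reach the Security log only when the "Application Generated"
#    subcategory is audited (and the service account has SeAuditPrivilege, granted at install)
auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable
Restart-Service adfssrv

# 3. Review: count AD FS audit events from the Security log by event ID, with a sample message line
function Get-AdfsAuditSummary {
    param([int] $Hours = 24)
    $filter = @{
        LogName      = 'Security'
        ProviderName = 'AD FS Auditing'
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object Id |
        Select-Object @{ n = 'EventId'; e = { $_.Name } },
                      Count,
                      @{ n = 'Example'; e = { "$($_.Group[0].Message)".Split("`n")[0] } } |
        Sort-Object Count -Descending
}
Get-AdfsAuditSummary | Format-Table -AutoSize -Wrap

# 4. Operational errors and warnings live in the AD FS admin channel, not the Security log
Get-WinEvent -LogName 'AD FS/Admin' -MaxEvents 50 |
    Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap
```

Forward the Security log to the monitoring platform named on this slide rather than reading it on the box; a sudden rise in one failure event ID across the farm is the signal that the slide's "suspicious or unintended activity" refers to.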
20. Avoid the mistakes and you’ll be fine
1. Don’t build AD FS when you don’t need to
2. Don’t build upon an unhealthy Active Directory
3. Use gMSAs instead of ‘ordinary’ service accounts for AD FS
4. Design the right infrastructure
5. Take care of adequate time synchronization
6. Use certificates with 2048+ bit key length and SHA-2 algorithm
7. Don’t forget to plan for Enterprise Registration
8. Don’t forget to install Windows Update
9. Don’t forget to use the Best Practice Analyzers
10. Monitor, audit and backup the AD FS infrastructure
21. Rules of thumb
AD FS is an extension to Active Directory
Make sure Active Directory is healthy
Rename, migrate or restructure .local domains
Plan your AD FS implementation
Set requirements, plan accordingly, deploy securely
Take care of adequate time synchronization
Don’t forget to manage AD FS
Use the Best Practices Analyzers (BPAs)
Take care of information security, like monitoring, auditing, backup
22. And win a Lumia 635
Feedback form will be sent to you by email
Give me feedback