AD FS 2.0 Workshop – High-availability platform complete walkthrough

Active Directory Federation Services (AD FS) 2.0 helps simplify access to applications and other systems with an open and interoperable claims-based model. The AD FS 2.0 platform provides a fully redesigned Windows-based Federation Service that supports the WS-Trust, WS-Federation, and Security Assertion Markup Language (SAML) protocols.

This workshop is designed to help to set up an High-Availability AD FS 2.0 platform through a step by step tutorial.

1. Resources

1.1. Architecture Diagram

1.2. Hardware

1.2.1. Federation Servers

In order to ensure in high availability service, two Windows Server 2008 R2 Standard US servers are used. Here’s a summary of the hardware configurations used:

NOTE: Due to NLB requirements, Network adapter MAC addresses must be static.

1.2.2. Federation Server Proxies

In order to ensure in high availability service, two Windows Server 2008 R2 Standard US servers are used. Here’s a summary of the hardware configurations used:

NOTE: Due to NLB requirements, Network adapter MAC addresses must be static.

1.3. Software

1.3.1. Federation Servers

The following software components are required on the federation servers:

• Windows 2008 R2 Standard US fully patched installation
• An Active Directory domain to join the servers in
• To reduce the infrastructure costs and given the low level of material resources required, both federation servers will be promoted Domain Controllers.
• An ADFS domain service account (here ‘FEDERATION\svc_adfs’)
• The latest .NET Framework, here the v. 4.5 is used
• IIS web server
• Windows Identity Foundation
• Microsoft SQL Server 2008 R2 Standard Edition (Express Edition can do the job but it would be a SPOF)
• ADFS 2.0 RTW
• Microsoft Network Load Balancing service

1.3.2. Federation Server Proxies

The following software components are required on the federation server proxies:

• Windows 2008 R2 Standard US fully patched installation
• The latest .NET Framework, here the v. 4.5 is used
• IIS web server
• Windows Identity Foundation
• ADFS 2.0 RTW
• Microsoft Network Load Balancing service

2. Installation Prerequisites

2.1. Federation Servers

2.2. Federation Server Proxies

3. Installation

3.1. Federation Servers

3.1.1. Installation of the AD FS 2.0 Software

3.1.2. SSL certificates requirements creation for the federation service

3.1.3. Creation of the first federation server in a new federation server farm

3.1.4. Addition of the second federation server in the existing federation server farm

3.1.5. Installation and configuration of the Windows Network Load-Balancing feature

3.1.6. Database mirroring

In order to remove the SPOF implied by the unique database that contains the AD FS configuration, a MS SQL Server databases mirroring is implemented.

3.1.6.1. The SQL part

3.1.6.2. The AD FS part

Now the ‘AdfsConfiguration’ and ‘AdfsArtifactStore’ databases are mirrored, we have to update the AD FS connection string to make the AD FS Service aware of this configuration and make it able to get its configuration from the principal server or its partner if the principal server is down.

1. Stop the first AD FS Server with the following command:

   net stop adfssrv
   

2. Open a PowerShell Console and run the following commands (be sur to replace the ‘PrincipalSqlServerName’ and ‘MirrorSQLServerName’ values in the connection string with your Principal and Mirror servers IP addresses or FQDNs):

   $temp=Get-WMIObject -namespace root/ADFS -class SecurityTokenService
   $temp.ConfigurationdatabaseConnectionstring="Data Source=PrincipalSqlServerName; Failover Partner=MirrorSQLServerName;Initial Catalog=AdfsConfiguration;Integrated Security=true"
   $temp.put()
   

3. Start the first AD FS Server with the following command:

   net start adfssrv
   

4. Repeat these steps on the second AD FS server
5. Update the AD FS Artifact Store configuration by running the following PowerShell commands (be sur to replace the ‘PrincipalSqlServerName’ and ‘MirrorSQLServerName’ values in the connection string with your Principal and Mirror servers IP addresses or FQDNs):

   Add-PSSnapin Microsoft.ADFS.Powershell
   Set-adfsproperties –artifactdbconnection "Data Source=PrincipalSqlServerName; Failover Partner=MirrorSQLServerName;Initial Catalog=AdfsArtifactStore;Integrated Security=true"
   

3.2. Federation Server Proxies

3.2.1. SSL certificate installation

3.2.2. Installation of the AD FS 2.0 Software

3.2.3. Configuration of the AD FS Reverse Proxy Servers

3.2.4. Installation and configuration of the Windows Network Load-Balancing feature

4. Documentation and resources

4.1. Official documentation

4.1.1. Technet

• Active Directory Federation Services (AD FS) 2.0: http://technet.microsoft.com/en-us/library/adfs2%28v=ws.10%29.aspx
• Active Directory Federation Services Overview: http://technet.microsoft.com/en-us/library/hh831502.aspx
• AD FS 2.0 Deployment Guide: http://technet.microsoft.com/en-us/library/dd807092%28v=ws.10%29.aspx
• AD FS 2.0 Troubleshooting Guide: http://technet.microsoft.com/fr-fr/library/adfs2-troubleshooting-guide%28v=ws.10%29.aspx

4.1.2. MSDN

• Customizing the AD FS 2.0 Sign-In Pages Using Web.config: http://msdn.microsoft.com/en-us/library/ee895366.aspx
• Using Active Directory Federation Services 2.0 in Identity Solutions: http://msdn.microsoft.com/en-us/magazine/ee335705.aspx

4.2. Misc online resources

• Claims-Based Identity Blog: http://blogs.msdn.com/b/card/
• MS MVP® Jorge de Almeida Pinto: http://jorgequestforknowledge.wordpress.com
• Pipe2Text.com: http://pipe2text.com
• Steve on Security: http://www.syfuhs.net

4.3. Utilities

4.3.1. Windows PowerShell

In addition to graphical user interface (GUI) tools, such as the AD FS 2.0 Management snap-in for Microsoft Management Console (MMC), you can use the Windows PowerShell™ cmdlets that are included with AD FS 2.0 as an optional toolset to configure and administer AD FS.
First thing to do is to register the cmdlets to the PowerShell session. Here’s the command:

Add-PSSnapin Microsoft.Adfs.PowerShell

4.3.2. AD FS Diagnostic Tool

The tool is very simple to use and provides a graphical UI. In order to perform distributed diagnosis, i.e. diagnose failures based on the configuration of multiple machines in the scenario, it’s necessary to copy the out file generated by the tool each time it’s run and use it as an input/output file when running the tool on the next machine.

http://blogs.technet.com/b/adfs/archive/2007/11/01/adfs-diagnostic-tool.aspx

4.3.3. Active Directory Migration Tool (ADMT)

The Active Directory Migration Tool (ADMT) can be used to migrate users, groups, managed service accounts, and computers between Active Directory domains in different forests (interforest migration) or between Active Directory domains in the same forest (intraforest migration).

It’s also usefull to perform object migrations and security translation as necessary so that users can maintain access to network resources during the migration process.

http://technet.microsoft.com/en-US/library/cc974332%28v=ws.10%29.aspx

5. Then, what’s next?

• AD FS 2.1 (Windows 2012): http://technet.microsoft.com/en-us/library/hh831502.aspx#BKMK_NEW
• Changes in AD FS 2.1 from AD FS 2.0: http://msinnovations.wordpress.com/2012/11/08/changes-in-adfs-2-1-from-adfs-2-0/