Federation Services with AD FS
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Managing Windows Servers in Hybrid Environments: Federation Services with AD FS
Introduction: The Bridge Between On-Premises and Cloud
In the modern enterprise landscape, the traditional perimeter-based security model has largely vanished. Organizations no longer operate solely within the confines of a physical data center; they exist in a hybrid state, spanning local Windows Server environments and cloud-based platforms like Microsoft Azure. This transition creates a significant identity challenge: how do you allow users to access cloud-based applications using the same credentials they use to log into their local workstations?
This is where Active Directory Federation Services (AD FS) becomes a critical component of your infrastructure. AD FS is a software component developed by Microsoft that can be installed on Windows Server operating systems to provide users with single sign-on (SSO) access to systems and applications located across organizational boundaries. Instead of replicating your entire user database to the cloud, AD FS allows you to verify identities against your local Active Directory and issue "claims" or tokens to cloud services.
Understanding AD FS is vital for any systems administrator or cloud architect because it represents the gold standard for identity federation in Windows-centric environments. It enables a "log in once, access everything" experience, which is not only a major productivity booster for end-users but also a critical security control. When you manage identity centrally, you reduce the risk of orphaned accounts, simplify password management, and ensure that when an employee leaves the company, their access is revoked everywhere simultaneously.
Understanding the Core Concepts of Federation
To work effectively with AD FS, you must first understand the terminology. Federation is essentially a trust relationship between two parties: the Identity Provider (IdP) and the Relying Party (RP).
- Identity Provider (IdP): This is the system that holds the source of truth for user identities. In our context, this is your on-premises Active Directory Domain Services (AD DS). AD FS acts as the broker that authenticates the user against this directory.
- Relying Party (RP): This is the application or service that trusts the Identity Provider to authenticate the user. Common examples include Microsoft 365, Azure AD (now Microsoft Entra ID), or even third-party SaaS applications like Salesforce or Dropbox.
- Claims: When a user authenticates, AD FS issues a security token containing "claims." A claim is essentially a statement about the user, such as their email address, group membership, or department. The Relying Party reads these claims to decide what level of access to grant the user.
- Trust Relationship: This is the cryptographic bridge between the IdP and the RP. It involves exchanging public keys so that the Relying Party can verify that the tokens it receives were truly issued by your AD FS server and have not been tampered with.
Callout: Authentication vs. Authorization It is common to confuse authentication and authorization, but in the context of AD FS, the distinction is crucial. Authentication is the process of verifying who the user is (e.g., checking their password). Authorization is the process of determining what the user is allowed to do once they are inside the application. AD FS handles the authentication and provides the necessary claims, but the application itself is usually responsible for the final authorization decision based on those claims.
Why Use AD FS in a Hybrid Environment?
You might ask why you wouldn't simply synchronize all your users to the cloud and let the cloud provider handle the authentication. While password hash synchronization (PHS) is a valid and simpler approach for many organizations, AD FS offers specific advantages for high-security or highly regulated environments.
- Authentication Control: With AD FS, authentication always happens on-premises. Your passwords never leave your data center, and the authentication process is handled by your internal servers. This is often a regulatory requirement for banks, healthcare providers, or government agencies.
- Advanced Authentication Policies: AD FS allows for granular authentication policies. You can require multi-factor authentication (MFA) based on the user's location, the application they are accessing, or the device they are using.
- Authentication Bridging: AD FS can act as a bridge between different authentication protocols. For example, your internal apps might use Kerberos, while your cloud apps use SAML (Security Assertion Markup Language). AD FS converts these protocols, allowing you to use a single identity source across diverse technical stacks.
- Instant Revocation: Because authentication is checked against the local directory at the time of access, disabling a user account in your local Active Directory provides near-instant access revocation across all federated services.
Planning Your AD FS Infrastructure
Deploying AD FS is not a task to be taken lightly. Because it sits at the heart of your authentication flow, a failure in your AD FS farm can result in a total blackout of access to your business applications. Proper planning involves considering high availability, security, and scalability.
The Role of the Web Application Proxy (WAP)
You should never expose your internal AD FS servers directly to the internet. Instead, you use the Web Application Proxy (WAP) role. The WAP acts as a reverse proxy, sitting in your DMZ. It receives authentication requests from the internet, validates them, and forwards them to the internal AD FS server. This keeps your internal identity servers hidden from direct external traffic.
High Availability and Load Balancing
For any production environment, you should deploy an AD FS farm rather than a single server. A farm consists of multiple AD FS nodes working together. You will need a load balancer (either a hardware appliance or a software-based solution like Windows Server Network Load Balancing) to distribute incoming requests across the nodes.
Note: When using a load balancer for AD FS, ensure that it supports "sticky sessions" or session affinity if you are using older authentication protocols, though modern AD FS configurations are generally stateless. Always ensure your load balancer performs health checks on the
/adfs/probeendpoint.
Step-by-Step: Deploying a Basic AD FS Environment
Setting up AD FS involves several distinct phases: preparing the environment, installing the role, and configuring the trust.
Phase 1: Prerequisites
Before installing the role, ensure you have the following:
- A dedicated service account: Do not use a Domain Admin account. Use a Managed Service Account (MSA) or Group Managed Service Account (gMSA) for the AD FS service.
- SSL Certificates: You need an SSL certificate that matches the Federation Service Name (e.g.,
sts.yourcompany.com). This must be a publicly trusted certificate if your users are accessing it from the internet. - DNS Configuration: You must have a DNS record (A record) pointing to your load balancer or the AD FS server IP address.
Phase 2: Installing the Role
You can install AD FS using Server Manager or PowerShell. PowerShell is generally preferred for consistency.
# Install the AD FS role
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
# Configure the AD FS Server
# Note: This is a simplified command. In a real environment, you would use a configuration file.
Install-AdfsFarm -CertificateThumbprint "YOUR_THUMBPRINT_HERE" `
-FederationServiceDisplayName "My Organization" `
-ServiceAccountCredential (Get-Credential)
Phase 3: Configuring the Relying Party Trust
Once the server is installed, you need to tell it about the application it will be authenticating for. If you are integrating with Microsoft 365, you would use the Microsoft Entra Connect tool, which automates much of this process. For manual applications, you define a Relying Party Trust:
- Open the AD FS Management Console.
- Right-click Relying Party Trusts and select Add Relying Party Trust.
- Choose Claims aware and import the metadata file from the application provider.
- Configure the Claim Rules. This is where you map AD attributes (like
sAMAccountName) to the claims expected by the application (likeNameID).
Managing Claim Rules: The Heart of the Federation
Claim rules are the logic that determines what information is sent to the application. Without correctly configured claim rules, the Relying Party will not be able to identify the user correctly.
Common Rule Types
- Transform an Incoming Claim: Used to change the format of a claim. For example, changing a UPN ([email protected]) into a simple username.
- Pass Through or Filter an Incoming Claim: Used to pass an LDAP attribute directly through to the token.
- Send LDAP Attributes as Claims: This is the most common rule. It queries Active Directory for a specific attribute (like
mailorgivenName) and sends it as a claim in the token.
Tip: Use the Claim Rule Language While the graphical interface covers 90% of use cases, you can use the "Claim Rule Language" for complex logic. For example, you can write a rule that only sends a "Manager" claim if the user belongs to a specific security group. Always test these rules in a lab environment before deploying to production.
Security Best Practices for AD FS
Because AD FS is a high-value target for attackers, hardening your implementation is non-negotiable.
1. Hardening the Servers
Treat your AD FS servers as Tier-0 assets. Limit administrative access to a very small group of highly trusted individuals. Disable unnecessary services, and ensure that the servers are patched regularly. Use Windows Defender Application Control to prevent unauthorized executables from running.
2. Monitoring and Auditing
AD FS produces a wealth of logs in the Event Viewer under Applications and Services Logs > AD FS > Admin. You should ingest these logs into a SIEM (Security Information and Event Management) system. Look for anomalies such as:
- High volumes of failed logins from a single IP address.
- Logins occurring at unusual times for specific user accounts.
- Changes to the trust configuration.
3. Implementing Multi-Factor Authentication (MFA)
Never rely on passwords alone for federated access. AD FS supports MFA providers out of the box. You can integrate it with Azure MFA, or third-party providers like Duo or RSA. Configure your AD FS policy to require MFA for all external access requests.
Warning: The "Golden Ticket" Risk If an attacker compromises your AD FS token-signing certificate, they can forge tokens and impersonate any user in your organization. Protect your token-signing certificate with extreme care. Use a Hardware Security Module (HSM) if possible, or at the very least, ensure that the private key is not exportable and is stored in a secure location.
Common Pitfalls and Troubleshooting
Even with careful planning, things can go wrong. Here are the most common issues administrators face.
Time Synchronization
AD FS relies heavily on Kerberos for internal authentication. If your AD FS server's clock drifts more than five minutes away from your Domain Controller, authentication will fail. Always ensure your servers are synchronized with a reliable NTP source.
Certificate Expiration
The most common cause of "sudden" AD FS outages is an expired SSL or token-signing certificate. Set up automated alerts in your monitoring system to notify you 60, 30, and 7 days before a certificate expires.
Token Size Issues
If you include too many claims in your token, it can become too large, causing the browser or the application to reject the request. Keep your claim rules lean. Only send the information that the application strictly requires.
Troubleshooting Steps
When a user reports an issue, follow this systematic approach:
- Check the Event Logs: The AD FS Admin log is your first stop. It will usually tell you exactly why a token request was denied (e.g., "Invalid Password," "User not found," or "Certificate expired").
- Verify DNS: Ensure the federation service name resolves to the correct IP address from the client's perspective.
- Test with the IdP-Initiated Sign-on Page: AD FS has a built-in test page (typically
https://sts.yourcompany.com/adfs/ls/idpinitiatedsignon.aspx). Note that this is often disabled by default in newer versions for security reasons; you can enable it temporarily to test if the AD FS service itself is functioning. - Check the Relying Party Metadata: If the application is rejecting the token, check if the metadata (signing certificates) has changed on the application side.
Comparison Table: AD FS vs. Entra ID (Azure AD)
It is helpful to understand where AD FS fits compared to the modern cloud-native approach.
| Feature | AD FS (On-Premises) | Microsoft Entra ID (Cloud) |
|---|---|---|
| Primary Location | On-Premises Windows Server | Cloud-based (SaaS) |
| Authentication Source | Local Active Directory | Cloud Identity (or synced) |
| Maintenance | High (Patching, Certs, Hardware) | Low (Managed by Microsoft) |
| Customization | Highly customizable | Configuration-based |
| Security Model | Perimeter-based / VPN | Identity-based (Zero Trust) |
The Future of Identity: Moving Beyond AD FS
While AD FS remains a powerful tool, the industry is shifting toward "Modern Authentication" methods like OIDC (OpenID Connect) and OAuth 2.0, and moving away from legacy federation in favor of cloud-native identity providers. If you are starting a new project, consider whether you truly need AD FS or if you can achieve your goals using Microsoft Entra ID (formerly Azure AD) with Password Hash Synchronization and Seamless SSO.
Using the cloud-native approach simplifies your infrastructure by removing the need to manage servers, load balancers, and certificates. However, for organizations that require strict data sovereignty or have legacy applications that only speak SAML or WS-Federation and cannot be migrated to the cloud, AD FS will continue to be a vital piece of the puzzle for many years to come.
Advanced Configuration: Custom Authentication Providers
One of the most powerful features of AD FS is its extensibility. You can write your own custom authentication providers in C# to handle unique scenarios. For example, if you have a legacy application that requires a specific hardware token or a biometric check that isn't supported out of the box, you can build a custom adapter.
To do this, you implement the IAuthenticationProvider interface in a .NET assembly. Once compiled, you register the assembly on your AD FS servers and enable it via PowerShell. This level of flexibility is exactly why large enterprises with complex, non-standard requirements continue to rely on AD FS.
Example: Basic Logic for a Custom Authentication Provider
(Conceptual snippet for illustrative purposes)
public class MyCustomAuthProvider : IAuthenticationProvider
{
public AuthenticationMethod GetAuthenticationMethod()
{
return new AuthenticationMethod("https://mycompany.com/auth/mycustom");
}
public void Authenticate(AuthenticationContext context)
{
// Custom logic: e.g., check a custom database,
// verify a unique hardware token, etc.
if (VerifyUser(context.Username, context.Token))
{
context.Complete();
}
else
{
context.Fail();
}
}
}
This code would be part of a class library that interfaces with the AD FS AuthenticationProvider base class. After deployment, you would run Register-AdfsAuthenticationProvider to make it available in the AD FS management console.
Summary of Best Practices
To wrap up, let's distill the most important lessons into actionable best practices for your daily operations:
- Automation: Use PowerShell for all configuration tasks. It ensures that your environment is reproducible and reduces the risk of human error during manual entry.
- Documentation: Keep an up-to-date document of your claim rules and trust relationships. When an application stops working, you need to know exactly what claims it expects.
- Monitoring: Use proactive alerts. Do not wait for a user to call the helpdesk to find out that your token-signing certificate has expired.
- Testing: Always maintain a staging environment that mirrors your production configuration. Never push a change to your primary AD FS farm without testing it first.
- Least Privilege: Ensure that the AD FS service account has only the permissions it needs to read from Active Directory. It should not be a domain administrator.
- Patching: Treat your AD FS servers as high-priority targets for security updates. A vulnerability in AD FS can lead to a full domain compromise.
Common Questions (FAQ)
Q: Can I host AD FS in Azure VMs? A: Yes, absolutely. Many organizations move their AD FS infrastructure to Azure Virtual Machines to remove the burden of physical hardware, while still maintaining the control that AD FS offers.
Q: Do I need a separate certificate for each Relying Party? A: No. You typically use one Token-Signing certificate to sign tokens for all Relying Parties. You only need to ensure that the public portion of this certificate is trusted by the Relying Parties.
Q: What is the difference between AD FS and Web Application Proxy? A: AD FS is the "brains" of the operation—it performs the authentication. The Web Application Proxy is the "shield"—it sits in front of the AD FS server to handle external requests, protecting the internal server from direct exposure.
Q: Can I use AD FS for non-Windows applications? A: Yes. As long as the application supports standard federation protocols like SAML 2.0 or WS-Federation, it can integrate with AD FS regardless of what operating system or programming language it is built on.
Key Takeaways
- Identity is the New Perimeter: In a hybrid world, your identity infrastructure is your most important security asset. AD FS provides the critical bridge between internal directories and cloud applications.
- Trust is Everything: AD FS is built on the concept of trust relationships. Maintaining these relationships—through valid certificates and correct metadata—is the primary task of an AD FS administrator.
- Security is Non-Negotiable: Because AD FS manages the keys to your kingdom, it requires a hardened infrastructure, consistent monitoring, and robust multi-factor authentication policies.
- Don't Overcomplicate: Only send the claims that an application actually needs. Over-provisioning claims increases the token size and creates unnecessary security risks.
- Preparation Prevents Outages: Most AD FS failures are caused by expired certificates or clock skew. Proactive monitoring of these two items will prevent the vast majority of your helpdesk tickets.
- Know When to Use It: While AD FS is powerful, it is complex. Always evaluate if a cloud-native identity solution (like Microsoft Entra ID) can meet your needs before opting for the management overhead of an AD FS farm.
- Automation is Key: Use PowerShell to manage your farm. It makes your infrastructure predictable, easy to audit, and much faster to recover in the event of a disaster.
By mastering AD FS, you gain the ability to provide your users with a secure and efficient way to access the tools they need, no matter where those tools are hosted. It is a cornerstone skill for any professional managing Windows Servers in a hybrid environment.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons